Opinions: Are privacy-friendly analytics ever ethical?

Hi!

I maintain a couple independent, small, privacy-focused websites. They currently don’t collect any analytics.

I personally use uBlock for every website I visit. Would it be hypocritical of me to include privacy-friendly analytics on my own sites?

To narrow it down:

  • I’d only use verifiably privacy-friendly options that legally don’t even require consent, such as Plausible & Fathom.
  • I would block the loading of my analytics depending on Do Not Track/Global Privacy Control settings.

My definition of privacy-friendly is:

  • No cookies or cross-site tracking
  • No tracking across devices
  • Aggregated data only
  • No PII collected

I read PrivacyGuides used to use Plausible, but doesn’t anymore. Is that a stance on collecting data for something that inherently advocates against it, or is there a deeper reason?

Some of this data is incredibly helpful - especially referrers, bounce rate, locations, and basic conversion data, and cannot be tracked to any given individual. Do you use analytics on your site?

2 Likes

Yes, you can’t build products without feedback :person_shrugging:t4:

8 Likes

yes it would be hypocritical

yes it would be hypocritical

Even if I whitelist domains for services I don’t object to?

Browsing the web without uBlock is painful.

This, yeah whitelisting maybeee

hypocritical doesn’t mean bad or wrong, but it is the definition of hypocrisy (unless the analytics is opt-in). but yeah, if you whitelist similar analytics then it’s not

your situation kinda reminds me of how brave blocks ads but then offers its own in-browser ones (which has its own issues and i heavily disagree with it)

No.

There are many ways you can think about this, whether it is or isn’t hypocritical depends on your thinking, but here is one way of thinking that is ethically consistent:

  1. It is my right to control my system, that includes controlling my browsing experience, what resources I allow my system to load or not load, etc.
    2/ Likewise, it is your right to control your system, that includes your server and includes your right to use privacy preserving analytics to gain insights into how your server is being used.

So long as your intentions are in-good-faith, and not malicious or deceptive, you are transparent, and you are there is nothing inconsistent about the above (your system your choice, my system my choice)

If you believe all analytics are objectively wrong, then yes, it would be objectively hypocritical, but that is a pretty extreme, and not very common or practical belief.

2 Likes

only if it’s opt-in (or at least there’s an easy way to disable on landing page for an ordinary user who doesn’t have ublock)

Likewise, it is your right to control your system, that includes your server and includes your right to use privacy preserving analytics to gain insights into how your server is being used.

the analytics are being run on client’s devices, not the server

It is a bit of a simplification but:

  1. OP can only control their side (server side).
  2. It is up to me (and my content blocker) what happens on my side (client side).
1 Like
  1. OP can only control their side (server side).

not true. they can EASILY make analytics opt-in if they want to. i won’t go into the ethics of opt-in vs opt-out (that was extensively discussed with fedora’s telemetry proposal Opt-in / Opt-Out? A breakout topic for the F40 Change Request on Privacy-preserving telemetry for Fedora Workstation - Fedora Discussion) but opt-out is definitely hypocritical

This doesn’t seem to relate at all to what I wrote/what you quoted.

Soft or hard opt-in or opt-out is a separate consideration, It is something you can have an opinion on, and worthy of discussing, but it is a separate topic, independent from what I wrote above.

1 Like

No, it was useless as most of PG visitors are using adblockers as you would be expect.

2 Likes

fwiw DivestOS has “analytics”

The Updater app checks for an update once a week and there is a transient counter on the server for each device.

There is no device identifier or similar so the same device can be counted repeatedly.

It serves as an extremely useful “heartbeat” for me to know which devices are actually in-use, are popular, and if they’re working or not.

It also is entirely public which allows users to determine a more accurate status for the device support.

You can see it on the devices downloads page as “Updater checks past” and “Updated users”: Devices - DivestOS Mobile

The actual code for this is here:

5 Likes

you said that OP can “only control the server side”. that’s not really true, as they control what resources and scripts the user pulls and runs on their browser (though of course, users can override this but that doesn’t mean OP has no control on what is executed by default)

i.e. it’s OP’s choice whether the telemetry is run and uploaded from client’s devices by default (although they have to abide by laws) and they can easily make their implementation opt-in if they wanted to, just as they can choose not to have telemetry at all.

opt-in is more similar to the approach op is taking with their ad blocker, white listing by default and not running anything unless they want it to. im not really talking about ethics (although it’s hard not to), just whether what their proposal is “hypocritical”. and i concede that it is subjective, but i think there’s a very strong argument that with opt-out analytics, the answer would be a firm “yes”

Short answer is NO.
Long answer is NOoooo.
Analytics and telemetry are not evil things.

4 Likes

True

they control what resources and scripts the user pulls and runs on their browser

I don’t feel this is accurate.

they control what resources and scripts the user pulls

I don’t feel this is accurate

(if it were extensions like noscript and uBlock Origin could not function as they do)

OP can control their end. But you as the user are not a passive/powerless subject, you have agency.

OP can choose to use analytics software on their server, and you can choose to block it.

and i concede that it is subjective

We are in agreement here. Whether you consider it ethical or not, or hypocritical or not, will largely depend on your personal perspective and philosophy. And I don’t believe there is a single correct philosophy.

just whether what their proposal is “hypocritical” […], but i think there’s a very strong argument that with opt-out analytics, the answer would be a firm “yes”

While I do not share this point of view. I can empathize with and understand your position.

As with all things, there is nuance.

If the assumption that the metrics you are concerned with are privacy respecting, then that answers the question - if it respects privacy it’s fine. However, defining what respects privacy or not is really the hard part.

For me…

  1. Is it strictly internal for developing product? More acceptable.
  2. Is it sold to third parties for profit? Not acceptable for paid products, annoyingly part of a lot of “free” products, and I want to be able to opt out of this or I will find a way to block it.

Also keep in mind some metrics have little impact on privacy, some have greater impact, but it can be hard to tell what’s collected if not defined.

I think it’s largely best to evaluate on a case by case basis, and generally try to block by default when possible. If you really enjoy a service and trust + respect the company, consider enabling metrics to assist with their efforts and provide active feedback. Otherwise, it’s easier to play it safe than sorry.

1 Like

I think the bigger issue is opt-in or opt-out as defaults, or maybe some fine tuned granularity between the two (default “respectable” opt in, possible to opt in further for complete information sending, or opt out entirely).

Thanks everyone.

I’ve made up my mind in that it’s okay for me personally, for a couple of a reasons:

  • I cannot use the analytics mentioned to compromise your privacy or anonymity as an individual
  • I have no monetary incentive to include the analytics: I provide resources/information for free. If you can’t find what you’re looking for on my websites, that is a disservice to you and me
  • I have whitelisted domains for analytics providers I’m okay with

As for making them opt in: you can barely get someone to opt out, and if you do, the method is obtrusive. I see no way of making analytics opt-in and unobtrusive in a way that does not render them useless.

2 Likes

could you open up the metrics you get? so all your site users can see them