Comment by bflesch 5 hours ago

Website says "no tracking" on the frontpage. I look at uBlock Origin, it mentions one blocked domain called "plausible.io". I go to plausible.io and see that "Easy to use and privacy-friendly Google Analytics alternative Plausible is powerful, lightweight analytics. No cookies, just insights. Made and hosted in the EU, powered by European-owned infrastructure."

"No tracking" is a different concept than "Google analytics alternative".

joekrill 5 hours ago

Maybe it was changed quickly, but I can't find anywhere that it says "No tracking". It specifically says "We don't track you around the internet." and "doesn't track you across sites" in the terms and about pages.

Also, you kind of have to "track" users to some extent for a site like this - otherwise it would be simple for someone to stuff votes.

  • ps2026 5 hours ago

    Plausible does count raw statistics without "tracking" specific users. That is just used for general website analytics. The first-party functional cookie that I am using (very similar to the auth login cookie) is used to prevent duplicate anonymous votes. Neither of these tracks the user and both are for on-site only. The functional cookie works much better than the fingerprint (actually less invasive too), but isn't foolproof. You can switch browsers, go to incognito mode in some browsers, etc. to bypass it, but it works for most casual users. Since it isn't election-level polling, I figured it is fine. I do have an in-memory rate limit to prevent excessive voting spam.

    • 1e1a 5 hours ago

      Are you rate limiting at the subnet/prefix level for IPv6?

      • ps2026 4 hours ago

        Actually no, I'm rate limiting per individual IP address right now. Good catch... I should probably normalize IPv6 to /64. I was originally thinking about not blocking universities or large groups that share IPs, but I guess that is more of an IPv4 NAT concern. Thanks for pointing it out! I didn't really think about a user rotating through IPs. I didn't add the rate limiting on voting until I removed the fingerprint, so that is for sure a valid concern.
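
An added example (not the site's code and not posted by anyone in the thread) of the /64 normalization discussed in the exchange above: an in-memory sliding-window vote limiter keyed per IPv4 address or per IPv6 /64 prefix. The names `rate_limit_key` and `VoteLimiter`, the limit of 5 votes per 60 seconds, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import time
from collections import defaultdict, deque


def rate_limit_key(remote_addr: str, v6_prefix: int = 64) -> str:
    """Map a client address to the bucket it is rate limited under."""
    ip = ipaddress.ip_address(remote_addr.split("%", 1)[0])  # drop any zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d on a dual-stack socket is an IPv4 client
    if ip.version == 4:
        return str(ip)  # per-address, so NATed groups share one bucket only if they share one IP
    # A single IPv6 client can pick any address inside its /64, so key on the prefix.
    return str(ipaddress.IPv6Network(f"{ip}/{v6_prefix}", strict=False))


class VoteLimiter:
    """Allow at most `limit` votes per `window` seconds for each key (hypothetical values)."""

    def __init__(self, limit: int = 5, window: float = 60.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self.hits = defaultdict(deque)  # key -> timestamps of accepted votes

    def allow(self, remote_addr: str) -> bool:
        key = rate_limit_key(remote_addr)
        now = self.clock()
        q = self.hits[key]
        while q and now - q[0] >= self.window:  # expire votes outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    limiter = VoteLimiter(limit=2)
    for addr in ("2001:db8:abcd:12::1", "2001:db8:abcd:12:ffff::2",
                 "2001:db8:abcd:12:dead:beef:0:3", "::ffff:203.0.113.7"):
        print(addr, "->", rate_limit_key(addr), limiter.allow(addr))
```

Rotating through addresses inside the same /64 now hits one shared counter; the `hits` map grows with the number of distinct keys, so a long-running process would also need to evict empty buckets.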

  • bflesch 4 hours ago

    On the landing page, right underneath the "disagree" button it says "no tracking"

ps2026 5 hours ago

So the site does use Plausible analytics. I chose that one because it does not use cookies, does not identify the user in any way, and does not follow you across the internet.

It counts raw aggregate statistics and is compliant with GDPR without requiring a banner. While it is "tracking" I suppose, it doesn't "track you". Do you think my wording doesn't work? I am open to suggestions.

  • bflesch 4 hours ago

    GDPR is not about cookies; it is about you giving user data to another company, and by including plausible.io you are doing that.

    • ps2026 4 hours ago

      I guess I will have to dive into this a bit more. I don't want to make false claims on the site. From the research I did before choosing Plausible, they do not collect any user data. They collect statistics of things that happened, but no actual user data.

      From their website:

      "By using Plausible, you don’t need to have any GDPR, CCPA or PECR prompts and you don’t need a complex privacy policy about your use of analytics and cookies. With Plausible, you are not tracking any personal data after all. Your visitors can enjoy your site without any annoyances and distractions."

      You can't even tell if the same person comes back on a different day.

      You can see their full privacy statements here: https://plausible.io/privacy-focused-web-analytics.

      Honestly, I don't even really need them. I may just remove it entirely. I am not a B2C or B2B website. It doesn't really matter to me that much to have the stats, but it is nice in general to see how it is doing. The votes submitted sort of count the users for me anyways.