Back

Italian watchdog bans use of Google Analytics

827 points18 hoursgpdp.it
corywatilo17 hours ago

Italy is the 4th in a string of recent decisions across the EU.

(We're tracking these cases on isgoogleanalyticsillegal.com along with details for each.)

Note that it's not illegal to use GA entirely, just illegal to use in its default state which transmits PII to the US.

stingraycharles17 hours ago

That is an extremely important nuance which is not obvious from the title.

tut-urut-utut2 hours ago

Most of the people using GA wouldn't be able to set it up correctly. I switched my personal site from GA to Microanalytics, since I wanted to avoid spending time trying to figure out how to configure GA to be conformant.

Google should be the one doing the compliance work. If Italy bans some usage pattern in GA, it's Google that should make it impossible to configure it in non-conformant way.

digitalengineer15 hours ago

Some time ago Google gave EU admins the option to select a local regional (EU) server. This means the data is not send to the US. But! It’s still nog fully legal as the Google HQ (and thus the US government( can still access all the data.

kixiQu15 hours ago

if anyone is curious about why that gives the govt. access:

https://en.wikipedia.org/wiki/CLOUD_Act

(God willing they repeal it, even if only for the international commerce implications...)

toyg5 hours ago

This will never be repealed. It was introduced to effectively enshrine a right US authorities have had since the PATRIOT Act was introduced 17 years prior, since that act had become politically contentious and was left to expire.

If anybody seriously thinks US authorities will quietly lose a key power after enjoying it for 21 years, I have a few bridges ready to be sold.

DyslexicAtheist6 hours ago

something I'm not getting here. If you buy a EU engineered IoT home appliance that has PII including, whether a user is presently inside their home, then every company I know operating in this market uses US based clouds (what other options are there LOL) to do things like digital twin or device shadows but by using a local availability zone.

So this is very different than GA, but depending on the threat-model can be worse. Also very similar metrics can be gathered from the data as from a GA cookie (are they eating, cooking, showering, watching TV).

CloudAct would (or should) in this case also apply here or what am I missing?

toyg5 hours ago

You're not missing anything. A lot of companies just have no idea of the legal landscape, or simply ignore it in the name of convenience. That's because consumers are even more ignorant of their rights around technology and don't sue them. It will take a lot of civil litigation for this to change.

spockz5 hours ago

I am only aware of Hetzner. (German) The other day I was checking out there offerings and I was amazed at how easy it is to order a vm. And then it is live the next second. It is amazing.

Obviously they don’t have full range of services the big three have. But maybe just enough anyway.

undefinedzero5 hours ago

The watchdogs are extremely slow and have a huge backlog. You’re right that storing that data in the US or without transferring ownership to an EU subsidiary would not be legal.

concordDance2 hours ago

> (God willing they repeal it, even if only for the international commerce implications...)

It's hard to express how impossible this is. It is very very strongly in the state's interest to keep powers like this. We're more likely to get communism...

y426 hours ago

Like Adobe, who uses tracking servers in the EU, but Data Processing happens in the US?

cavisne8 hours ago

The article has the watchdog suggesting exactly that (the specific site has 90 days to use GA in a compliant way, no direct complaint against GA), so it seems from their point of view it's legal.

The title of this post and a lot of the comments are projecting what they want GDPR to be (all non european online entities banned from doing business in the EU) vs how its being enforced.

googlryas15 hours ago

Why is that not fully legal? Wouldn't the same law prevent Google USA from querying PII data from Google Italia?

digitalengineer15 hours ago

If Google US can access the data, that means the US government by extension can also. This is exactly what GDPR doesn’t want happening. More details in this open letter by Max Schrems “ the Court has clearly held that US surveillance laws and practices violate Article 7, 8 and 47 of the Charter of Fundamental Rights” https://noyb.eu/en/open-letter-future-eu-us-data-transfers

marcosdumay15 hours ago

Italian laws do not apply to Google USA.

wonderbore6 hours ago

Oh yes they do. GA is part of a company that also sells services in Italy. They should follow the law if they want to keep earning that non-US Adwords money that allows GA to remain free.

+1
lovich14 hours ago
+1
googlryas15 hours ago
connicpu13 hours ago

But someone will have to foot the bill when their branch in Italy is fined by the government for violating Italian law

minsc_and_boo15 hours ago

Isn't it already against Google Analytics' policy to put PII in the platform to begin with?

https://support.google.com/analytics/answer/6366371?hl=en#zi...

rgbrenner13 hours ago

Gdpr uses a more expansive definition of personal data, and it includes the IP address and geolocation data, for example.

dudus10 hours ago

And to be clear Google Analytics has a setting to "anonymize" the IP address which deletes the last octet of the address and makes geolocation less accurate.

Then there's an argument that the IP address still reaches Google servers before it's deleted. But that's just splitting hairs at this point. If Google doesn't process the data with IP the IP address I see no harm.

IP addresses are not something that you can choose to not send at all. It's kind of required by the TCP/IP stack. If that was the case users in EU could not access any website in the USA.

riffraff7 hours ago

The press release mentions that partial truncation is not considered good enough as google has enough ancillary metadata to reverse it.

y426 hours ago

I guess the difference here is, that I want to visit a website in the US versus a tracking request, that happens in the background.

fulafel5 hours ago

The GDPR is a product of the Snowden revealed pervasive surveillance done by US TLAs. Keeping the data in EU vs sending it over to US under assurances is a big hair.

ricardobayes2 hours ago

Forget anonimized GA, I wonder what regulators would say to the likes of Hotjar which even records your screen and can be played back.

stickfigure10 hours ago

Is it illegal to use my website from Italy? I store PII (and everything else) in the US.

dmitriid5 hours ago

No. It's illegal for you to operate in the EU.

lmkg16 hours ago

> just illegal to use in its default state which transmits PII to the US

As I mentioned in a sibling comment, this is technically true but complying with GDPR takes more than unchecking a few boxes. I've never seen any GA set-up that would remotely approach compliance. At minimum, you need to mask IP's before they reach Google, which means standing up a non-Google server to proxy all the hits. That is more complexity than 99+% of GA installations.

closewith16 hours ago

That’s a very common implementation of serverside GTM/GA in the EU. If you advertise, you’ll still be sending GCLIDs, though.

Nextgrid15 hours ago

If only ad clicks send back tracking parameters (and nothing else) it might actually fall into legitimate interest.

closewith15 hours ago

The current issue isn't the lawful basis for the processing, as compliant companies already only use Google Analytics once they have consent. The issue is that without an adequacy decision from the EU to allow data transfers to the US, and with the global reach of US authorities thanks to the CLOUD Act, there's no way to keep personal data safe from US law enforcement.

naet16 hours ago

My current understanding of google analytics and GDPR compliance is that you can use it in a GDPR compliant manner without that much trouble. On the older UA there is a simple flag that enables IP anonymization and on the new GA4 there is purportedly no need for it as they don't collect or store the IP at all.

For many clients I have set up a cookie compliance tool like Onetrust, which blocks loading of GA and other scripts with one of the consent popups. With this combined configuration (and having verified nothing sneaks through before someone gives consent) most company legal / compliance teams I have worked with have deemed this to be a fully compliant setup. Of course, this might not be actually compliant, but the company legal team has done some research and arrived at this as the most advantageous position currently available.

I think using a compliance based tool like Onetrust also gives a sense of legal security in that if our configuration is properly set up they are advertising that we then get compliance as part of their service, and so responsibility of a violation could potentially be passed to them in a legal setting.

ref: https://support.google.com/analytics/answer/2763052?hl=en

jeroenhd13 hours ago

I'm not so sure your take on IP address anonymization. The source states:

    The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.
The Google documentation says:

    The IP-anonymization feature in Universal Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to Google Analytics.
IANAL but I'm pretty sure the IP anonymization setting is no longer an acceptable way of getting GDPR compliance. It may have been acceptable under Austrian or French ruling before, I don't know about those, but from 90 days from now you'll have to explicitly require consent for _at least_ all Italian users.

As a side note, OneTrust has the worst of the worst cookie banners, to the point that I no longer even open websites that have that crap installed. It's also illegal by making it harder to reject tracking than to opt-in, there just haven't been any specific lawsuits about this party yet.

+1
snowwrestler11 hours ago
majewsky14 hours ago

> For many clients I have set up a cookie compliance tool like Onetrust

Every time I've seen a cookie popup from Onetrust, it was obviously illegal because "Reject all" was not the easiest option. It's fine if "Accept all" is as easy as "Reject all", but nothing is allowed to be easier than "Reject all". Have they fixed that yet?

erikgaal5 hours ago

This is actually a setting within OneTrust which has a terrible default. We (had to) use OneTrust on eurovision.tv, but configured it ourselves to have three equally styled options.

1vuio0pswjnm713 hours ago

Here are the URLs for those who disable Javascript (from https://github.com/PostHog/isgoogleanalyticsillegal.com)

https://gdprhub.eu/index.php?title=DSB_(Austria_-_2021-0.586...

https://www.cnil.fr/en/use-google-analytics-and-data-transfe...

https://www.gpdp.it/web/guest/home/docweb/-/docweb-display/d...

https://noyb.eu/en/austrian-dsb-eu-us-data-transfers-google-...

NOYB is the primary source tracking these cases and generally was also responsible for filing the complaints that led to them. All the details are available from NOYB's GDPRhub wiki, https://gdprhub.eu. GDPRhub attempts to provide information on all the European DPAs including how to file complaints. At the least it provides contact info for all the DPAs and English translations of DPA decisions.

As stated in 13 Jan 2022 announcement on noyb.eu, these decisions are generally the result of the "Max Schrems II" decision. After that decision, Schrems filed 101 complaints to DPAs, and now the chickens are coming home to roost.

Note that the "legality" of Google Fonts, under the default configuration, is also in question. Arguably use of Google Fonts is even more widespread than use of Google Analytics.

mro_name16 hours ago

yeah, like 'swimming pools only bear a danger of drowning when wet'.

hnarn16 hours ago

That analogy makes no sense at all.

rightbyte16 hours ago

Empty pools are probably more dangerous.

Forge3616 hours ago

I hear they attract skaters.

tin7in17 hours ago

We are based in Europe and self-host our analytics exactly for this reason. I feel this is just the beginning.

rambambram17 hours ago

Congrats. We also chose to do the analytics ourselves. No tracking, no cookie banners, and probably better stats as well. One thing that Google did very cleverly was to only give GA users the search terms that visitors used to end up on their site.

m3adow6 hours ago

Don't you still have to provide a cookie banner as soon as your analytics are storing cookies, even if it's your own?

y426 hours ago

> Don't you still have to provide a cookie banner as soon as your analytics are storing cookies, even if it's your own?

You need consent for every kind of storage usage on client side if you create profiles to analyze the them for marketing goals. If not, and no PII is being processed, no consent is required. Eg you could easily aggregate your server logs without a consent.

EEBio4 hours ago

You generally don't need a consent for gathering data that is required to run the site.

But if you use the data for analytics purposes, you do need the users' consent for that, even if it's the same data that you use for operational purposes.

cgjohn3 hours ago

Just to be clear: PII is not the same as personal data as defined by the GDPR. The latter is generally much stricter as it also includes indirect data. Data which would be anonymous by itself but in a collection uniquely links to a single person would still be considered personal data under the GDPR.

adrr6 hours ago

How are you tracking returning users without cookies? Also if it’s multi-lingual, how are you storing the language prefs?

rambambram4 hours ago

> How are you tracking returning users without cookies?

We're not. And that's exactly the point, because we don't want to track. I make a distinction between tracking, analyzing and stats. What we do is guess who are the unique visitors (and who are not), and I say guess because it's guesswork since the browser can spew out any kind of info.

tpxl43 minutes ago

> Also if it’s multi-lingual, how are you storing the language prefs?

Cookies you require for functionality (ie. login cookies, language settings) require no consent, but do require to be laid out in a cookie policy.

guelo16 hours ago

Isn't the search term in the Referer header?

Taywee16 hours ago

Nope. They forward through an in-between that obscures it. They argue that because search results are personalized, being able to see the search terms can give you information about the visitor that can compromise their privacy. Google doesn't want anybody violating user privacy except for Google.

+1
mhitza14 hours ago
closewith16 hours ago

Not for many years. The only way to get Google search term data now is through the Search Console product, which integrates with GA.

joshyi15 hours ago

Same here. We’ve been using goaccess for years on a 300M hits a month. Self-host is the way to go for us.

closewith17 hours ago

Unfortunately, you can't self-host the integration with Google Ads or Search Console, which locks anyone who relies on Google (or Facebook, Microsoft, etc) Ads into the use of Google Analytics/Ads tracking.

quickthrower213 hours ago

Why not? Can’t you still pass the campaign information via the url?

closewith4 hours ago

You can send campaign data that way, but to run any kind of effective campaign on Google Ads, you also need to send conversion data back if the user who clicks on your ad actually does the thing you want. You can either use GA or Google Ads own tracking option to set a cookie with a unique ID associated with that ad click and then send that to Google when they convert.

A privacy-conscious serverside GTM/GA implementation won't leak any personal data like IP address to Google, but there's no way to avoid sending the GCLID if you advertise.

A lot of companies are dependent on Google Ads for demand generation, so it's the reason they are sticking with GA even as the writing's on the wall.

V__17 hours ago

Are you using a custom sotware or something like plausible.io?

tin7in17 hours ago

I've heard about Plausible but haven't tried it yet. We are using Posthog which is a suite for product analytics.

stevoski15 hours ago

Plausible et al all are a pale imitation of GA. They all offer a dashboard with some basic filtering. But they offer little in the way of true analytics features, that allow you to slice, dice, and compare data.

mhitza14 hours ago

I'm working on an web analytics project that gives users more power over the way they slice/dice/compare analytics data. Would you be interested in giving it a try when the project launches in alpha?

Send me a hello email at the address listed on my profile, would be happy to send out an invite when ready.

quickthrower213 hours ago

Which is a good thing!

Rygian16 hours ago

Self-hosting does not automatically make your analytics legal, on the other hand.

Processing of your users' personal data is legal only in the few exceptional scenarios outlined in Article 6.

https://gdprinfo.eu/en-article-6

giobox15 hours ago

Our definition of "exceptional scenarios" is clearly not the same... The list of scenarios in article 6 are common business operations covering a huge range of legitimate activities where processing might need to occur; there is little exceptional about them.

Rygian13 hours ago

Processing of personal information is unlawful except in the conditions listed in the article.

So "exceptional" in the sense that they are exceptions to a more general rule, as of opposed to the sense of being extraordinary.

cm201216 hours ago

Another decision in a long stream that will make it much harder for EU start-ups companies to catch up to American ones. With absolutely no improvements to actual EU citizen well being.

nathanaldensr15 hours ago

Maybe a race where the finish line is maximum exploitation of the digital population isn't a race worth running.

RubyRidgeRandy6 hours ago

here I thought maximum exploitation would be selling someones identity on the dark web but I come to find on HN that it's actually hashed analytics data D: !!!

MarcelOlsz6 hours ago

I wish the internet was purely an informational no bullshit interface/store instead of all this crap. I welcome these changes. Convert it back into a piece of furniture. Oh no we can't make a billion dollars for no reason.

neuronic1 hour ago

Yes, let's all marvel at the accomplishment of making everything funded by exploitative and intrusive but largely useless advertisements.

All digital startups are literally doomed without the indiscriminate collection of personal tracking data.

Side note: thank you modern adtech for consistently recommending me products I already bought days and weeks before. Very effective. Gullible companies just keep paying cold hard cash for these garbage recommendation systems because some sales rep talks fluffy about AI and machine learning, it's so mindblowing....

iLoveOncall15 hours ago
waffleiron14 hours ago

So lets legalise child labour? Get rid of OSHA?

Where you draw the line is cultural and personal, so don’t dismiss things like this so easily.

jimnotgym14 hours ago

Isn't this an opportunity for EU startups? By choosing to enforce the law on US companies that EU companies are already generally very compliant with, surely the EU has levelled the playing field for EU companies?

AdriaanvRossum13 hours ago

It is. Most startups in the EU have to use more and more businesses in the EU. The selection is little, so way more changes to succeed if your EU based and serve both markets.

I run Simple Analytics [1], which is a privacy-first analytics business from the Netherlands. I see a lot of business from the EU just because we are from the EU as well.

[1] https://simpleanalytics.com/?ref=hn

hnbad36 minutes ago

Frankly, as a EU company (based in Germany no less) I'm steering clear of any US SaaS whenever possible. Even if they operate in the EU they're usually a legal headache because privacy compliance is added as an afterthought and they'll often carelessly transfer data to US servers based on assumptions that should have been abandoned when Privacy Shield was torn down in the courts.

Out of the big cloud providers only Azure feels even remotely safe to use (if only because of the privacy reputation of Google and Amazon).

jeroenhd13 hours ago

I can already see the taglines: "ConsentCo, tracking that's legal in the EU, unlike Google Analytics"

cm201213 hours ago

A little advantage for EU analytics startups, disadvantage for all other EU startups and SMBs who have less options for figuring out what users like about their website and offerings.

hef198984 hours ago

Assuming any of that actually helps to grow revenue, or that it is the only way to find out what your users want. Plus, GDPR isn't making tracking illegal in general, it is just heavily regulating it. If it was just properly enforced, the internet would be a much nicer place...

Side note, I'm slowly getting tired of people ignoring regulations and compliance simply out of laziness.

YetAnotherNick14 hours ago

So due to this legislations it is more costly/less profitable for a company to have a European customer compared to US customer. Things like GDPR/lawsuits/bad PR etc. doesn't come for free for companies. So if some startup has more ratio of European users it is at a disadvantage.

herbst4 hours ago

GDPR is rarely enforced, we are still In a transition phase and many who start out choose to just ignore it to a degree.

I don't see how it's more costly or less profitable. Judging by the amount of lawsuits per capita I think it's way more likely to get sued in the US than Europe. And guess what's more expensive or complicated for a European company?

makeitdouble7 hours ago

Setting up something like Matomo instead of GA doesn't looks to me like a huge penalizing factor for a startup.

If anything, EU startups could benefit from better control over the tools they use. One interesting halo effect of Google seeing that much data is also that US startup from ex-googlers get a head start on many insights.

realusername6 hours ago

That decision is on the US, once the cloud act will be removed, those services will be legal again

toyg4 hours ago

Before the CLOUD Act there was the PATRIOT Act, which had effectively the same provisions.

These things have not been legal since the GDPR went into effect, and in some countries even before then.

realusername4 hours ago

Oh yeah sure, that also would not work with the patriot act.

To be compliant with the GDPR, the US needs data laws which only affects citizens on their own soil and not overreaching to EU citizens.

hef198984 hours ago

And we all know that this will never ever happen.

baq7 hours ago

take data of your USA customers and sell it to the highest bidder without their consent or even knowledge as you please. don't complain that I have the right to know you do that and disagree to you doing that.

dehrmann6 hours ago

Google doesn't really sell user data.

speedgoose6 hours ago

No, it’s too valuable. They sell services using the data such as Google ads.

herbst4 hours ago

I am no EU citizen, however live in Europe and do tech startups. I welcome GDPR as well as this ruling.

It's unethical IMO to send personal data to countries that have weak privacy laws without making it absolutely clear to the user. Which is rarely the case with GA right now.

I switched most my projects to shynet, for me personally that's more than enough information and I have zero worries about tracking and know that some users appreciate my approach.

Edit:// even before GDPR became a thing I worked with several companies who had strict rules about hosting in Europe or even more explicit not hosting in the US.

peoplefromibiza13 hours ago

or maybe EU is starring to rely on their own startups.

If I had to chose an analytics software for a customer's website, I'd chose someone in EU for the sole reason that it would be compliant in both EU and the rest of the World.

hnbad40 minutes ago

Nah. The problem here is Google, not analytics in general. You can still use analytics as long as you do it in a privacy-first approach.

These laws also apply to US companies offering their services to in the EU. Frankly, it's about time American companies get reigned in on their privacy abuses. US startup culture has been playing fast and loose with people's data for far too long to disastrous effects.

xnickb5 hours ago

Let me guess, you're from the US and user surveillance is beneficial to your business so naturally everyone with non-capitalist (read not $$$-centric) ideology is plain wrong. EU startups don't have to "catch up" or even compete with US start ups.

skdd83 hours ago

read this with a french accent for whatever reason >.<

redleather7 hours ago

That's assuming a European GDPR-compliant alternative to Google analytics wouldn't arise. But of course it will. It's not even a very difficult product to build. If anything this is both sticking it to Google and creating opportunities for European startups to fill the void.

andiareso7 hours ago

Yikes... Have you ever heard of some of the alternatives?

I self-host Plausible which is GDPR compliant and gives me all of the features that Google Analytics is actually good for. There is so much bloat in GA that provides absolutely no extra value.

I'm skeptical that this is a bad deal for EU citizens.

[EDIT] missing and

t6jvcereio11 hours ago

That's ok, that's our decision.

suction6 hours ago

As an EU citizen, I find it to be a huge improvement to detangle my data from US-American entities. Especially with the election of Trump and January 6th. Maybe Americans haven't fully realized what that meant for US-EU relations for the next hundreds of years. The US is just not a politically stable country until further notice.

concordDance2 hours ago

Eh? Jan 6 wasn't very noteable (a bunch of disorganized protestors are let into congress, but the state was not meaningfully threatened), the US has long had political instabilities, the business plot was way worse, but who has heard of it now...

alexklarjr5 hours ago

since when EU became politically stable? Last time i checked you were at war with Russia.

kcartlidge5 hours ago

> since when EU became politically stable? Last time i checked you were at war with Russia.

Russia's attack on Ukraine has no relevance at all to whether the EU is or isn't politically stable.

There may be other reasons you can cite, in which case fair enough, but that example is a non-EU third party attacking a non-EU third party. And the EU is not at war with Russia.

+2
alexklarjr3 hours ago
Scarblac5 hours ago

Ukraine is, not the EU. The US is at least as involved in the war as the EU is.

But I wouldn't call many EU countries very stable either. It can still be a win to not send private data to the US though, tracking has become far too precise and omnipresent.

iakov4 hours ago

You are demonstrating the level of geographical and political knowledge that people expect from americans. I hope this is satire.

DisjointedHunt6 hours ago

The EU hasn’t shaken off their roots in monarchy. Using the power of the state to go after a single private entity since they have a blood feud with said entity and are now finding all sorts of excuses to hit them economically.

I’ve been following the cases with regard to privacy in the EU and it’s a complete joke. You have all these onerous rules against any web technology making it near impossible for startups to function without an army of lawyers. Think I’m exaggerating? Look up the provisions under GDPR for any business, big or small, to set up a website and then process a single user request for their data even without sign in.

The UK is sick and tired of this and has recently begun moving to ignore these onerous rules. All power to them.

tgv6 hours ago

You may be looking at this through a very narrow, heavily politicized lens.

First: GDPR is a compromise, so it's a bit uneven. That's partly due to lobbying by google and friends. Second, privacy very much needs protection. Even if you are perfectly fine giving up your privacy, other people aren't. Third: you can actually process user requests. Depending on how you do it, you don't even have to show a banner. Is that really too intrusive?

kcartlidge5 hours ago

> The EU hasn’t shaken off their roots in monarchy.

I know, right. I mean obviously the world's most famous royal family (our British one) isn't really a monarchy so that doesn't count. And they certainly don't get previews and vetos on our laws, or given hundreds of millions from the licence fees for offshore wind farms, or own a notable percentage of the land.

As for GDPR, compliance is pretty straightforward provided you aren't being shady to begin with.

And the new UK proposals are much worse and if they go through as they stand will be a nightmare for anyone serving UK visitors.

openplatypus16 hours ago

While I should be happy with narrative (I run https://wideangle.co, GA alternative), let's be honest. It not banned. Nor is it illegal.

It is illegal to use it in such a way that results in Personal Data being siphoned to the US.

Is it hard? Yes. Outright illegal? Nah.

stevoski15 hours ago

It is good to see a GA competitor not resort to FUD as a marketing tool.

dx0345 hours ago

But it's enough of a hurdle that many website owners may just decide to go with a EU-based competitor. Certainly a good ruling for the EU tech scene.

nwellnhof17 hours ago

What's really puzzling is that Google Analytics never got banned because of antitrust laws. It's the most obvious example of predatory pricing I've ever seen. How is a smaller company supposed to compete against a free product?

raviparikh16 hours ago

I co-founded a company called Heap that competed against Google Analytics and we were quite successful. Amplitude, Mixpanel, and others have also done so. GA’s free pricing was not really a big issue for us and customers were very willing to pay 6- and 7-figures for a differentiated quality product.

Nagyman16 hours ago

Loved Heap (Analytics?). I advocated for it while working at my previous employer :) I think we were early customers. At the time, its automatic tracking of all events was a godsend compared to hooking up specific tracking after the fact using GA events.

Wowfunhappy16 hours ago

Doesn’t predatory pricing mean “we dropped our pricing below profitability in order to kill competitors (and presumably raise our own prices once they’re dead)”?

I think you’d have a very good case against Amazon, and probably Uber/Lyft, and I’ve long wondered why no one sued them over it. But in Google’s case, Analytics is profitable for the same reason Youtube is profitable—Google makes money off the data they gather.

permo-w16 hours ago

I did hear this in about 2014, so it could well have changed, but I thought Youtube wasn't profitable, or at the very most barely profitable

IX-10311 hours ago

As of 2019, I was still hearing it wasn't profitable. Though that may be starting to change: https://arstechnica.com/gadgets/2021/04/youtube-is-now-build...

dudus10 hours ago

Google Analytics has an enterprise paid version and it starts at 6 figures, Adobe has a very competitive product in the same space. So there's definitively room for a paid product in the market.

adrr5 hours ago

How many companies use GA as their only analytics system? It isn’t free. It has a free tier.

dx0345 hours ago

It's like with Cloudflare. The free Tier is what gets small companies and hobby developers in. And as they know your system but not the one of others, they'll recommend it to use when your company grows or their employer looks for an analytics system.

But I don't think it's predatory. It clearly worked for cloudflare and seems to work for Tailscale (they openly said they're using the same strategy). It would be predatory if others couldn't match that, but I'd argue many competitors could offer free plans for small websites if they wanted to.

tantalor17 hours ago

Lots of ways? Better features, better support, better performance.

If you can't beat the free offering, then go home.

bryan_w9 hours ago

"We've tried nothing and we're all out of ideas!"

- A French Ned Flanders, probably

reaperducer16 hours ago

If you can't beat the free offering, then go home.

In the real world of physical goods, there are laws against this. But Google's a tech company, so anything goes.

foota16 hours ago

It's not illegal to give things away for free unless it's dumping.

+1
reaperducer16 hours ago
minsc_and_boo14 hours ago

Which real world country?

In the U.S. most antitrust law is based on protecting what's best for the consumer, not protecting the competition from a free alternative.

jokethrowaway15 hours ago

What a horrible law.

The market should just create a better solution or find investors to call the bluff of the offending company and make even more money

vkou17 hours ago

One broad view is that anti-trust is supposed to protect consumers, not competitors.

If a competitor can't produce a quality product that people will pay for, consumers aren't being harmed by the prevalence of a free good-enough product.

In a consumer-protection world where a free and open source Linux had 98% market share in the OS market, Microsoft or Apple would have no leg to stand on to sue its developers over anti-trust. In a competitor-protection world, they would.

The US views anti-trust through a very consumer-focused lens[1], the EU sometimes views it through a more competitor-focused one.

[1] This doesn't mean I agree with it, and there are obvious problems with trying to prove harm in a court of law, if no alternative exists.

scarface7415 hours ago

If we enforced a law that said no product can be sold at a loss, we would get rid of almost every single startup and many recently IPOd former unicorns,

calibas15 hours ago

If I understand this correctly, the issue isn't Google Analytics specifically, but "because it transfers users’ data to the USA, which is a country without an adequate level of data protection".

So this could also apply to any company that sends PII to the USA?

solar-ice15 hours ago

At present, there is no legal basis for a company covered by the GDPR to send personal data to the US or a US-owned company. The US needs to repeal the CLOUD Act, and maybe one or two other things, in order to make this situation work again.

minsc_and_boo15 hours ago

Is that for US- or Italian-based users? What if this is an Italian company running a global website with data from non-GDPR country users?

solar-ice14 hours ago

You can find the scope of the GDPR in Article 3 of the GDPR: https://gdpr-info.eu/art-3-gdpr/

Read these as individual clauses; the Regulation applies if any one of them is met. An Italian company serving customers anywhere in the world is covered by the first clause.

jakubp14 hours ago

GDPR covers EU citizens. I don't think it says anything about non-EU citizens.

+1
k1w19 hours ago
quickthrower213 hours ago

Which is nebulous: someone whose grandad was Italian living their whole life in the US might be a defacto EU citizen.

tick_tock_tick6 hours ago

I'd be terrified if I was a EU company at this point. There is not logically way these same rules don't apply to using AWS, GCP, and Azure. There isn't enough other cloud hosting with nearly the same capabilities in Europe to handle that day.

makeitdouble5 hours ago

GCP and Azure have options to keep all data within the EU, I'm sure AWS has something to at this point. In France GCP is approved for public business, so it seems to be working fine.

On your general point, we're way past the point where a company is allowed to blindly use any random SaaS without caring about what it does with the data or where it goes. The pendulum is clearly swinging back.

hef198984 hours ago

There seems to be a difference between "B2C" stuff like ad tech and tracking and "B2B" like AWS. The latter seems to be more eager to be compliant, I assume only to prevent local / regional competitors to fill a gap but still. Plus all the nice public contracts to be had.

encoderer15 hours ago

There is really no reason to use Google Analytics anymore. There are many great alternatives now, mine is PanelBear.com. Other people love Fathom and Plausible. It’s great to see some unbundling happen.

quickthrower213 hours ago

I also believe (no proof though!) that you don’t need all that micro detail about your users and it is a distraction for a business.

A rough “how many came” is useful. At least to diagnose if the site had problems. Just talk to people and make your thing good!

dx0345 hours ago

I'm still a fan of Matomo. Very powerful, easy to self-host and you get full control over your data. Never tried their managed services though.

scale814 hours ago

The reason we built Scale8.com - Time to replace Google Analytics and Google Tag Manager :)

sixothree15 hours ago

Yeah, it was another one of those trojan horse programs. Offer something incredibly useful to website owners; something so compelling that they literally can't say no. An oh, it just happens to track the activity of every web user anywhere in the world.

The alternative offerings at the time were fairly awful compared to what google released.

sfifs11 hours ago

So reading the English text it is not clear what exactly is the unlawful part. Is the fact that data is flowing to US based servers (which I assume is trivially managed by changing GA server location to Europe) or the fact it is flowing to an American Headquartered company, regardless of where the data is flowing to?

Can someone comment if the Italian language text is clearer? Or ehat is in the judgement?

makeitdouble9 hours ago

There’s a bunch of steps, but jumping to the extreme, a foreign gov having access to the data is the awful part.

Data flowing to the US violates that, assuming Google US cannot refuse US gov requests, the headquarter having access to the data is also not accepted.

lmkg17 hours ago

This is consistent with decisions from the Austrian and French data protection authorities (DPAs). Note that Google is a Processor (for this product), meaning that Google itself does not violate GDPR, but only the websites that use it.

Following the Schrems II case, the "threat model" used by EU courts on these matters is "American law enforcement can serve a warrant to American companies." Long story short, any processing that Google does after collection is not considered to offer any protection, because American law enforcement can just tell them not to do that and they won't. Hence, the "Anonymize IP Address" setting in Google Analytics is not considered to have value for GA.

It might theoretically be possible to use GA compliantly by proxying data through an EU-owned service which obfuscates anything considered personal data, at minimum the IP address and various cookie values. This scenario hasn't been confirmed by anyone as compliant, but the regulators seem to always go out of their way to dance around it rather than just saying "GA is non-compliant, always, forever." Still, for the trouble to set up such a service you might as well just stand up a self-hosted first-party analytics solution.

This particular decision on GA is purely about the cross-border transfers, and doesn't seem to touch on whether using cookies for analytics requires consent. That's a separate issue (technically about a separate law).

V__17 hours ago

> meaning that Google itself does not violate GDPR, but only the websites that use it.

This is so baffling to me. Google has subsidiaries in the EU. The fact that it's ok to give a product to a EU client which can't be used in accordance with the law, and the client is responsible, is just idiotic.

humanistbot17 hours ago

To be compliant, Google can just set up data centers specific to GA in one of those EU subsidiaries, so GA admins can choose to have their visitors' data stored only in an EU data center (and promise to not transfer that data to the US). This wouldn't be that hard to do.

gostsamo17 hours ago

No, they can't as far as I get it. The american cloud act entitles US law enforcement to serve orders to US companies and their foreign branches. So, if you are american with a company in the EU, the important part is that you are an american, not that the company is in a foreign jurisdiction.

closewith17 hours ago

Yes, specifically the CLOUD (Clarifying Lawful Overseas Use of Data) Act, which was enacted following a case in 2014 where Microsoft refused to hand over emails stored in the EU (Ireland, in that case) on foot of a domestic US warrant.

The CLOUD Act expressly brings data stored by US-based companies anywhere in the world under the purview of US warrants and subpoenas.

https://en.wikipedia.org/wiki/CLOUD_Act

+1
tempestn17 hours ago
nisegami16 hours ago

It really makes no difference where the data is stored once it's accessible by a US company:

"The CLOUD Act primarily amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil."

from https://en.wikipedia.org/wiki/CLOUD_Act

openplatypus16 hours ago

As mentioned by other commentators, this is not enough. Schrems II ruling exposed the risk here. If servers are in EU but are undereffective control (even via proxy) of country with inadequate control (US, RU, CN), then you can't use data location as argument.

MrQuimico17 hours ago

The problem is not only the geo location of the datacenters. As long as these subsidiaries are under the control of a USA corporation, this is illegal, since the USA corporation can be requested by the USA gov to share any data they may have not matter where it's stored. Only options are a 100% GDPR compliant solution (European or from a country with similar laws) or self-host. Hopefully another Privacy Shield like agreement will be in place soon.

ClumsyPilot17 hours ago

> another Privacy Shield

its real name should have been privacy hole

dylan60417 hours ago

It wouldn't be hard for Googs to do this on their own so that they comply with the rules/laws in the markets they are operating vs giving it to the end user as an option in the configs. Most people using GA probably wouldn't know what any of that meant anyways. They just want the numbers so their marketing people can tell them what to do next. I'm talking the people running sites on Wix type sites vs having an actual dev team that can push back against a marketing department

shadowgovt17 hours ago

Building out the infrastructure necessary for Cloud to be compliant with region-stored data was a multi-year project.

Huge swathes of Google's architecture (especially its legacy architecture) have deeply-ingrained location-agnosticism assumptions. It turns out to be extremely complex and expensive to remove those assumptions given the way Google handles data once it hits their datacenter fabric.

(Not impossible, mind, just that this assertion that it wouldn't be that hard to do is in "I could build Twitter in a weekend" territory).

+1
robin_reala17 hours ago
leephillips17 hours ago

I don’t find it idiotic. It was the client’s decision to spy on its users. I have no sympathy for companies who make that decision.

pessimizer15 hours ago

Why do you have to be sympathetic to the client in order to also condemn Google? If someone was selling bleach as a cure for autism through a network of distributors, do you have to be sympathetic to the distributors in order to condemn the manufacturer?

V__17 hours ago

> It was the client’s decision to spy on its users.

Calling it spying is a little far-fetched I think, when the problem was the transfer ip addresses to US servers, not Analytics itself.

+1
leephillips16 hours ago
rattlesnakedave16 hours ago

It was the client’s decision to use the service.

leephillips15 hours ago

Which is a decision to spy on the users.

gretch17 hours ago

What about Italian websites that serve customers outside of Italy?

V__17 hours ago

If they serve customers outside the EU, then they should comply with those laws or not serve them at all.

bradgessler9 hours ago

I've slowly started ripping Google Analytics out of my Rails projects and replacing it with https://github.com/ankane/ahoy.

It's so much better! I can just use SQL to see what's going in and not get overwhelmed with 100's of visualizations and complicated dashboards.

nathan_f778 hours ago

I use Ahoy too, but I don't have very good visibility into the data. I should spend more time building queries and creating charts. I should probably set up blazer as well: https://github.com/ankane/blazer It would be really nice if Ahoy came with a web UI that covered all the basics.

bradgessler8 hours ago

Agreed. It would be a really great open source project to have a dashboard with all the basics in addition to standard Ahoy event captures.

louhike16 hours ago

The CNIL in France is really pushing companies to not use Google Analytics, and you better listen to them here. It seems US companies should really make changes to how they host/manage data to be able to able to work in EU in the near future. (It isn’t a criticism, simply an assesment).

f1refly14 hours ago

There's nothing US companies can do to make themselfes legal to use here. The legal framework in the US allows dragnet spying on every non-american and american companies are forced to participate in that effort.

jeroenhd13 hours ago

They're perfectly legal if they don't process any PII. If a US company serves static content there's no need to fear the EU; they'll just have to disable illegal external integrations like Google Analytics/Fonts/etc.

A company doing business with other companies might find themselves in a position where they can comply perfectly. Not every company needs to collect PII, though these days every company likes to pretend they do.

IX-10311 hours ago

When PII includes IP addresses it's kind of hard not to process. How else are you supposed to group metrics over a session (since cookies are also forbidden)?

This seems to ban third-party analytics by any US company. The cynic in me feels this is a little convenient in how it advantages EU organizations over foreign ones...

jeroenhd5 hours ago

You don't strictly need automated analytics to sell services to foreign customers.

Collecting most if not all analytics is forbidden, for sure, but analytics and metrics aren't inherently required for businesses.

dx0345 hours ago

Session cookies are allowed if the user agrees. And if the user doesn't agree, you have no right to process PII to group metrics over a session. That's the big shift here, assuming you have a right to build a profile on a user (or even evaluate their behavior) without their consent is not legal under GDPR.

And as a European, I'm very glad that's the case. I know, we're still not close to compliance with GDPR, but it has changed the privacy discussion more than any other part.

+1
koyote9 hours ago
tannhaeuser15 hours ago

Well HN, how about a badge for links indicating whether it uses ga? We have to start somewhere don't we? Or we'll continue to see the web decline. Actually, from my PoV, it might be too late already. Maybe it's just me or people in EU being harassed with banner popups, but I hardly go to any link anymore, and so do many other people I know. It's just not worth it.

aembleton2 hours ago

> how about a badge for links indicating whether it uses ga?

Sounds like a browser plugin would be best for this, then all links across the web could show it. Or you could just block it in uBO and not think about it again.

butterNaN14 hours ago

A bit individualist solution but you can block it with NoScript on your browser

ronsor15 hours ago

I'm an American, but I occasionally use an EU VPN. I don't understand how EU residents can tolerate the number of cookie/privacy/GDPR/whatever popups every site has, even on the sites of EU companies.

solar-ice2 hours ago

My impression is the lawmakers assumed that companies would do what they go on about in their blogs and marketing material all the time - ensure the best user experience for their customers, which they could do by properly complying with the GDPR.

Instead, the companies took their masks off and decided to beat us over the head with illegal consent popups to trick us into believing that a damaged user experience is the only possible outcome of the GDPR.

iLoveOncall15 hours ago

We don't. Outside of a few greybeards the vast majority of the population would gladly send all of their data including dick pics and credit card numbers to remove those popups.

The law was absolutely useless because 99% of the websites have an illegal implementation and still added a major annoyance in the form of the popup / banner.

jokethrowaway15 hours ago

We Europeans are generally used to do whatever the government tell us.

We don't have the same culture as Americans.

Don't get me wrong, you had a pretty bad deal as well: without much fanfare, your government grew up so much in the last 200 years that it became the largest employer in the world. You pay loads of taxes (even more than several EU countries) and get very little benefits.

And yet, I'm sure that if we will get to a political solution to the ever-growing cancers that governments are, that solution is more likely to appear in the states than in Europe.

Europe is a hopeless - albeit beautiful - land. The people gave up change 50 years ago.

trasz49 minutes ago

>We Europeans are generally used to do whatever the government tell us.

As opposed to those who used to do whatever the private companies tell them?

tannhaeuser14 hours ago

Err, just to avoid further misunderstanding: I'm pro-GDPR ;) and think it's right to confront users with the hydra behind the crap on the web. What I think has destroyed the web is attention economy, monopolies, the race to the bottom, and lack of incentive for quality content.

Agree though that Europeans could do with more libertarianism and less trust in state; it's something that's been a big issue for me since at least CoVid hysteria.

AdriaanvRossum13 hours ago

Regarding forbidden countries, it’s not forbidden in the Netherlands, yet. They will announce a verdict in a form of a report by the end of 2022 [1].

To give people an option and pink something else over Google Analytics, I have built an alternative, Simple Analytics [2].

It doesn’t use cookies or any form of tracking and you get still the useful data that 80% of the website owners need.

[1] https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/interne... (in Dutch)

[2] https://simpleanalytics.com

jeroenhd13 hours ago

Worth mentioning that DPAs tend to work together to prevent conflicting laws across the EU. Following Austrian, French, and now Italian rulings, it's almost guaranteed that the Dutch authority will come to the same conclusion.

apd_7 hours ago

How do you track "visitors"?

nathan_f778 hours ago

I'm actually just about to get rid of Google Analytics on DocSpring.com. I set up a self-hosted instance of Plausible Analytics on Render.com yesterday. I really like it so far. I set it up on a custom subdomain so it's not blocked by any ad blockers, so it's really nice to see analytics data that's almost 100% accurate (unless visitors disable JavaScript.) Especially since DocSpring is a developer tool, so most visitors are using an ad blocker extension. Also it doesn't use any cookies, so I don't need to show a cookie banner. It really feels like a breath of fresh air.

zugi15 hours ago

I use NoScript and block Google analytics, facebook, etc. It's nice that they use a domain separate from google.com, making it easy to block.

leephillips13 hours ago

Yes. I have all their analytics and ad network domains blocked in my hosts file.

hbfdhfdhadfhnfa15 hours ago

Meanwhile, COVID-19 certificate app for Czech Republic citizen's uses Google Analytics. We are not the same. Good job Italy!

dclusin16 hours ago

Suppose I run a website in the us and a user in Italy connects to it. Does this mean I’m now breaking the law serving them the website? My connection logs now have pii.

What if I use a cdn that has points of presence in Italy and still pings my server with a head request and the end user ip?

Am I also now breaking Italian law by using google analytics?

peoplefromibiza16 hours ago

> Does this mean I’m now breaking the law serving them the website?

As the article specifically states:

The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.

So, unless you are collecting EU citizens user data, transferring it to US and have the capabilities to enrich such data through additional information you hold, no.

curiousllama16 hours ago

IIRC, it basically only applies if you're actively doing business in the EU, or courting future business.

So, if you have a personal blog that grabs IPs? Not illegal. If you start a merch shop for your blog (or put in ads/sponsored content, etc.), then the whole site needs to be GDPR compliant.

tpxl17 minutes ago

> If you start a merch shop for your blog (or put in ads/sponsored content, etc.), then the whole site needs to be GDPR compliant.

And you do business in the EU. If you have a merch shop, but don't serve EU users (no EU shipping, not accepting EUR as a currency, no EU specific languages (German, French...), ...) there is no problem.

kmlx16 hours ago

https://en.m.wikipedia.org/wiki/HTTP_451

> After introduction of the GDPR in EEA it became common practice for websites located outside EEA to serve HTTP 451 errors to EEA visitors instead of trying to comply with this new privacy law. For instance, many regional U.S. news sites no longer serve web browsers from the EU.

freyr8 hours ago

I’m supporting of privacy, but it’s amazing how heavy-handed European regulation can be, and how difficult it can make understanding even basic metrics about our business and how those metrics have shifted over time. I suppose their intentions are good though.

makeitdouble7 hours ago

Suppose you had an internal tracking library, aggragating data fetch from your own site and mobile clients, all data saved in a data center managed by your country's most reliable provider. EU directives would be a no-brainer.

That scenario has always been an option, and would be the most common case if Google didn't provide their own service for free or at cost. What's happening with the EU feels disruptive only because Google had such an unatural position in the market.

realusername6 hours ago

All of that is because of the cloud act, non american companies won't have as much issues. The obvious solution is to remove this spying law breaching EU laws and common sense.

naet16 hours ago

As more and more country specific legal regulations are raised, I wonder who will be the ultimate gatekeepers of the general internet when certain actors behave against the "rules". The current landscape is a complex system of seeming contradictions straddling different levels of public and private, centralized and decentralized, anarchical and moderated, etc.

Will ISPs be forced to cut off traffic from certain areas? Will centralized companies like Google and Reddit be forced to comply with regulations or cut off services in certain areas? Will governments set up firewalls? Will the buck of responsibility be passed upwards to service providers like GA, or downwards to individual site administrators?

UncleEntity15 hours ago

Nah, they’ll just slap them with a fine now again as a substitute for direct taxation and let them do what they do basically unchanged.

Once the Europeans have to use a foreign proxy to see the regular internet, like the Chinese, then we will have a real discussion on online privacy.

djbebs14 hours ago

Have you tried to go to rt.com hany time recently?

aembleton2 hours ago

Still works for me from the UK

djbebs14 hours ago

We already do.

scoutt4 hours ago

I wonder what will happen with websites that use payments integration like PayPal or Stripe.

cardosof16 hours ago

Hindsight is 20/20 but wasn't it clear that the company selling ads shouldn't be in charge of metrics for traffic and ads? Just like the TV channels had to rely on media rating firms.

youngtaff15 hours ago

Not sure an ad company should he in charge of a browser either

cardosof15 hours ago

Oh and don't forget a major OS

badkitty9916 hours ago
humanistbot17 hours ago

From the article:

> A website using Google Analytics (GA) without the safeguards set out in the EU GDPR violates data protection law because it transfers users’ data to the USA, which is a country without an adequate level of data protection.

> Upon expiry of the 90-day deadline set out in its decision, the Italian SA will check that the data transfers at issue are compliant with the EU GDPR, including by way of ad-hoc inspections.

This follows similar decisions by France [1] and Austria [2].

[1] https://iapp.org/news/a/cnil-is-latest-authority-to-rule-goo...

[2] https://iapp.org/news/a/far-reaching-implications-anticipate...

sylware13 hours ago

I don't understand.

They can host locally the data and remotely query it.

What's important is the "intelligence" the data does provide: giving critical and unfair advantage for those who have the whole data.

For instance, microsoft has an unfair advantage almost anywhere because they have access to the whole linkedin database.

jeroenhd12 hours ago

European companies are not allowed to share PII with American companies. That goes for companies with a headquarters in the USA or subsidiaries that may be forced to share data thanks to laws like the US Cloud Act.

Previously, the EU exempted the USA through an "adequacy decision". That was later deemed illegal under EU law as American laws could not guarantee the privacy of EU citizens to the extend the GDPR prescribes. Then the EU tried again, and again such a decision was also overturned in court. The EU is working on another attempt at letting the USA track PII of EU users, but until they do that again (probably for another few years) it's illegal to share PII with American companies in almost all situations.

This is the third time a data processing agency has declared the use of Google Analytics illegal so it shouldn't really come as a surprise to those following tech news.

What's important is that the data is PII and that it's going to a place that can't guarantee privacy to an acceptable standard. Business advantage is irrelevant. The intelligence the data provides is also irrelevant. European privacy laws serve people, not businesses.

de6u99er12 hours ago

15 years ago Google Analytics was cool. But ar some point Google ditched the "Don't be evil" culture and tried to get as much out of Google Analytics for themselves, that it became unethical.

As long as they haven't died ...

yrgulation12 hours ago

Time to get off my arse and write a self hosted privacy oriented analytics tool. Whatever happened to awstats. The question is - how to monetise on it?

tmoneyfish17 hours ago

I'm building my own open source analytics solution exactly for this reason.

tqi15 hours ago

2008-2018: Banking reform

2018-202?: Data privacy

I wonder what the next trendy thing government officials will pretend to care about/fix in order to garner media attention. Something crypto related, maybe?

onphonenow15 hours ago

At what point do operators just start blocking access from EU countries. It's hard to imagine its worth jumping through all the complexities here at some point.

phatfish13 hours ago

Bring it on. Anything that disconnects people from the American tech industry and encourages domestic competition is a good thing.

amitparikh3 hours ago
panzerboiler15 hours ago

Sure. Block access to 450 millions people because it is inconvenient to respect their privacy.

dogman14412 hours ago

Man, wish we’d do that in the US. Not sure what else to insightfully add after all these years.

ec1096858 hours ago

Google needs to do what apple is doing with PrivateRelay and putting double blind proxies in place so PII can be stripped before Google gets its hands on it.

Traubenfuchs3 hours ago

Aren‘t there like about 100 google analytics clones available that do exactly the same thing?

rkagerer13 hours ago

These guys are my heros

mrkramer16 hours ago

Google is sucking in so much data that at the end it will be outlawed everywhere.

takethat16 hours ago

anyone runs self hosted matomo/piwik instance for analytics?

leephillips17 hours ago

Good. US citizens should be, at least, disappointed that their government is so bad at protecting their privacy, that US law is so far behind the times.

To those companies and people who find these EU decisions baffling or inconvenient: tough. If you had had respect for your users this would not be an issue. You would already not be spying on them.

To website visitors: if you see a cookie banner, the site is asking permission to spy on you. If that concerns you, close the tab.

NaturalPhallacy12 hours ago

I'm not disappointed I'm infuriated. Because the US uses technology companies to get around the 4th amendment all the time: https://www.salon.com/2013/04/24/government_giving_att_other...

The US isn't "behind" it simply has no intention of moving in that direction, despite the 4th amendment making it really clear they're not allowed:

>The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

aliasxneo16 hours ago

> To website visitors: if you see a cookie banner, the site is asking permission to spy on you. If that concerns you, close the tab.

There was a recent ACM article on this. They found there was a large number of sites that don't actually ask permission for anything, they are simply informing you of the spying. Not surprisingly, the ones that did allow modifying cookies were all setup in a predatory fashion which discouraged the disabling of tracking.

The whole system is broke at the moment.

Swenrekcah15 hours ago

It’s because they’re allowed to use the word “cookies” for it.

If they were required to use specific wording, like for instance “injecting surveillance artefacts” people would probably care a bit more.

aliasxneo12 hours ago

Not necessarily. The team that wrote the ACM article did a small user-test using various versions of the "disable cookie" banner. In all cases they concluded that the user was indeed aware of the negative impact of cookies, however, the need to just "get back to the content" often overruled that distaste.

Not surprisingly, the most effective banner they found was the one which had a single "disable all cookies" button. It was something like an 80% hit rate. So, people care, but not enough to dig into another prompt to uncheck a bunch of boxes. This is what the ACM writers referred to as predatory (abusing human nature).

gattilorenz14 hours ago

Hardly. It's like the requests for administrative rights in Windows Vista, or the installers with many browser addon bars...

Nice idea in theory, but if it's too frequent the awareness will, at some point, just disappear.

googlryas15 hours ago

Pragmatically, to what extent do you believe the European laws have protected Europeans above and beyond how American laws have protected Americans?

Basically, what class of badness are Americans subjected to due to behind-the-times data protection laws, that Europeans are protected from?

ApolloFortyNine15 hours ago

It's possible for a company, which is seemingly providing you a service since you visited the site, to make money off a targeted ad in exchange for free video streaming/content/entertainment.

The whole thing has always seemed overblown to me. Websites make much more money off targeted ads, allowing them to do things like allow anyone to upload a video of any length and quality for free. And view other videos people upload. In most cases it seemed to me like a fair trade to make. Yet as people point out all the time, technically a website isn't allowed to deny access to someone who refuses targeted ads (through the cookie pop-up), so they're essentially being forced to provide that user content at a loss. Untargeted ads are often worth 90% less or more than their targeted equivalent.

Privacy privacy privacy though, as if someone at Google is manually looking through your history laughing at you.

nerdponx9 hours ago

> Privacy privacy privacy though, as if someone at Google is manually looking through your history laughing at you.

Part of the problem is that it seems more or less impossible to get large companies to keep their data secure. In fact Google stands out as maybe the only big tech company that has not been involved in a major breach.

Notwithstanding the legal and political issues that arise when (not if, but when) this data gets into the hands of law enforcement agencies.

And yes, there have been individual instances of employees misusing sensitive user data.

Privacy is security.

Generally I agree that content providers should be allowed to make money somehow, but this way has proven to be untenable and something needs to change.

stjohnswarts14 hours ago

Give me the option to pay more if it lets me get more privacy. Otherwise I keep using fake accounts, VPN, antifingerprinting methods, ad blockers, etc.

trelane14 hours ago

Some places do. Many German news sites have a "Pur" version you can subscribe to and not get ads.

cm201214 hours ago

You won't get a good answer to this because there isn't one. These no realistic, practical harm to people that this EU law is preventing.

baconmania6 hours ago

Given your comment history, it’s clear that you’re driven by motivations that aren’t at all universal.

More bluntly, you’ve decided that consumer-surveillance-as-a-service is harmless. I’m thankful that the European regulatory apparatus disagrees. Now if only we could remind the American federal government why regulation is a worthwhile effort.

franciscop10 hours ago

I believe a part of the data-privacy laws and sentiment in Europe comes both from the WWII and the civil wars/dictatorships/etc that happened across EU. When in our grandparents time (YMMV) the government was compiling list of citizens or checking what they were doing in their private lives, it was not to give them flowers. And while that still sounds pretty far from me, it was also fairly recent in the past so that there's some social residue of the sentiment.

BUT to answer the question directly, credit checks to the level they are performed in the USA sound like a horrifying thing and a total privacy breach for us EU citizens.

jacooper13 hours ago

European laws are pushing to end Chat providers control over social interactions(which is something that shouldn't be done for profit any way) in the Digital markets act, which forces big apps to provide federation APIs.

The EU with the GDPR made an incentive to not use trackers, dont want that ugly tracker on your site ? Then stop selling data, that's why private analytics like Plausible and Umami have sprung to life. And also made it clear how much tracking is on the web.

There is also finally a movement to let the US host everything because really, the US isn't trust worthy.

So, the EU laws, gave better awareness about tracking, gave incentives to not use trackers, and is now working on improving the user experience by stopping the monopolization of social interactions.

Adrox13 hours ago

Have you heard of Robo-calls? Basically there are no Robo-calls in EU, because you can just add yourself to a Government no-call list. If any company doesn’t respect that, they get a huge fine.

mattmcknight15 hours ago

> To website visitors: if you see a cookie banner, the site is asking permission to spy on you.

Or you know...count how many unique visitors they have and how to make the site more useful. Do you avoid using cookies on this site but still manage to log in?

Kovah15 hours ago

Cookies needed to properly provide user authentication, i.e. user session identification, are counted as "technical necessary" cookies and do not need a cookie banner. You only need to ask for cookie consent, if you track visitors with third-party services. And, to counter your unique visitors claim: you don't need cookies, or any third party service, for that. Everything can be done locally without disrespecting user privacy.

leephillips14 hours ago

Exactly. HN doesn’t need a cookie banner because they’re not spying on their users. No barrier to keeping track of sessions.

leephillips14 hours ago

Do you know the difference between cookies and a cookie banner? Do you understand why this site can have login sessions, and even keep track of the number of unique visitors, yet is not required to have a cookie banner?

tensor13 hours ago

Have you researched to know if this site is hosted on a US server? I wouldn't be surprised if it is and I also wouldn't be surprised if your IP address was additionally stored in a log somewhere for a period of time. In the US.

jeremyjh12 hours ago

Yes but they are not tracking you with third party services, so regardless of where the server is they would not need a banner. The banner is a request for surveillance permission.

2OEH8eoCRo016 hours ago

America is the LTS branch of Democracy.

hallway_monitor16 hours ago

Privacy improvements will be pulled in along with independent political parties in the next kernel update.

feet11 hours ago

You guys are getting kernel updates? Our supreme court is taking us back to v0.1 from 1800

feet16 hours ago

I think the support contract ended a while back

peoplefromibiza13 hours ago

more like the archived repository on Github

takethat16 hours ago

and global wealth.

nix2316 hours ago

More like the bitrotting prototype ;)

SkinTaco16 hours ago
baisq16 hours ago

If a modern democracy requires an ever-growing government I think I will stick to Democracy Stable.

tclancy15 hours ago

Here in NH we have a group of people trying to compile their own. I never thought of them as distro hipsters, but it tracks.

nerdponx9 hours ago

My impression of these people is that they generally use very out-of-date versions, and they misunderstand/misuse configuration settings to the point that their builds are illogical for anyone's needs, despite their surface-level appeal upon skimming the manual & ancient mailing list messages. So the government performs efficiently for some very specific workloads, but generally lacks necessary features to run society at web scale.

mxuribe16 hours ago

Agreed i'm not interested in "ever-growing"...not for a distro nor a gov...but i am interested in an evolving one for the better - i.e. improve effectiveness, and reduce bloat if it adds nothing of value. ;-)

feet16 hours ago

Europeans seem to have it pretty nice, social housing in Austria is absolute fire and enables incredible stability in the population

In the US we put spikes on concrete so the dirty poors can't rest

baisq16 hours ago

Thinking that the situation of the majority of Europeans is the same as the propaganda that you read is a big, big mistake.

+1
jokethrowaway15 hours ago
whimsicalism14 hours ago

An equivalent regulation to the one banning GA in the US would not ban GA because the data centers are in the US.

stjohnswarts14 hours ago

No one is asking for exactly the same law, just the same results: more privacy.

dmix13 hours ago

> To website visitors: if you see a cookie banner, the site is asking permission to spy on you. If that concerns you, close the tab.

I'd love to see how often people do anything besides click okay anyway (I'd be very surprised if it wasn't 99%+).

lolinder13 hours ago

Unless there is a very simple "reject" button, I click okay. Between Firefox's native protections, DNS-level blocking and uBlock, I have a lot more confidence in my own protections than I do in their honesty, and it's not worth it to me to uncheck a bunch of boxes.

dmix11 hours ago

Yeah clicking anything but okay or reject all (which I rarely ever come across) is usually a maze of options no one has time for except some tiny dedicated minority.

290830113977788 hours ago

Really? I could have sworn the EU regulation requires dropping all non-essential cookies in 2 clicks or less - and that tracks with nearly every site I interact with that has a cookie banner.

nerdponx9 hours ago

Sometimes it's easier on mobile to just accept all the garbage cookies and then clear my cookies & site data after I'm done with the page.

But they are probably fingerprinting my phone anyway through other means.

tick_tock_tick15 hours ago

If I thought the EU was doing this to protect privacy I'd be all for it. They really don't give a fuck as seen by ever bit of legislation they are pushing for. Yes I also do understand that the EU in general view privacy from the government as illegal rather then a right.

SahAssar14 hours ago

The EU has both enacted the most promising and some of the most backwards, stupid and regressive privacy laws. I'm guessing that it depends on what representative guides it and forms it through the various processes, and what the courts do with it. Overall I think they have moved the needle towards more privacy.

> Yes I also do understand that the EU in general view privacy from the government as illegal rather then a right.

That is absolutely not true, at least not by enough people for anyone to be able to make that sort of blanket statement. I'd also wonder what reasons you have for thinking that, it seems to me like all of the 5-eyes used each other to spy on themselves (besides all of the things done by normal police, various levels of federal police, etc.)

encoderer15 hours ago

Well I’m not an expert but I think the main issue is that American citizens have protections that non-Americans do not. The government cannot spy on Americans without a court order.

SahAssar14 hours ago

Unless they have an intelligence sharing agreement with a nation that happens to pick up signals from americans, from who they can request that data. And maybe there exists a network to share the raw data, wouldn't that be convenient? Or you could have a secret court system (FISA) to bypass most of the protections normally granted by due process?

skrtskrt15 hours ago

> The government cannot spy on Americans without a court order.

Have I got news for you. Specifically at least 100 years of news.

darknavi15 hours ago

The word "spy" is so loose these days. I'd consider the vast swaths of metadata other companies compile on me "spying" to an extent.

judge202015 hours ago

> You would already not be spying on them.

Can you point me to the part of the ban that says it's about protecting users from "spying in general" and not "protecting users from spying by US companies instead of EU companies that EU member states can obtain PII from at any time"?

mhitza14 hours ago

> "protecting users from spying by US companies instead of EU companies that EU member states can obtain PII from at any time"

I want to quantify this quote. Each EU country can spy on its citizens to similar extent as 3 letter agencies from the US, but in a less analytical/big meta data way (part of it being the US brain draining EU countries for those working in tech).

However, if EU country A wants to have access to its citizens user date on website X located in EU country B, is not an easy process; involving a strict judicial system between those countries.

leephillips14 hours ago

I think your logic may be a bit muddled, or I misunderstand your question (but, if I take it literally, my answer would be “no”.)

Not spying ⇒ not using GA ⇒ this ruling moot.

BolexNOLA16 hours ago

My buddy is a manager at a chemical plant, and your comment reminds me of a very astute statement he made recently.

“I don’t generally like unions. I’ve worked at both union and non-union plants. But anytime someone else complains about unions, I remind them that if they have a union at their plant, they earned it.“

saas_sam16 hours ago

When union plants are shuttered in favor of non-union plants, did they earn that too? Or does this logic only apply in one direction?

jrajav16 hours ago

I think it's fair to say that most unions have been established as a sole result of proportional human effort, while the same cannot be said for the success of most businesses. There are many instances where an existing imbalance in power or resource ownership is a significant factor in a business' success.

tbihl16 hours ago

Yes? Why wouldn't they?

feet16 hours ago

Sounds like a manager's take on unions, at least he sounds somewhat reasonable. Good on him

scarface7415 hours ago

Yes “we care about privacy. But we also want a back door to all encrypted communications”.

https://appleinsider.com/articles/22/05/11/eu-plans-to-requi...

tensor13 hours ago

If you feel this way I hope you do research before visiting any website at all, because you might accidentally connect to a server in the US and your IP address will be in the TCIP stack of that server and probably the logs too. US servers that are intended to serve US customers have no obligations to you.

drstewart16 hours ago

What about Australian citizens?

ryanmcbride17 hours ago

I've been using clicky on a few of my sites and even though they _assure_ me that it's totally compliant with gdpr I don't really believe them, does anyone have a decent alternative for analytics that respects people's privacy? I just want to see when I get new vs returning visitors on a page. Cloudflare's analytics are okay but I like how granular clicky can get, but if there's no good way to do that I think I'm just gonna ditch clicky and make do with the cdn analytics. Hell, I bet the cdn already does everything I need and I just don't know how to use it right, or I'm not paying for the right tier or something.

ClumsyPilot16 hours ago

matomo is something you can self host

tensor13 hours ago

Note that you must make sure that your host is not in the US as well.

solar-ice15 hours ago

There's several self-hosted solutions, as well as several GDPR-compliant SaaS solutions. They generally work pretty well; I've seen people set up, for example, Plausible, in a couple of hours on a cheap VPS.

scale814 hours ago

This is why we built Scale8.com !

An open-source and privacy-friendly alternative to Google Analytics & Google Tag Manager :)

GA is simply not compliant...

https://scale8.com/blog/is-ga-gdpr-compliant/

throwawayjun2117 hours ago

everyone should avoid google products/services like a cancer.

clairity16 hours ago

i’d support any legislation that booted google, fb, ms, adobe, salesforce, and a whole host of other surveillance tech companies from any and all levels of government. it’s literally as important as the separation of church and state. in fact, i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones, in all facets of civic life (e.g., campaign finance).

abarwick15 hours ago

This is just naive. Government offices/agencies are so tightly coupled with packages like office 365 that forcefully separating them would require home built solutions which would always be terrible, less secure, and more expensive to the tax payer. There’s a lot of good these products can provide, granted they are properly audited and have high security requirements.

jcelerier14 hours ago

Idk here in France there are cities and state-wide administrations with free/libre stacks based on Linux, LibreOffice, Zimbra and others and things seem to JustWork™. For instance the french Gendarmerie, the cities of Rennes and Arles...

pyrale14 hours ago

Arles is getting suckered by Microsoft, sadly [1]. Unfortunately all it takes is one idiot to get in office once to kill this kind of successful initiative that has been running for almost two decades.

[1]: https://larlesienne.info/2022/02/22/la-municipalite-de-carol...

spoonjim13 hours ago

Are there any high functioning large companies that use Linux/LibreOffice/Zimbra? I suppose governments rarely aspire to be high functioning.

+2
quadrifoliate12 hours ago
PontifexMinimus11 hours ago

> would require home built solutions which would always be terrible, less secure,

I disagree. It would be relatively straightforward to build such systems on Linux and open source.

> and more expensive to the tax payer

As a proportion of Italy's GDP, the cost would be negligible, especially given that this is a matter of national security, something governments tend to be keen to spend money on.

stickfigure10 hours ago

> As a proportion of Italy's GDP, the cost would be negligible

After how many failed rewrites that never deliver a working product?

ehnto9 hours ago

The assumption here seems to be that the government would be writing the software, but it would go out to market. This would be a fantastic opportunity for a local software company to put out something in the space. I'm foreseeing more of this kind of thing as data sovereignty becomes a more considered issue by governments.

The other undertone I'm getting from this thread is that people think America has a monopoly on building software, and that's simply not the case. It's not hard to find companies doing really good work outside of the US. There is also nothing special about Office 365, it doesn't have a technology moat, it just has a surmountable interoperability moat and a social moat.

alsetmusic14 hours ago

I didn’t read it as government can’t use commercial products. Just that the corps couldn’t influence politics. But I’m not the OP, so I can’t speak to what was intended.

scale814 hours ago

More around the storing of data. This is why Scale8.com is on EU servers...

ekianjo12 hours ago

your whole argument is based on the assumption that proprietary software is superior in every single metric. thats just patently false.

itronitron14 hours ago

Most developed countries have several offices/agencies that already run 'home built' solutions, they just don't get talked about much.

jacquesm13 hours ago

They get talked about incessantly at the local Microsoft HQ.

clairity15 hours ago

ah, the ad hominem, never a good sign for the proceeding argument.

there are a number of other office suites that are entirely adequate for bureaucratic organizations to build methodical processes around (which is what bureaucracies do). the capabilities of the underlying tools don’t matter much in this regard.

also, audits aren’t meant to prove anything (like security), but instead to shift liability.

mmanfrin15 hours ago

> ah, the ad hominem, never a good sign for the proceeding argument.

An ad hominem means using an insult as the basis for rejecting an argument, e.g. 'that is wrong because you are [attack]'. Saying an argument is naive and then explaining why is not an ad hominem.

+3
clairity15 hours ago
Jcowell15 hours ago

> ah, the ad hominem, never a good sign for the proceeding argument.

GP never says that you’re naive, but the comment was.

+2
clairity15 hours ago
scarface7415 hours ago

The average large organization uses over 100 SaaS products

https://www.statista.com/statistics/1233538/average-number-s...

I would love to see you replace all 100 of those with open source software.

Have you ever dealt with large technology migrations?

+1
quantum_magpie14 hours ago
+1
clairity15 hours ago
rapind14 hours ago

100 SaaS products in one org sounds like a security and logistics nightmare.

+1
throw82747473713 hours ago
einpoklum14 hours ago

> are so tightly coupled with packages like office 365

Are they though? Do you know this for a fact? I mean, sure, MS Office is very popular in government settings, but does this really go beyond the possibility of just replacing it with LibreOffice if they so decided?

TurningCanadian13 hours ago

Sharing a link to a document that others can edit in the cloud is much more convenient than emailing around a _final_v3(2).docx document.

einpoklum2 hours ago

Well... there's Collabora online:

https://www.youtube.com/watch?v=xbQFTkFaYlo

or Box/DropBox/other cloud storage services, which is less convenient than proper collaborative in-pace editing, but you can still get the file at the link, edit it and upload it.

abarwick12 hours ago

I obviously can’t speak for all, even most, but back in my consulting days I can say the many US federal and state agencies use Azure AD and a litany of AWS services that are core to vital work streams. Enough that having to shut them down would neuter the department.

oska10 hours ago

> Enough that having to shut them down would neuter the department.

You've just identified one very good reason that they shouldn't be dependent on a single, proprietary vendor.

Really, I was surprised to find your original comment on Hacker News, especially with you ironically fronting it with calling other people naive.

daniel-cussen14 hours ago

Russia has that. Just typewriters and stationary.

Terry_Roll14 hours ago

Rubbish, there has been a concertive effort by the US to undermine other countries including so called NATO allies in order to dominate the world, its been going of for decades.

I refuse to use the NHS here in the UK because of the widespread use of Microsoft everywhere.

sam0x1714 hours ago

Sounds like it would create jobs too, that's a plus not a minus lol

tvink14 hours ago

"Creating jobs" to inefficiently solve a solved task is not a good thing, it is society burning it's tax income. It is only good to create jobs when the output of those jobs is increased value.

+1
the_other14 hours ago
sam0x178 hours ago

If there isn't anything generally available that doesn't have telemetry, then productivity software w/o telemetry isn't a solved task. If you accept LibreOffice and the like, then it's a solved task but you'll still need someone to manage it, hence job creation.

throw82747473713 hours ago

less secure? can it get worse than ms, outlook and active directory foo? they incepted their own industry around their unsecurity, lol.

terrible and more expensive is also a joke, but not as big, you still could got to ibm or oracle if you want to pay more for less, admitted

inopinatus9 hours ago

The legal and moral question is one of data sovereignty, not tools vendor. I suggest the GP comment be read with that context in mind.

majormajor15 hours ago

How far does "separating corporate interests from governmental ones" go?

Can the government purchase a car? Hire a private corporation to build a road? Hire a consulting company to check the security of their (now-free-and-without-a-support-contract FOSS?) computer setup?

Noughmad15 hours ago

It's actually quite simple. The government can buy things services from specific providers, but it cannot force you to buy services from specific providers. In other words, it can buy BMWs for government use, but it cannot say "you have to buy a BMW to enter the municipal office".

The same applies to websites. If a government website uses Google analytics, it is essentially requiring you to do business with a specific company (in this case Google) in order to use a government service.

inlined15 hours ago

And if the government uses Cloudflare or GoDaddy or aws it’s requiring you to do business with those companies. This goal is impossible to achieve with any government run service.

kevincox10 hours ago

It's easy. You just need the government to run fiber to every citizens house so that the can connect directly to the government data center.

Of course some citizens are living over seas so we can provide a satellite uplink for them.

Noughmad6 hours ago

No, those do not see any benefit from me visiting the site beyond what the government is paying them for. Analytics does, they get my data.

killjoywashere14 hours ago

> cannot force you to buy services from specific providers

But government can impose requirements, like TAA compliance (1) and SHB requirements (2) on its service vendors, forcing those vendors to purchase from a fairly constrained number of hardware providers.

https://www.dtra.mil/Portals/61/Documents/Business%20Docs/ev...

https://www.afcea.org/site/sites/default/files/files/2-ColLi...

Arainach15 hours ago

If the government takes your data and runs an analysis on an old IBM mainframe, are they forcing you to do business with IBM?

Phrodo_0014 hours ago

Is this a bad faith argument? I can't see how the difference of google having the data vs the government (or whatever entity you interacted directly with) is so easy to miss.

wutbrodo13 hours ago

Could you expand on the definition of "doing business with" an entity that you're using here? It seems quite non-standard.

If you open the door to a govt office, are you doing business with the company who installed the doors? If you use the toilet, are you doing business with the company that janitorial services are contracted out to?

Levitz13 hours ago

No, when you leave that govt office you don't have any link to those companies.

When you visit a site with Google Analytics, they still have your data after you leave.

jollybean14 hours ago

This analogy does not apply.

The gov. is using some service and therefore some citizen data is subject to the T&C's and that's it.

If Google were a German or UK company it would be the same thing - everyone subject to those T&C's.

feet14 hours ago

The gov is forcing me to pay the crony corporations through taxing me

l33t232815 hours ago

Can the government own a BMW bus?

inopinatus9 hours ago

The issue (per original article) is one of data sovereignty, and I’d identify a sibling concern of adopting open data formats.

If those are sacrosanct, the choice of tools vendor matters far less.

clairity15 hours ago

where to draw the line is a fair question in any policy debate, and one i'd expect to draw plenty of lively discussion. it's pretty clear to me that surveillance tech is on the outside of that line, but i'm open to reasonable arguments otherwise.

hulitu15 hours ago

They tried with the church and did not succeed. Why do you think they can succeed with SW.

skrebbel14 hours ago

FWIW I think the "church and state" analogy is genius, it totally resonated with me. I'm going to steal that!

adamrezich15 hours ago

> in fact, i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones

I don't think you comprehend the scope of what you're suggesting.

I work for a school district and I'm currently migrating our system from using one commercial bus routing service to another... using Windows, SQL Server, Teams, etc. from Microsoft... using a laptop, dock, three monitors, keyboard, and mouse from HP... and today the elevator was broken so we called a repair company to come fix it... oh, and some company makes the school buses, and the networked phone on my desk, and the printer around the corner, and all of the paper in it... the fluorescent bulbs above me don't grow on trees...

you can't just expect governments, even at the national level, to roll their own everything without interfacing with corporations in any way—this is a hopelessly naïve view of the world. I am just as uncomfortable as you are with data being shared with corporations, but you're going to have to figure out a more realistic set of political goals than what you've outlined here.

clairity15 hours ago

it's not really aimed at governments, so much as corporations that feel entitled to sneak in ancillary interests into their products, like surveilling the public. basically, it's to force companies like microsoft to remove all that other shit and provide just the core software, if they want access to government largess. this has beneficial externalities for us, the residents of said governments.

adamrezich14 hours ago

sure, and like I said, I agree completely. but you can't just say "i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones", unless you're proposing that all corporations should be state-owned and -operated, and that's not really a viable solution, plus it introduces a whole host of other problems.

but even if you just mean to say "government should not share citizens' data with corporations", well, there are presently two (until our license with one is up at the end of summer) separate corporations that both know where every kid in my school district lives, what their special ed needs are, what their parents names are, what their parents' contact information is, if they live between multiple households, and so forth, because that is the explicit purchase of their business, and that why we purchased their software. the same goes for another piece of SaaS we recently purchased a license to involving food service management for the school system. when designing the data export we opted to not follow the part of the schema that wants SSNs for the students (because why would they need that?!), but that might not be the case for other districts using the same software.

my point is there are a lot more interconnected corporate software services sharing citizen data at play in contemporary government systems than you probably think, and, once again, even though I agree with your position with regards to sharing citizen data with corporations... I think that ship might've pretty much sailed sometime in the past few decades.

+1
clairity14 hours ago
dragonwriter15 hours ago

> i’d love to see a constitutional amendment explicitly separating corporate interests from governmental ones

How is that possible, since corporations are, by definition, creations of government through law?

clairity15 hours ago

i mean, that's like asking how is it possible to compartmentalize anything. as elaborated elsewhere, it isn't about literally separating all interests, just those that harm the public. it's about removing the negative externalies that companies like google impose on us via such government contracts.

ta_562895213 hours ago

> just those that harm the public

But it’s not that simple. What harms the public? Many would argue being able to use data google collects (legally through subpoenas or grey-legally through any of the number reports that have come out since Snowden) helps government agencies by increasing public security—thus the opposite of harm. Being

clairity12 hours ago

in that case, it's pretty simple. the snowden leaks elucidated the government's desire to create a surveillance state with the help of corporations, not that a surveillance state would be a net-good for society.

throwntoday9 hours ago

I agree 100%. I have nearly all google domains blocked in my hosts file and was frustrated to find out google captcha was required on a few government websites. I understand rolling your own can be difficult or expensive but it's the government we're talking about here. They're no strangers to spending.

saiya-jin14 hours ago

Not only state... I see absolutely 0 reason for my swiss ebanking in the secured web interface to se google analytics and similar trackers. I can clearly see them being blocked by the likes of ublock origin and ghostery in my firefox. Why the f*k should google know where I go in such private matters (and there are tons more, ie if you are lgbtq+ in one of the many restrictive locations, have some less mainstream political preferences etc.). The data once acquired have no reason to be deleted, ever. Too juicy info, and 7 billion humans is not that large group to aspire to track.

I get why google et al want it for their growth/sales, but they are a private entity not owning internet in any way, extremely foreign to Europe with no clear friendly intentions. One of few times I can say I am proud to be living on old continent.

clairity14 hours ago

exactly, we need to decentralize power, and knowledge (information) is power. it seems innocuous when we each leak a little here and there, but surveillance tech is vacuuming up every tiny bit of it.

living in europe doesn't much matter, given the reach of these companies and their interweaving into government systems, along with reciprocal surveillance agreements (however-many-eyes countries).

strawhatguy11 hours ago

I understand the feeling, but that's not possible, and moreover, after reflection, why should it be so?

If government can literally fine/shutdown your business arbitrarily (as they do for lockdowns, permits, etc.), then they should have a voice in the government that could treat them so terribly.

Unless you mean to say that government should be so much smaller that it doesn't impose separate business taxes, import/export controls, require permitting and licensing and follow arbitrary regulations on those businesses, which I could get behind. Ideally, if there's no advantage or penalty to avoid by petitioning government, won't everyone stop paying attention to government? No gaming the game can happen then!

The problem is that we can't have it both ways, can't restrict a group from petitioning and then pose rules they MUST follow, without a say. That's not democracy at all.

Companies are just groups of individuals after all, and should have just as much voice as an activist group does, like ACLU or Americans for Tax Reform or whatever.

danielheath11 hours ago

The government of Italy makes rules that apply to Italians and those doing business with them.

If you’re Italian, you do have a say, and if you’re doing international business in Italy then you accept the sovereign risk of dealing with a foreign state.

clairity11 hours ago

you seem to be arguing from the corporate personhood stance. corporations still have an outsized voice via their rich owners. they shouldn't, however, be privileged with extra voice unaccorded the ordinary citizenry.

asasidh8 hours ago

this is the start of the unbundling of alphabet

reaperducer16 hours ago

The last time I checked, the Google Analytics' Terms of Service explicitly prohibited its use on web sites involving healthcare companies.

That gives you an indication of how invasive it is — that even Google doesn't want to handle the personal information, because it can't be made HIPAA-safe.

Naturally, the majority of healthcare web sites use Google Analytics, because nobody ever reads the Terms of Service.

paulcole16 hours ago

> The last time I checked, the Google Analytics' Terms of Service explicitly prohibited its use on web sites involving healthcare companies.

You're missing a key part of the sentence you're remembering:

> If you are (or become) a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.

Healthcare companies can absolutely use GA on their websites as long as the website isn't involving PHI or ePHI.

current_thing16 hours ago

ottime notizie. vietare google e monetizzare le bellissime spiagge, e mangiare pasta autentica.

ciarcode14 hours ago

I don’t think you’re really Italian ahahah

nonsapreiche14 hours ago

e w la fica

ciarcode14 hours ago

You do maybe

aliswe17 hours ago

What is a watchdog in this case, isn't it a non-governmental organization?

in that case how can they ban anything and what does that mean?

gruturo17 hours ago

This is an English translation from "Garante" which is actually a stronger word - more like Guarantor. It is an official authority with teeth.

etagate17 hours ago

Exactly. Just to clarify, this is the authority responsible for those multi-million dollars fines against faang

noneeeed17 hours ago

Certainly in UK English we use watchdog to mean any organisation that has an oversight role, frequently government ones. For example the Financial Services Authority might be described as “the banking watchdog”, it is very much a government agency.

chrisseaton17 hours ago

Why do you think watchdogs have to be non-governmental?

For example:

https://www.theguardian.com/technology/2022/may/05/uk-watchd...

x0x017 hours ago

It's likely a bad translation.

The Italian SA is the Italian Data Protection Agency (DPA), one of the per-country European regulators https://ec.europa.eu/justice/article-29/structure/data-prote... . Which acts under the GDPR and predecessor data protection laws, and is very explicitly a governmental regulator.

iLoveOncall16 hours ago

Those decisions are good in theory, but in practice they will kill the free web.

The only people that have the work power to put equivalent alternatives in place are the big corporations, that will anyway find a loophole.

I run my small blog, and I can't spend days or even weeks to setup a subpar analytics solution. I won't even start talking about self-hosting an analytics solution which would probably double my monthly server cost for a website on which I earn 0€.

In 2030, if we continue on that trend, websites will be in two categories: belonging to huge companies, or running illegally. It's baffling that people are applauding the end of the free web.

freeone300016 hours ago

Why does your small blog need an "analytics solution" in the first place, if you earn $0?

iLoveOncall16 hours ago

Because I want to know where my readers come from, which Google terms they searched, etc.? There's a million reasons to want to know stats like this without earning money...

progman3215 hours ago

As a user, I don't want to give this info. I'm glad the EU is giving folks an avenue to express this preference.

+2
iLoveOncall15 hours ago
stevoski15 hours ago

> which Google terms they searched, etc.

GA doesn't tell you which terms they searched. They mostly stopped doing this in 2013.

Google Search Console _does_ tell you the search terms, and without any tracking on your website.

Nextgrid10 hours ago

Honestly, at this stage the "free web" can fuck right off. The "free web" you speak of generates a lot of negative externalities everyone else has to put up with. If your "free" web needs to attack everyone with spyware for it to exist then it's not really "free".

> I run my small blog, and I can't spend days or even weeks to setup a subpar analytics solution.

tail -f /var/log/nginx/access.log

plandis14 hours ago

The US should economically retaliate.

GDPR and these other regulations in the EU exist because EU cannot stomach the fact that they got beat on tech and instead of innovating they are regulating to try and even the playing field.

Nextgrid10 hours ago

> the fact that they got beat on tech

What tech is the EU missing out on?

All the recent "tech" I see from the US is all about novel ways to screw & exploit people for profit, at the expense of turning society into a dangerous wasteland full of outrage and saturated by advertising.

No thanks.

gnuj314 hours ago

Hmmm, or maybe they exist because EU has a little bit more respect for privacy of its citizens than US?

olalonde16 hours ago

I wish GDPR compliance would have been opt-in. For example, a GDPR compliant website could have sent a custom header indicating compliance, which the browser could have displayed in the address bar (a bit like HTTPS). Consumers would then have been free make the decision to not use websites which aren't GDPR compliant. Consumers who are more concerned about privacy could have set their browser to automatically block any non GDPR compliant website.

closewith16 hours ago

Bizarre idea. Should websites be allowed to opt out of anti-fraud legislation? Anti-money laundering? Human rights protections?

nnq16 hours ago

Yes? ...this was the original dream of non-national cyberspace and we almost had a hope at getting it. Then the second chance with web3 but this was also spoiled by people getting too greedy and too nasty too fast.

A parallel anonymous-and-free-for-all-but-with-payments-included, smth. like Tor-but-powered-by-IPFSv9-and-Etherv7, will probably emerge in a couple decades done right after a couple failed iterations. Some techs need hardware to catch up to be cheap enough, and only after a few failed attempts they manage to grow a trend... and it will probably will last until it's used to finance a proper starting of WW3 and by then banning it will be too late.

Anyway, we'll enjoy the hell out of ourselves on the new patreons-but-for-snuff-p03n, so it will all have been worth it :)

Nextgrid10 hours ago

> Then the second chance with web3 but this was also spoiled by people getting too greedy and too nasty too fast.

Maybe the laws & regulations you complain about are actually necessary because otherwise people will keep being greedy & nasty and eventually outnumber honest people?

progman3216 hours ago

I believe your argument simply boils down to "laws shouldn't apply to people". Am I mistaken?

+1
nnq15 hours ago
peoplefromibiza13 hours ago

> this was the original dream of non-national cyberspace

cyberspace was about freeing the people and the flow of information between people, not the corporations that silo the data in their data centers for ptofit.

olalonde16 hours ago

No, just GDPR? I don't see any valid reason a user might want to "opt out" of anti-fraud legislation but I do see a reason why a user might want to access the non-GDPR web.

peoplefromibiza16 hours ago

How would you write such a law?

You can't make exceptions based on what's convenient for some business.

Why should GDPR be opt-in but not the consumer minimum 2-year guarantee against faulty products?

> ? I don't see any valid reason a user might want to "opt out" of anti-fraud legislation

To commit frauds, for example?

+1
olalonde16 hours ago
eulenteufel16 hours ago

The Venn diagramm of the websites that have a Cookie-Popup right now and the websites that would choose to not be GDPR-compliant is a circle.

This change would mean most website couldn't be used by privacy concious people anymore and that the websites in turn are free to track the sh*t out of everyone else. From my perspective that sounds a lot worse.

The web is a mandatory part of public live for most people by now and it's good and healthy that corporations get push back for not respecting privacy.

kmlx16 hours ago

> This change would mean most website couldn't be used by privacy concious people anymore

wouldn’t the market react?

Nextgrid10 hours ago

The market would only react if people were actually aware of the privacy violations. This is what the GDPR is trying to address by making data processing require informed consent.

The vast majority of people (some even on HN) have absolutely no clue how advanced the stalking actually is. You hear every so often these anecdotes about people suspecting Facebook of listening to them; it's actually more creepy that the tracking is advanced enough to successfully infer conversations without actually listening in.

eropple16 hours ago

> Consumers who are more concerned about privacy could have set their browser to automatically block any non GDPR compliant website.

It may not be your intent, but defaults matter and what you're wishing for here is de-facto scuttling of the GDPR.

olalonde16 hours ago

Are you implying that the vast majority of consumers aren't concerned with their privacy and would keep using GDPR-compliant websites? If that's the case, isn't the regulation somewhat against the spirit of democracy?

peoplefromibiza16 hours ago

> Are you implying that the vast majority of consumers aren't concerned with their privacy and would keep using GDPR-compliant websites?

False premise.

Users simply aren't aware, but once they learn about it, they become concerned,

> If that's the case, isn't the regulation somewhat against the spirit of democracy?

That's a really weird argument.

Anyway, that's not the case.

la6471016 hours ago

This kind of ridiculous laws do not understand the boundless nature of internet. If you want to protect privacy of netizens simply make a universal law instead of having different laws in different countries.

adfm15 hours ago

Since the Internet is not a fiefdom, universal law is moot. Nation states will draft tracking laws that are only only enforceable through tracking in an attempt to gain their slice of authoritarian pie. Pointing to the Google or US is typical strawman BS and gives people a false sense of security because they should assume everyone, not just the Google, is tracking them. Getting people to own their data is an uphill climb, but is ultimately what will curb the negative behavior we're witnessing.

tgv16 hours ago

I’m afraid it does understand the boundless nature of the internet, and it wants the owner of the server to do something about it.

pessimizer15 hours ago

Other countries may not want to protect privacy at all. Italians are making rules to protect Italians.

IncRnd16 hours ago

How does one "simply make a universal law"?