@spackmat opened this Issue on September 5th 2017

Hi,

we as a public german university have a problem with the behavior of Piwik regarding DoNotTrack.

At the moment, if you configure Piwik to respect the DNT-header, visitors sending a DNT-header won't be counted at all (unless they come with IE, but that's another weird problem, see #9987). In my interpretation of the DNT-specification, a submitted DNT-header means, that a user doesn't want to be tracked, i.e. he/she doesn't want to get a cookie set (or any other method like fingerprinting) to be recognized as the same user on following visits. Or even within his particular visit, when it's interpreted strictly. This says nothing about counting his/her pageviews anonymized. It is called DoNotTrack, not DoNotCount.

So Piwik should count those visitors, but not track them, if the respect-DNT-setting is activated.

On my personal blog, I did some tests in 2014 and at this time, activating DNT in Piwik resulted in only about half counted visitors (from 100-150 visitors per day to 50-100 with DNT-feature activated). On other sites, I administrate, the impact was lower, but around 20% loss in counted visitors was standard then.

For our data protection commissioner it seems to be okay, if we then don't respect DNT at all, so we'll likely deactivate this feature. But this is a shame, since we want to respect the decision of our visitors, that they don't want to be tracked between their visits. But we also want reliable statistics.

I appreciate your comments on this.

Greets,
spackmat

@sgiehl commented on September 10th 2017 Member

Interesting point of view. For sure we could change implementation to count those visitors. But we would need to do some kind of "internal" fingerprinting, as otherwise each page view would be counted as new visit. Would be almost the same as for those not accepting cookies.
I don't see any useful possibility of counting DNT users without any kind of fingerprinting. That would mess up most numbers.

@spackmat commented on September 11th 2017

I see, then what about tracking within a session/visit with a session cookie, but not over several sessions? This respects DNT in a broader sense and is better than not respecting DNT at all to not lose the pageview-counts?

Our data protection commissioner wrote now, that from his point of view, we (and any other public german institution) cannot deactivate the "respect DNT" feature, if this means, that Piwik will create a profile for users with active DNT. I'll ask him, if it would be okay, when Piwik would only build intra-session profiles to distinguish visits from single page views.

@mattab commented on September 11th 2017 Member

Interesting idea to track anonymously the users. To ensure we track people anonymously we would need to take several steps:

  • no fingerprinting
  • no possibility to track a same person's visits across days (each visit needs to get a new idvisitor)
  • no storing of IP address at all (not even anonimised)
  • no geolocation (not even on the anonimised IP address)
  • no storing of personal data such as User ID
  • how do we restrict storage of personal data in Custom Dimensions or custom variables... possibly we need to discard all custom dimensions values?
  • and possibly more
@spackmat commented on September 11th 2017

@mattab that would be cool, since we only want to have reliable data about how our website is used and what pages are visited. we don't have any interest in (and strict laws against) profiling users. Geolocation on a per-country-basis is also sufficient for this usecase, no geolocation at all iss too strict, because then we shouldn't record any data enabling to fingerprint a user. This goes too far.

But this goes at all way far above my feature request to at least count users with DNT enabled. :) What technology is used by our users, how many come, where do they come from, which pages do they visit and which paths do they follow is all we want to know.

@mattab commented on September 18th 2017 Member

But this goes at all way far above my feature request to at least count users with DNT enabled. :)

The thing is that we can't just start tracking users with DNT without considering everything related to privacy. So we must go through the complex process of identifying everything that could lead to profiling users and remove the information, when DNT is enabled.

@bfg1981 commented on March 25th 2018

Chiming in on this, this is exactly the behavior I'm looking for. We aim to minimize user tracking while providing useful feedback for understanding how our sites are used, while respecting DNT.

Our choice to go with Piwik in the first place was based on a desire to have some reliable data on behavior while avoiding to give away data to Google analytics and friends. For our site we have >98% with DNT enabled at this point. In this situation we have a choice between enabling DNT-support, which we very much desire to do, or having almost no data at all.

@labolanimichele commented on September 3rd 2018

Hello,

I would like to follow up on this. We are currently using Matomo to track our users, and are considering soon moving to some of the Premium features in order to gain better customer and products insights.
However, it is today not 100% clear to us whether the anonymous tracking is in place or not:
I did some testing with my user (with doNotTrack ON, and it seems to me nothing gets recorded, not even anonymous counts).
@mattab would you have an update on this?

Thank you,
Michele

@sandeep1995 commented on October 3rd 2018

@mattab Do you have any update on this?

@mattab commented on October 3rd 2018 Member

Hi @sandeep1995 @labolanimichele,
we don't have any update and it's not one of our top priorities. Someone else could volunteer maybe, or simply disable DoNotTrack feature in the "Privacy > Opt-out" page.

@ampaze commented on June 6th 2019

May I ask why this not prioritized more?

Until a few minutes ago I too thought, that DNT means do not track, and not do not count at all. Nowhere is this mentioned in the admin page.

Would the following be sufficient to count the view but not track the user? (With DoNotTrack disabled in the Admin panel)

var dnt = (navigator.doNotTrack === "yes" || navigator.doNotTrack === "1" || navigator.msDoNotTrack === "1" || window.doNotTrack === "1");
if (dnt) {
_paq.push(["deleteCookies"]);
}
_paq.push(['trackPageView']);
@tsteur commented on June 6th 2019 Member

It would still track the user. There is no possibility to only increase a counter without tracking the user.

@ampaze commented on June 6th 2019

How would it track the user without the cookie? I got this from https://matomo.org/faq/how-to/#faq_187 which says

deletes existing tracking cookies to start the new visit

@Findus23 commented on June 6th 2019 Member

@ampaze You are still storing data of the visitor and depending on your definition this is tracking.
And without cookie you can also store personal data (e.g. with custom dimensions or the user id) which (at least in the EU) requires a minimum of a way to opt out.

And personally I consider a "Do Not Track" just like a click in the opt-out iFrame as a way of telling me that they don't want their data be store in any way.

@ampaze commented on June 6th 2019

@Findus23 Thanks for your answer. This is probably very debatable, but the fact that someone visited my site, is not really their data. I always thought of tracking as to follow someone between multiple pages or sites, even the do not track header itself was invented to stop ad companies from building a profile by following your around. Not to stop logging a visit.

@ampaze commented on June 7th 2019

When using the definition of tracking as per Wikipedia

Tracking is the collection of data regarding a particular user's activity across multiple distinct contexts and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.

would my code snippet from above fit the bill? Meaning not track the user (across different pages) but still count the visit.
(For instance, would fingerprinting still recognize the user?)

@tsteur commented on June 7th 2019 Member

I would say if you go after this definition (which I think is a good definition and probably what they meant by DoNotTrack), then Matomo would never really track users across different sites.

If you don't want to track across different pages this would likely not work by just deleting the cookies I would say. You would probably also enable trust_visitors_cookies = 1 setting in config see https://matomo.org/faq/how-to/faq_175/ . You would probably end up having one visit per page view.

Note: I didn't test it so that's still up to you.

Powered by GitHub Issue Mirror