@mattab opened this Issue on March 27th 2011 Member

Proposal for a consolidated User Privacy plugin

  • Move AnonymizeIP functionality to this new plugin
  • Allow changing the number of IP bytes to remove in the UI. A radio button allows removing 1, 2 or 3 bytes of the IP.
    • for backward compatibility, if the config setting is found and the UI wasn't used yet (i.e. no setting found in the _option table), then we can use the config file setting. This is similar behavior to "General Settings" options.
    • Currently the IP is cleared just before recording the data in the log table. #2095 proposes that the IP should be cleaned as early as possible in the process, to ensure no other plugin etc. could use the full IP.
  • The UI allows enabling "Do not record Referer information". While I personally don't like this recommendation, we could offer it as it was recommended by a German privacy group. When enabled, and the setting is stored in the _option table (and cached in the tmp/cache/tracker/general.php file), then the parameters urlref and _ref in the piwik.php GET request will be cleared at the start of the Tracker process, to ensure no plugin or process can use / record the referers.
    • When clicked to enable, the Referers plugin would also be disabled.
  • The Opt out plugin feature would be moved to this plugin as well.
  • These settings/features would all be available under the new Admin menu called "User privacy"

@peterbo commented on March 28th 2011 Contributor

The consolidation of the privacy plugins within the User Privacy plugin is a good solution for consistency in the UI.

Should the cookie lifetime also be editable here or will that remain a tracker method from 1.2 upwards?

I also don't like the referer not being tracked. Web analytics is somehow losing its intended purpose here. I think it will be enough to work on it with low priority.

@robocoder commented on March 28th 2011 Contributor

We can set the third party cookie expiry in the UI. The tracking code generator could use this value.

@mattab commented on March 28th 2011 Member

I think we don't even have to implement the Referer hiding; nobody will use it.

The cookie lifetime is a task for the ticket #1845

See also Privacy & Web Analytics

@mattab commented on April 28th 2011 Member

See also: customize some specific CSS of opt out frame: #1929

@robocoder commented on May 3rd 2011 Contributor

The IP anonymization could also be by netmask or CIDR notation. May offer separate masks for IPv6 vs IPv4.

@anonymous-matomo-user commented on May 4th 2011

I mentioned this on Twitter so I thought I should elaborate a bit more. In IPv6, IP anonymization is not achieved by stripping the last byte of the IP address; anything in the second 64 bits of the address can be device-specific (i.e. used to identify a specific MAC address, see http://www.ietf.org/rfc/rfc3041.txt for problem statement and current solution).

In fact there is currently no definitive way of obtaining this privacy because most ISPs and DSL providers have not announced their rollout plans yet.

It might be sufficient to strip the last 4 tuples of the IP address (i.e. only retain 64 of the 128 bits that an IPv6 address has), but it might even happen that this is not enough. OTOH, stripping all but the first 48 bits is maybe better.

This insecurity is why a configurable netmask/CIDR is probably the best idea for the AnonymizeIP plugin in v6.
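
The netmask/CIDR masking discussed in the two comments above, as an added example (not part of the thread and not Piwik's code): each address family gets its own prefix length, and the constructed IPv6 sample shows why dropping only the last byte leaves a MAC-derived interface identifier almost intact. The names `anonymize_ip`, `interface_id` and `DEFAULT_KEEP_BITS`, the default prefix lengths and the sample addresses are assumptions made for the illustration.

```python
import ipaddress

# Assumed defaults for this example (not Piwik settings): keep 24 bits of an
# IPv4 address (drops the last byte) and 48 bits of an IPv6 address.
DEFAULT_KEEP_BITS = {4: 24, 6: 48}


def anonymize_ip(raw, keep_bits=None):
    """Zero every bit after the configured prefix length; return the address."""
    keep = {**DEFAULT_KEEP_BITS, **(keep_bits or {})}
    addr = ipaddress.ip_address(raw.strip())
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is a v4 client: mask as IPv4,
    # otherwise the IPv6 prefix would be applied to the wrong bits.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = keep[addr.version]
    if not 0 <= prefix <= addr.max_prefixlen:
        raise ValueError("prefix /%d invalid for IPv%d" % (prefix, addr.version))
    network = ipaddress.ip_network("%s/%d" % (addr, prefix), strict=False)
    return str(network.network_address)


def interface_id(raw):
    """Low 64 bits of an IPv6 address, the part that can be device-specific."""
    return int(ipaddress.IPv6Address(raw)) & ((1 << 64) - 1)


# Constructed sample: documentation prefix 2001:db8::/32 plus an interface
# identifier derived (EUI-64 style) from the made-up MAC 00:11:22:33:44:55.
SAMPLE_V6 = "2001:db8:1234:5678:211:22ff:fe33:4455"
SAMPLE_V4 = "203.0.113.77"  # constructed, documentation range

if __name__ == "__main__":
    for bits in (120, 64, 48):  # 120 = "strip the last byte" applied to IPv6
        masked = anonymize_ip(SAMPLE_V6, {6: bits})
        print("/%-3d %-40s interface id left: %016x"
              % (bits, masked, interface_id(masked)))
    print(anonymize_ip(SAMPLE_V4), anonymize_ip("::ffff:" + SAMPLE_V4))
```

Because the mask is applied when the address is parsed, the function can run at the start of request handling, so later code never sees the full address.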

@peterbo commented on June 3rd 2011 Contributor

(In [4856]) PrivacyManager / Delete old statistics from database; Refs #2233, #53, #5

@mattab commented on June 4th 2011 Member

(In [4861]) Fixes #2233, Refs #5425

  • enable new plugin on upgrade
  • Display message "your changes have been saved"
  • fix link redirect without idSite by using smarty function {url ...}

@peterbo commented on June 4th 2011 Contributor

(In [4868]) Refs #2233, #53, #5

  • tweaking / optimizing / commenting

@anonymous-matomo-user commented on June 26th 2011

For clarification, does this plugin replace the functionality of the DoNotTrack plugin from ticket #2048?

Reading through the ticket info is unclear.

Uncertainty about Piwik compliance with recent DoNotTrack legislation is stopping us from using it on our new Aeolus Project website. Having this clearly understandable for people, i.e. which plugin to use, and is it sufficient, would be really useful. :) (maybe an item in the FAQ?)

@robocoder commented on June 26th 2011 Contributor

Justin: in Piwik 1.5, the Privacy plugin does not replace the DoNotTrack plugin because DoNotTrack is not part of the core distribution; it runs independently, so if you want that functionality, just install the DoNotTrack plugin.

@peterbo commented on February 7th 2012 Contributor

(In [5772]) Refs #2233, #2095, #2902 - set ip_address_mask_length and ip_address_pre_mask_length on anonymizeIP-plugin activation. Synchronize both variables on PrivacyManager call.

This Issue was closed on February 7th 2012