
Enable IP anonymisation by default, let users disable anonymisation during Piwik installation #5052

Closed
mattab opened this issue Apr 28, 2014 · 17 comments
Labels: c: Privacy (for issues that impact or improve privacy), Enhancement (for new feature suggestions that enhance Matomo's capabilities or add a new report, new API etc.), Major (the severity, impact or benefit of the issue is much higher than normal but not critical)

Comments

mattab (Member) commented Apr 28, 2014

The goal of this ticket is to help Piwik users ensure they comply with advanced Privacy legislation by default, while giving them a chance to disable advanced privacy features, in this case: IP anonymisation.

Steps:

  • Add a new message and checkbox on the last step of the installer. Proposed message:
    When users visit your website, Piwik will not use the full IP Address (such as $IP) but instead Piwik will anonymise it first (to $IP_ANON). IP address anonymisation is one of the requirements set by the law in some countries such as Germany.
    [x] Anonymise IP addresses of users in Piwik (better privacy)

Reasoning to enable by default:

  • More countries are working to implement stronger privacy laws around data usage and storage. One key requirement to be compliant is that the IP must be anonymised to prevent the Piwik administrator from finding out the unique visitors and where they connected from.
  • Piwik aims to provide state-of-the-art privacy settings: Privacy & Analytics. We have a chance to show leadership in collecting less information about individual users.
  • We've participated in online rallies against mass surveillance and promoted the importance of privacy.
  • It was suggested by the FSF during their review of ethics around privacy.
  • It is important to help our users, many of whom are German, to be compliant with their local privacy laws.

Please comment with any feedback, suggestion or question.

mattab (Member, Author) commented Jun 16, 2014

Also this was requested by FSF as part of making Piwik a GNU package: #5276

  • Could you make IP address anonymisation the default? Protecting users' privacy is an important responsibility.

Also:

@mattab mattab added this to the 2.5.0 - Piwik 2.5.0 milestone Jul 8, 2014
@mattab mattab modified the milestones: Piwik 2.5.0, Short term Aug 3, 2014
@mattab mattab modified the milestones: Piwik 2.9.0, Short term Oct 22, 2014
@mattab mattab removed the "Help wanted" label Oct 22, 2014

mattab (Member, Author) commented Oct 31, 2014

See also Let users deactivate DoNotTrack feature during installation #6566

@mnapoli mnapoli self-assigned this Nov 2, 2014
mnapoli (Contributor) commented Nov 2, 2014

Could we maybe also explain whether this has any impact on some features (like geolocation, user tracking)?

For example, I'm not familiar enough with every feature of Piwik and that's information I would like to have: I would be OK to leave this option enabled, but I would need to know the tradeoffs.

mnapoli (Contributor) commented Nov 2, 2014

@mattab I wasn't sure where to put the form honestly. I gave it a go, any feedback?

[screenshot 2014-11-03 at 11:44:01]

I'm planning to add #6566 afterwards.

mnapoli added a commit that referenced this issue Nov 2, 2014
mattab (Member, Author) commented Nov 2, 2014

Nice!

Feedback:

  • If the user reloads the "Congratulations" page then the IP anonymiser will not be enabled and it will load the dashboard. Somehow it's important that we enable it by default and let the user deactivate it. So maybe you can activate it in the background of the JavaScript Tracking Code step, and then let the user deactivate it.
  • Make the default anonymisation two bytes instead of one (A.B.0.0).
  • Maybe the border around settings can be removed.
  • "set by the law" -> "set by the privacy laws"
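To make the one-byte versus two-byte masking concrete, here is an added Python illustration (not Piwik's IPAnonymizer code) of zeroing the last N bytes of an IPv4 address and rendering the installer sentence proposed in the first comment. The visitor address 203.0.113.77 is constructed from the documentation range; Piwik's own IPv6 handling is not modelled.

```python
import ipaddress
from string import Template

# Proposed installer text from the ticket, with its $IP / $IP_ANON placeholders.
INSTALLER_MESSAGE = Template(
    "When users visit your website, Piwik will not use the full IP Address "
    "(such as $IP) but instead Piwik will anonymise it first (to $IP_ANON)."
)


def anonymize_ipv4(ip: str, mask_length: int) -> str:
    """Zero the last `mask_length` bytes of an IPv4 address.

    mask_length=1 gives A.B.C.0 (the pre-2.9 default discussed in the thread),
    mask_length=2 gives A.B.0.0 (the default asked for in the feedback above).
    """
    if not 0 <= mask_length <= 4:
        raise ValueError("mask_length must be between 0 and 4 bytes")
    packed = bytearray(ipaddress.IPv4Address(ip).packed)  # raises on a malformed address
    for i in range(4 - mask_length, 4):
        packed[i] = 0
    return str(ipaddress.IPv4Address(bytes(packed)))


def installer_message(visitor_ip: str, mask_length: int) -> str:
    """Render the proposed installer sentence for the visitor's own address."""
    return INSTALLER_MESSAGE.substitute(
        IP=visitor_ip, IP_ANON=anonymize_ipv4(visitor_ip, mask_length)
    )


if __name__ == "__main__":
    # 203.0.113.77 is a constructed documentation address (TEST-NET-3).
    for n in (1, 2):
        print(f"{n} byte(s): {anonymize_ipv4('203.0.113.77', n)}")
    print(installer_message("203.0.113.77", 2))
```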

mnapoli (Contributor) commented Nov 3, 2014

if the user reloads the "Congratulations" page then the IP anonymiser will not be enabled

Actually the anonymizer is enabled when the page is shown. Then the form is optional: if you submit it, what you checked gets saved. If you don't, the default was already applied.

maybe the border around settings can be removed

That's how forms are rendered. I took the other steps of the installation as an example to build the form; I have no idea how to customize it, especially since the form library is an old PEAR library and I couldn't find any decent doc online (no docs either on developer.piwik.org). Anyway, maybe it's not so bad because I'll be adding #6566 and we'll have several checkboxes, so borders make sense.

mnapoli (Contributor) commented Nov 3, 2014

make the default anonymisation two bytes instead of one (A.B.0.0)

By default today it's 1 byte. Should I change the default in the class? Or should I manually set 2 bytes in the installation?

I'm afraid that:

  • if I change the default in the class, will it affect previous installs that haven't changed the default value?
  • if I don't change the default in the class, then that's completely messy: the default setting value will be 1, but actually the installation process overrides it by storing in the database a new default value of "2" (for every new Piwik install)

I'd rather go with changing the default value in the Config class TBH.

mnapoli (Contributor) commented Nov 3, 2014

OK so actually I think we need to discuss this further and find a consistent solution with #6566

Here is the default config in the code:

namespace Piwik\Plugins\PrivacyManager;

class Config
{
    // setting name => type and class default (the default applies when nothing is stored)
    private $properties = array(
        'doNotTrackEnabled'         => array('type' => 'boolean', 'default' => true),
        'ipAnonymizerEnabled'       => array('type' => 'boolean', 'default' => false),
        'ipAddressMaskLength'       => array('type' => 'integer', 'default' => 1),
    );
}

  • do not track is enabled
  • ip anonymization is disabled
  • ip anonymization mask length is 1

Currently in my branch I manually enable "ip anonymization" in the controller (during the installation), which will store true in the database, thus overriding the class default. I think it's useless to do that if we can simply change the default value in the class. Same for the mask length.

I should only store the setting value in database if it differs from the default PHP value (I'm talking only about the install steps).

What do you think?

mattab (Member, Author) commented Nov 3, 2014

Actually the anonymizer is enabled when the page is shown.

sounds good!

Anyway maybe it's not so bad because I'll be adding #6566 and we'll have several checkbox so borders make sense.

+1

will it affect previous installs that haven't changed the default value?

I don't think it would as we 'should' have stored the number of bytes.

By default today it's 1 byte. Should I change the default in the class?

+1 - created an issue so it's notified in changelog #6579

mattab (Member, Author) commented Nov 3, 2014

I think it's useless to do that if we can simply change the default value in the class. Same for the mask length.

Sure, changing default is better.

There is this requirement:

  • new default privacy settings should affect only new installations of Piwik
  • existing installations that use IP anon or DNT (or don't use it) should not be affected by upgrading to 2.9.0 (especially, we shouldn't enable IP anonymisation and DNT if the user had it disabled before the upgrade)

mnapoli (Contributor) commented Nov 3, 2014

So is it OK to change the default values in the Config class then?

mattab (Member, Author) commented Nov 3, 2014

I guess so, but I haven't tested, so I can't confirm.

mnapoli (Contributor) commented Nov 3, 2014

I have tested with a new account: no value is stored in the database (so the default options are used from the config files). If I change the settings of the user, then the settings are stored in the database afterwards.

So if we change the class default values:

  • users that have modified the preferences will not see changes
  • users that haven't modified the privacy preferences will see changes, e.g. IP anonymization will be enabled in 2.9 whereas it wasn't in 2.8

So I guess that we can't use that solution…

mattab (Member, Author) commented Nov 3, 2014

I propose that you change the default and then add an Upgrade file for 2.9.0 that will disable IPAnon if it was "unset". So that for users who upgrade and never changed it, we keep their old settings (no IP anonymisation).

mnapoli (Contributor) commented Nov 3, 2014

OK, I think we have 3 options:

  • change the default value, and users that haven't enabled IP anonymization will have it enabled in 2.9: bad per the requirements
  • leave the default value "disabled", and enable it in the installation process: bad IMO, what is the point of a default value if it is overridden by a different default in every new install… This will be confusing as hell, especially when we forget about this ticket and wonder why it works that way. And is it possible to install Piwik without going through the web installation process? Then IP anonymization will be disabled by default…
  • in the 2.9 upgrade we set "IP anonymization" as "disabled" when it is not configured, and we change the default value as "enabled". That way old installs will keep working the same, and new installs will use the new default value ("enabled"). A bit better, but requires a migration.

By the way the last solution is just a patch up and doesn't prevent the whole thing from happening again, or happening for other settings too…
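The three options above, reduced to a small added Python model (not Piwik code) of how a setting is resolved: only explicitly saved values live in the database, everything else falls back to the class default, as mnapoli's test describes. The migration pins the pre-2.9 default for unset keys on upgrade; applying it to the mask length as well as the enabled flag is this example's assumption, and the dicts standing in for the database are constructed.

```python
# Pre-2.9 and proposed 2.9 class defaults, as quoted in the thread.
OLD_DEFAULTS = {"doNotTrackEnabled": True, "ipAnonymizerEnabled": False, "ipAddressMaskLength": 1}
NEW_DEFAULTS = {"doNotTrackEnabled": True, "ipAnonymizerEnabled": True, "ipAddressMaskLength": 2}

# Keys the 2.9 migration pins (assumption: the thread only names IP anonymisation).
MIGRATED_KEYS = ("ipAnonymizerEnabled", "ipAddressMaskLength")


def effective_settings(stored: dict, defaults: dict) -> dict:
    """Only explicitly saved values are in the database; anything else uses the class default."""
    return {key: stored.get(key, default) for key, default in defaults.items()}


def upgrade_to_2_9(stored: dict) -> dict:
    """Option 3: before the class default changes, write the OLD default for every
    migrated key that was never stored, so existing installs keep their behaviour."""
    migrated = dict(stored)
    for key in MIGRATED_KEYS:
        migrated.setdefault(key, OLD_DEFAULTS[key])
    return migrated


def ip_anon_after_upgrade(stored: dict, migrate: bool) -> tuple:
    """(enabled, mask_length) seen by an install running the 2.9 defaults,
    with the migration (option 3) or without it (option 1)."""
    db = upgrade_to_2_9(stored) if migrate else stored
    settings = effective_settings(db, NEW_DEFAULTS)
    return settings["ipAnonymizerEnabled"], settings["ipAddressMaskLength"]


if __name__ == "__main__":
    untouched = {}                             # never visited the privacy settings under 2.8
    opted_in = {"ipAnonymizerEnabled": True}   # enabled IP anonymisation under 2.8
    print("option 1, untouched:", ip_anon_after_upgrade(untouched, migrate=False))  # (True, 2): flips on
    print("option 3, untouched:", ip_anon_after_upgrade(untouched, migrate=True))   # (False, 1): unchanged
    print("option 3, opted in: ", ip_anon_after_upgrade(opted_in, migrate=True))    # (True, 1): unchanged
    # A fresh 2.9 install never runs the migration, so it gets the new defaults.
    print("fresh 2.9 install:  ", ip_anon_after_upgrade({}, migrate=False))        # (True, 2)
```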

mnapoli (Contributor) commented Nov 3, 2014

Ha, missed your comment! OK, so that's the solution I prefer too!

@mnapoli mnapoli changed the title Enable IP anonimisation by default, let users disable anonymisation during Piwik installation Enable IP anonymisation by default, let users disable anonymisation during Piwik installation Nov 3, 2014
mnapoli added a commit that referenced this issue Nov 3, 2014
…vious Piwik installs, a migration script disable it on upgrade to 2.9.
mnapoli added a commit that referenced this issue Nov 3, 2014
…an enrich

The PrivacyManager plugin adds 2 settings to that form to let users disable (enabled by default) DoNotTrack and IP anonymization
@mattab mattab closed this as completed Nov 3, 2014
mattab (Member, Author) commented Nov 3, 2014

👍

see also #6160
