The goal of this issue is to expose a Privacy challenge in Piwik, regarding the ability to spy on users tracked in Piwik over time.
The unique visitor ID is a 16-character hexadecimal string. Every unique visitor is assigned a different ID, and this ID does not change once it has been assigned.
The Visitor ID is stored in the Piwik database in the field
When tracking a new user, Piwik computes a fingerprint hash for this user. The hash is built from a list of user attributes such as IP address, screen resolution, browser plugins used, etc. (this is done in the method getConfigHash). The fingerprint hash is used by the Piwik Tracking API to try to record the actions in the correct user visit. The fingerprint hash is used when the Visitor ID (in the first party cookie) was not found (otherwise, by default, the Visitor ID is used).
Notes about how the fingerprint hash is created:
The fingerprint hash is stored in the Piwik database in the field
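As an added illustration (not Piwik's own code), the following Python models a fingerprint hash over stable attributes like those listed above and shows why an unsalted hash lets anyone holding the database link one device's visits across days, whereas a salt rotated per day breaks that link. The attribute set, the SHA-1 truncation to 16 hex characters, the server secret and the daily-salt mitigation are all assumptions made for this example, not Piwik's implementation.

```python
import hashlib
from datetime import date

SECRET = b"constructed-server-secret"  # assumption: a server-side secret, not a Piwik setting

# Constructed sample visits: the same device on two days, plus a second device.
VISITS = [
    {"day": date(2014, 9, 1), "ip": "203.0.113.7", "res": "1920x1080", "plugins": "pdf,flash", "ua": "Firefox/31"},
    {"day": date(2014, 9, 2), "ip": "203.0.113.7", "res": "1920x1080", "plugins": "pdf,flash", "ua": "Firefox/31"},
    {"day": date(2014, 9, 2), "ip": "198.51.100.4", "res": "1366x768", "plugins": "pdf", "ua": "Chrome/37"},
]

def config_hash(visit, salt=b""):
    # Hypothetical stand-in for getConfigHash: hash the stable attributes and
    # truncate to 16 hex characters, the same length as the visitor ID.
    material = "|".join(visit[k] for k in ("ip", "res", "plugins", "ua")).encode()
    return hashlib.sha1(salt + material).hexdigest()[:16]

def static_salt(day):
    # No salt: identical attributes always produce the identical hash.
    return b""

def daily_salt(day):
    # Salt derived from the secret and the calendar day, so the same attributes
    # hash to an unrelated value on each day (assumed mitigation, not Piwik's).
    return hashlib.sha256(SECRET + day.isoformat().encode()).digest()

def link_visits(visits, salt_fn):
    # Group visits by fingerprint, as someone holding the database could do.
    groups = {}
    for v in visits:
        groups.setdefault(config_hash(v, salt_fn(v["day"])), []).append(v["day"])
    return groups

def longest_chain(visits, salt_fn):
    # Number of distinct days the most linkable fingerprint can be followed across.
    return max(len(set(days)) for days in link_visits(visits, salt_fn).values())

if __name__ == "__main__":
    print("unsalted: device followed across", longest_chain(VISITS, static_salt), "days")
    print("daily salt: device followed across", longest_chain(VISITS, daily_salt), "days")
```

Note that this only concerns the fingerprint path: when the first party cookie is present, the persistent Visitor ID links visits regardless of how the fingerprint is salted.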
Imagine, for example, that a Piwik database is seized by ex-colleagues of Edward Snowden (spies) who would like to use the Piwik data to spy on the users who were tracked in Piwik.
When seizing a Piwik Database:
Since our goal is to improve the Privacy by default for users being tracked in Piwik (#6160), we wanted to explain how this works.
Note that to improve Privacy in your Piwik server and prevent long term surveillance of users via the Piwik database, you can already do the following:
To help limit surveillance we should work on: #5907
Maybe there isn't much more we can do but feel free to leave a comment if you have suggestions.
I've documented in detail how the visitor recognition works here and in this FAQ: How does Piwik detect unique and returning visitors? (with User ID, Visitor ID from cookie and/or fingerprint)
Our privacy guidelines are documented in: https://piwik.org/docs/privacy/
For any further request or comment, please comment here or create a new issue.
See also our Privacy label for issues: https://github.com/piwik/piwik/labels/c%3A%20Privacy