Only block analytics subdomain for Coveo to prevent search pages loading issues

[larosek]

Domain(s) to review. Separate them by comma.

coveo.com

Rationale for removing, adding, or recategorizing.

Search pages loading is broken

Where domain(s) observed. Separate them by comma.

No response

Additional notes

Hi Coveo is a service provider offering search tools to its customers. We capture analytics data in order to help our platform enhance the search results we provide to our customers. All the data we capture is unique to each customers, we don't share any analytics data between customers.

We also respects users' privacy preferences. When a user opts out of tracking or sends a do not track header with their requests, we won’t collect any analytics data. Our documentation about data tracking can be found here.

Adding the apex domain coveo.com directly in your list is currently breaking some of our customers search pages, preventing them from loading properly. An example can be found here with one of our demo environment. The page does not load because static.cloud.coveo.com is being blocked

To address this, we provide distinct analytics domain to help services such as disconnect.me to properly block any analytics while keeping the functionality of our service intact. These are the subdomains that we use :

• <organizationId>.analytics.org.coveo.com
• <organizationId>.analytics.orghipaa.coveo.com
• analytics.cloud.coveo.com
• analytics-eu.cloud.coveo.com
• analytics-au.cloud.coveo.com
• analytics-ca.cloud.coveo.com
• analyticshipaa.cloud.coveo.com
• usageanalytics.coveo.com (being deprecated by Dec 9 2024)
• usageanalyticshipaa.cloud.coveo.com (being deprecated by Dec 9 2024)

Would it be possible to add only these subdomains to your block list? Thank you

[spirillen]

Adding the apex domain coveo.com directly in your list is currently breaking some of our customers search pages, preventing them from loading properly.

Then the site is written very purely and should be considered as broken by webmaster...

[disconnectme]

Thank you for bringing this to our attention. This issue is under review.

Our technical and policy review determined that certain Coveo subdomains do meet our definition of Tracking (See https://disconnect.me/trackerprotection).

Would you be willing to make the following statement in your privacy policy or other public facing data policy and resolve any inconsistencies with current statements: “Nothing in this policy contradicts the following statement: Except for subdomains [LIST OF ALL TRACKING SUBDOMAINS], Coveo’s domain coveo.com does not collect, retain or share any data regarding a particular user or device (including IP addresses and user identifiers) on sites or apps not owned by Coveo.”

Please note, in the event coveo.com is eventually removed from our Services list and replaced by sub-domains, this does not guarantee that this domain will not be included in any other of our lists, or necessarily determine how our upstream partners choose to integrate our lists.

[larosek]

Thank you for taking the time to review our issue. I asked our legal team to look into this request and will get back to you.

In the mean time, would it be possible to have the list of identified domains/sub-domains?

[larosek]

Quick update, I talked with our legal team yesterday. They will come back with an answer very soon.

@spirillen asked us a question in another repo. My colleague posted a detailed list of what endpoints are used for what here.

Like my colleague said in that comment, we really want to be transparent in all of this. I forgot to include our dev and staging endpoints in my request above, sorry for that. He is also adding other endpoints our marketing team are using that I was not aware of.

[Mblanchetdeverly]

@disconnectme We understand that you have determined that certain Coveo subdomains meet your definition of Tracking and have therefore decided to block the entire coveo.com domain.

While we recognize the mission and purpose of your list and your concerns, we believe blocking the entire coveo.com domain also restricts legitimate activities by Coveo that do not fall under your definition of tracking. Coveo’s SaaS platform handles the on-site search for thousands of third party websites (see description below). By blocking the entire coveo.com top-level domain, the main search functionality on all of these sites is fully disabled, including well-known, high-traffic eCommerce sites. We are willing to cooperate and would consider including a statement in our privacy policy as you suggested, but we ask that you first review Coveo’s activities conducted under the coveo.com domain. Based on this review, we would kindly ask that you:

• Remove the coveo.com top-level domain from your deny-list.
• Inform us which of our subdomains, if any, still meet your tracking definition and limit your deny-list to those subdomains.

Coveo’s activities:

1. Activities on our corporate website www.coveo.com, where we collect and process information exclusively for our own purposes, mainly marketing activities. For these activities we:

• Comply with all applicable privacy laws and require users to transparently and explicitly opt in to data collection and retention, or provide them with an option to opt-out, depending on the applicable law in their jurisdiction.
• Respect users’ Do Not Track (DNT) or Global Privacy Control (“Sec-GPC”) preferences
• Do not use, to our knowledge, our corporate website to collect, retain or share any data regarding a particular user or device on sites or apps not owned by Coveo.

2. Activities related to Coveo’s search and relevance platform offered to customers. In this scenario, our customers have access to our SaaS platform and implement a search user interface on their own web properties. Two main components are at play:

• The search interface, which allows users to search content from multiple sources simultaneously, providing a single, unified search experience. The search component is a crucial part of Coveo’s offering and operates independently of tracking or analytics (see below). Disrupting this essential functionality has significant consequences for our customers’ users as it effectively breaks the search experience. Currently, multiple high-traffic eCommerce sites are lacking core product search functionality when the Enhanced Tracking protection is enabled.
• In addition to search, Coveo’s platform collects analytics in order to deliver more relevant content. Coveo provides the tools and endpoints to collect these analytics, but does not have full control or responsibility for implementing tracking and related obligations - this lies with the integrating customer, who does so on their web property. That being said, our platform and tools are designed to ensure that users are tracked only on a single domain using first-party technologies, never across domains. The analytics collected in this manner are exclusively stored on behalf of the first-party site owner and are never combined with data from other customers.

Therefore, we believe that none of the activities related to our SaaS offering fall under disconnect’s definition of tracking. If you disagree with this interpretation, we would appreciate an explanation of your rationale and are open to discussing it further. Coveo is committed to user privacy and fully supports privacy-enhancing tools. However, we believe these tools are not intended to disrupt significant functionality and user experience on a large number of websites, as is currently happening.

Thank you for taking the time to consider our request.

[spirillen]

Well, this is a lie...

Comply with all applicable privacy laws and require users to transparently and explicitly opt in to data collection

Respect users’ Do Not Track (DNT) or Global Privacy Control (“Sec-GPC”) preferences

You are right, this isn't done by coveo.com, but you are using fingerprinting scripts from https://a0771a152cbe.f82a6d53.us-east-1.token.awswaf.com/a0771a152cbe/4dcfedf560e6/b6f8a8faf0b8/telemetry (https://github.com/mypdns/matrix/issues/562), and if the browser are prohibiting your from generate a fingerprint, you are not allowed access to your site.

If you like us to trust you, please do tell the hole truth.

So despite I accepted NOT to blacklist you by wildcard, I do so in my personal RPZ zone.

[disconnectme]

Thank you for the additional information. Our technical and policy review determined that subdomains of coveo.com meet our definition of Tracking (See https://disconnect.me/trackerprotection), and that those subdomains are properly classified.   Our technical review revealed Request URLs from coveo.com’s subdomains are present on thousands of 3P sites. We are seeing what appear to be tracking requests (originating 3P domain information, location, and “analytics”) from subdomains including but not limited to the following:

• platform.cloud.coveo.com
  • Example https://help.salesforce.com/s/ Request URL https://platform.cloud.coveo.com/rest/search/v2/querySuggest?locale=en_US
• platform-eu.cloud.coveo.com
  • Example https://www.iittala.com/en-gb Request URL https://platform-eu.cloud.coveo.com/rest/search/v2?organizationId=fiskarsbrandsproductiond1hh33ez
• static.cloud.coveo.com
  • Example: https://www.cardiosmart.org/ Request URL https://static.cloud.coveo.com/coveo.analytics.js/coveoua.js
• org.coveo.com
  • Example: https://engineering.barca.group/barca-spa/search Request URL https://barcagroupproductionkwvdy6lp.org.coveo.com/rest/search/v2?organizationId=barcagroupproductionkwvdy6lp

Per https://github.com/mypdns/matrix/issues/561#issuecomment-2168015706, there are also the subdomains specifically used for Coveo’s analytics:

• analytics.org.coveo.com
• analytics.orghipaa.coveo.com
• analytics.cloud.coveo.com
• analytics-eu.cloud.coveo.com
• analytics-au.cloud.coveo.com
• analytics-ca.cloud.coveo.com
• analyticshipaa.cloud.coveo.com
• usageanalytics.coveo.com
• usageanalyticshipaa.coveo.com
• analytics.orgdev.coveo.com
• analytics.orgstg.coveo.com
• analyticsdev.cloud.coveo.com
• analyticsdev-eu.cloud.coveo.com
• analyticsstg.cloud.coveo.com
• usageanalyticsdev.coveo.com   In addition, several portions of the Coveo policy and website marketing seem to support the current classification, including but not limited to the following:   Website marketing:
• “But, Coveo is entirely engineered for true 1:1 personalization. From the very first click, all your site’s content adapts to each unique visitor: The menu. The blog. Every digital experience. It’s complete personalization that skyrockets your conversions.” https://www.coveo.com/en
• “First-time shopper? Returning customer? Hesitant buyer? Offer the most relevant personalization experience to your shoppers with contextual, marketing, first-party, and zero party data.” https://www.coveo.com/en/solutions/ecommerce-search-platform/personalization
• “Recommend the most relevant content, based on a visitors’ context, browsing, and conversion behavior. Our relevance engine and recommendation models are easy to set up – including interest-based, similar behavior, frequently viewed together, and more.” https://www.coveo.com/en/solutions/website-search
• “With Coveo, automate the personalization of content and discovery by responding to each person’s unique context and intent.” https://www.coveo.com/en/platform/personalized-experiences   Data Processing Addendum https://www.coveo.com/en/company/legal/terms-and-agreements/data-processing-addendum talks about data collection:
• “1.1. “Application Usage Data” means usage and operation data in connection with Customer’s admin users’ use and configuration of the Hosted Services, including query logs and meta data about Customer’s instance of the Hosted Services.”
• “1.6. “Customer Data” means data that is submitted to the Hosted Services by or on behalf of Customer, including information which reflects the use of the Hosted Services by Customer’s end-users and specifically excludes Application Usage Data.”
• “Customer may submit Personal Data to the Hosted Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:
• Usage data
- IP Address                 
- Globally unique identifier (e.g., Client ID)
- User Agent (e.g., user browser information)
- User ID
- Session ID
- Geolocation information                 
- Browsing history and interests                 
- Commercial information (e.g., products or services considered, purchased, consumption history)
- Typing and speech utterance (e.g., query terms, chatbot, input prompts)
- Individual's preferences
- Any other data category transmitted by Customer
• Content data
- Documents that relate to an individual
- Contact data (first name, last name, position, e-mail address, street address, phone number, etc.)
- Professional or employment-related data (company, position, employer, employee number, etc.)
- Any other data category transmitted by Customer
• Sensitive data
- The contents of a consumer’s mail, email, and text message to the extent this is defined as sensitive pursuant to Privacy Laws
- Any other sensitive data category as transmitted by Customer, to the extent permitted by the Agreement”

We will remove the coveo.com TLD from our Services list, and we will add the above subdomains to our Services list instead. If blocking one of these subdomains causes breakage, please provide specific examples of the breakage for us to review.

Based on observed breakage when the org.coveo.com and static.cloud.coveo.com subdomains were blocked, these subdomains will be added to our Content category.