matomo-org / matomo

Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
https://matomo.org/
GNU General Public License v3.0

Explain how the new fingerprint is limited and why consent is not needed (update the fingerprint FAQ) #16361

Closed mattab closed 3 years ago

mattab commented 4 years ago

Can we update the FAQ at https://matomo.org/faq/general/faq_21418/ to mention for example:

From #15886 #13655

Daten-David commented 3 years ago

Hello! I have been invited by @mattab to post my thoughts on consent requirements here.

I am afraid that all the great data protection conscious work by Matomo does primarily address GDPR. Under GDPR Matomo is pretty perfect and usage of Matomo without consent should be legal as a legitimate interest – under certain circumstances even if cookies are activated.

But – as most of us will be aware – the much more relevant law is the EU ePrivacy Directive of 2002 (since its 2009 update commonly called "Cookie Directive", officially Directive 2002/58/EC).

ePrivacy refers to all kinds of data – no matter if personal, personally identifiable or non-personal. ePrivacy does not know legal justifications like legitimate interest, fulfillment of a contract or anything like the other justifications under GDPR.

If Art. 5 para. 3 ePrivacy Directive applies, consent is mandatory to proceed.

This law does not refer to cookies. It refers to "the gaining of access to information already stored, in the terminal equipment of a subscriber or user". The most relevant question is whether Javascript Tracking means gaining access to information already stored in the end user's device.

Art. 5 para. 3 ePrivacy Directive describes one scenario when consent is not required. This is the case if access to the end user's device is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service". This exemption does not cover analytics because no user or visitor "explicitly requests" to analyze his website or app usage.

The relevant publication regarding this matter is Opinion 09/2014 by the Article 29 Working Party on device fingerprinting. The Opinion states under 7.1: "first-party website analytics through device fingerprinting do not fall under the exemption defined in CRITERION A or B and consent of the user is required."

So I guess any kind of Javascript analytics requires (previous) consent and means to withdraw consent later.

From my point of view the ePrivacy legislation is way too far reaching. GDPR is much more flexible and has a much smarter approach. The Working Party seems to share this opinion (at least in 2014). But at present: It is simply the law.

The issue is less about the details of how long data is stored. It is only about whether access to information inside the end user's device takes place or not.

If Matomo shares my thoughts, the advice to users should be that consent is always required if Javascript analytics is active.

mattab commented 3 years ago

whether Javascript Tracking means gaining access to information already stored in the end user's device.

fyi: JavaScript tracking does not mean gaining access to the device info: in particular if you use Matomo in cookie-less mode, then the JS code will not access nor create the tracking cookies at all.

Daten-David commented 3 years ago

Dear @mattab, please do not refer to cookies. Cookies are legally irrelevant. Cookies are not mentioned in any law I am aware of. To focus on cookies does not answer the legal questions.

How does JS code gain any information on technical aspects of my device (e.g. screen size) without access to my device? As far as I know most information collected by JS code is not automatically sent to the analytics server. No push of information by my device but a pull by JS code.

Please check Opinion 09/2014 of the Article 29 Working Party. This is where I take all my knowledge from. At which point does the Opinion describe Javascript analytics in a way different from the process used by Matomo? Why does the Opinion state that Javascript analytics without cookies requires consent?

I am really happy to learn if I am all wrong.

utrautmann commented 3 years ago

Hello @mattab this topic is becoming more and more important. I have some German data protection officers in my projects now in 2021 who refuse to use Matomo in cookie-less mode without consent. Their justification refers to the word "fingerprint", so the collection of information from the browser as Dave said.

Can you please describe which exact data is determined by the browser in order to create the fingerprint and why you think that no consent is required? I actually thought that with the cookie-less variant, the fingerprint would not be created with Javascript and would be created at the server (with the http header information of the client). I think we need more transparency.

Daten-David commented 3 years ago

@utrautmann: Thanks for picking up the issue. I experience the same as you.

I guess everybody follows on Google's FLoC initiative. But did you see that Google admitted legal challenges by GDPR and most of all ePrivacy for FLoC? https://www.adexchanger.com/platforms/google-will-not-run-floc-origin-tests-in-europe-due-to-gdpr-concerns/

From my point of view it is crucial to understand the difference between GDPR and ePrivacy. GDPR is (almost) no obstacle to web analytics. Under GDPR you can run Matomo as legitimate interest without consent even with cookies active.

The challenge is ePrivacy.

The latest draft for the future ePrivacy Regulation by Portuguese EU presidency presents an option to run statistics without consent. See: https://www.statewatch.org/media/1649/eu-council-e-privacy-presidency-proposal-5008-21.pdf. Or the updated full text at https://data.consilium.europa.eu/doc/document/ST-6087-2021-INIT/en/pdf. Look for Article 6b (1) (e) + (f) and Article 8 (2) (c).

The EDPB has published concerns about the draft ePrivacy Regulation: https://edpb.europa.eu/news/news/2021/european-data-protection-board-46th-plenary-session_de

Most relevant: The law tends to stay theoretical. The real work is done by Mozilla with Firefox or Apple with Safari and most likely by Google with Chrome in future. They control how tracking or analytics takes place in future.

Server-side analytics is no problem. It can't be controlled by the browser. And it is not governed by ePrivacy law. But server-side analytics only provides very low-level analytics. And server-side analytics is a trip back to the '90s.

Findus23 commented 3 years ago

I have to say that I have lost the overview a bit, both with the new ePrivacy plans and what Google is trying to achieve with their new concepts.

Server-side analytics is no problem

Really? I always thought server-side analytics make things more difficult in other ways as e.g. there is no straight-forward way for people to opt-out.

Also the whole concept of FLoC seems like a really bad idea privacy-wise to me. It solves a few issues, but opens a bag of new ones at the same time. https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea sums up a few important points nicely in my opinion.

If you want to talk more about this I can only invite you to the forum as it is easier for general discussions than github issues. I would also be interested in other peoples opinions and ideas.

Daten-David commented 3 years ago

I always thought server-side analytics make things more difficult in other ways as e.g. there is no straight-forward way for people to opt-out.

Yes. There is no way to opt-out. But opt-out is not 100 percent mandatory. Check Art. 21 (1) GDPR.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

A regular web log should be considered compelling legitimate grounds. The statistics derived from web log data are not personal data. The statistics are anonymous data and GDPR doesn't apply. The web log as raw data needs to be erased after a short period of time. But the statistics can stay.

I can only invite you to the forum as it is easier for general discussions than github issues

Thanks! I don't feel at home enough to start a new discussion in the forum. As soon as somebody does, I am happy to throw in my 50 cents.

Daten-David commented 3 years ago

I transferred the discussion to the forum: https://forum.matomo.org/t/does-device-fingerprinting-require-consent/42869

mattab commented 3 years ago

The situation has been clarified as best as possible in the FAQ at https://matomo.org/faq/general/how-is-the-visitor-config_id-processed/ so I'm closing this now.

mattab commented 2 years ago

@Daten-David FYI the discussion may continue in #18448 and https://github.com/matomo-org/matomo/issues/15425