How we protect visitors' privacy

ProcessOne

We recently announced our intention to become a Facebook-free business. We are happy to report that all our Facebook Pages have now been permanently deleted, and all Facebook widgets and buttons have been removed from our websites.

But it wasn’t our first step towards minimising corporate surveillance for our users. In fact, for several years now we have had a rule on all our websites: avoid external resources (like public CDNs), avoid externally linked scripts and do not use excessive tracking technologies.

Our ProcessOne homepage uses a single session cookie. Our WordPress blog doesn’t create any cookies or use local storage at all. Currently, the only external script and tracking technology we use comes from, you guessed it, google-analytics.com. However, even upon implementing Google Analytics (GA), we made a choice to minimise its impact on our users.
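One way to check a page against the rule above is to list every resource the browser would fetch from a host other than the site's own. This is an added example, not ProcessOne's tooling; the first-party host, the allowlist and the sample markup are constructed for illustration, and the regex scan is a heuristic rather than a full HTML parser.

```javascript
// Added example: audit markup for resources loaded from third-party hosts.
// FIRST_PARTY, ALLOWED and SAMPLE_HTML are constructed, not taken from a real site.
const FIRST_PARTY = 'www.example.org';
const ALLOWED = new Set(['www.google-analytics.com']); // the one documented exception

const SAMPLE_HTML = `
<link rel="stylesheet" href="/css/site.css">
<script src="https://www.example.org/js/app.js"></script>
<script async src="//www.google-analytics.com/analytics.js"></script>
<script src="https://cdn.example.net/jquery.min.js"></script>
<iframe src="https://www.youtube-nocookie.com/embed/VIDEO_ID"></iframe>
<img src="data:image/jpeg;base64,AAAA" alt="video poster">
<a href="https://twitter.example/share">share</a>
`;

// Tags whose src/href can make the browser fetch something on page load.
// Plain <a> links are not included: they load nothing until clicked.
const LOADING_TAGS = /<(script|link|iframe|img|video|audio|source|embed)\b[^>]*>/gi;
const URL_ATTR = /\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

function externalResources(html, firstParty, allowed = new Set()) {
  const findings = [];
  for (const m of html.matchAll(LOADING_TAGS)) {
    const attr = URL_ATTR.exec(m[0]);
    if (!attr) continue; // inline script or tag without a URL
    const raw = attr[1] ?? attr[2] ?? attr[3];
    let url;
    try {
      // The base URL resolves relative and protocol-relative (//host) references.
      url = new URL(raw, `https://${firstParty}/`);
    } catch {
      continue; // unparsable value, nothing to fetch
    }
    if (!/^https?:$/.test(url.protocol)) continue; // data: and blob: stay inline
    if (url.hostname === firstParty) continue;
    findings.push({ tag: m[1].toLowerCase(), host: url.hostname,
                    allowed: allowed.has(url.hostname) });
  }
  return findings;
}

// Third-party loads that are not on the allowlist, as "tag:host" strings.
function violations(html, firstParty, allowed) {
  return externalResources(html, firstParty, allowed)
    .filter((f) => !f.allowed)
    .map((f) => `${f.tag}:${f.host}`);
}

console.log(violations(SAMPLE_HTML, FIRST_PARTY, ALLOWED));
```

Run against the rendered HTML of each template in CI, a non-empty result means a third-party load has been introduced.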

We modified the script to disable IP detection, disable cookies and local storage, and distinguish our visitors just by a custom fingerprint that is useless to GA scripts on other sites and domains. This way, our users can’t be tracked from site to site. The customisations are based on this cookieless-google-analytics repo I cooked up back in 2014.

However, as you may imagine, Google goes to some lengths to make this anonymisation process difficult. On our new XMPP, MQTT & SIP realtime platform called Fluux we wanted to implement the latest version of the GA script. However, the so-called gtag.js has removed some of the useful customisation options I mentioned earlier.

For example, you can’t fully disable cookies or local storage. This decision was probably made by the same person who decided that YouTube embeds from the youtube-nocookie.com domain should store all of the old-school cookies inside local storage. Technically, it is indeed “nocookie”, but in fact it’s still tracking users, with values named like yt-remote-device-id.

In the end, we decided to keep the previous, cookie-less version of the GA script. Additionally, we removed the YT embed in favour of an inline base64-encoded JPG. We are also testing Vimeo embeds in our blog posts. They do use cookies, but they increase overall decentralisation.

When browsing ProcessOne sites and services, you can be sure we have spent a significant amount of time minimising what we collect, or we do not track you at all. Because we care about your privacy as we care about our own.

It’s very hard to stay untracked while browsing the web. Google, Facebook and many others have their business models based on extensive tracking. But a lot of the fault lies with us, the webmasters, for using seemingly helpful and time-saving technologies that are brilliant and free – but are they? In the end, if we are not careful, we pay with our data, and the data of our users, and with all the nasty consequences that come with it.

We can change that state, one site at a time, with just a little bit of effort and cooperation. We can minimise the exposure of our users. We can switch to locally stored code and customised scripts. We can do more. We can do better.