Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Yeah, at some point we're going to have to address that (internet) communication is a two way street.

Until then, your HTML is interpreted by my browser, any resources are going over my network (and only my network if they're 3rd party) and the JavaScript is running on my machine . So I'll be having them obey my rules.



I’m not sure I understand your point. It’s you who requests those resources, nobody pushes that data towards you. Are we debating adblockers? Because that is a different topic than server side log analysis and I agree that we should be picky about what we process (but it’s a thin line, you are using resources from the owner of that service though).


So a cryptominer won't bother you then.


It’s you who requests those resources,

That does not matter, at least in the EU where citizens are protected by the GDPR. Article 6 of the GDPR:

Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;


You are now changing the argument from a moral one to a legal one. The GDRP may or may not proscribe certain things, and it may be a good law or an unjust one.

However, OP does not understand why you are so entitled to want to use their website for free, and then also want to tell them that they is not allowed to make note of you having done so.


You are changing directions with your comment.

"his or her personal data"

Analytics is not personal. No one shares their names or social security number. And I strongly agree with people above mentioning The Visitor is the requester. We provide services, they use it, we want to understand what we are doing by checking analytics. Nothing immoral about this.


You don’t get to redefine ‘personal data’ ;). The GDPR is clear about that:

* ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;*

In the legal opinions that the EU provides with the GDPR, random tokens that are associated with a person are PD. An IP address is also considered personal data:

https://ec.europa.eu/info/law/law-topic/data-protection/refo...

Nothing immoral about this.

What is ethical is a personal opinion, but collecting personal data (following the definition above) is simply not legal without consent in the EU.


IP addresses might not even get associated with analytics events - just used for basic counting of different users before aggregation? At that point you have no right to it.


Item (f) in that same Article 6 can be applied to collect data without explicit consent:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


IANAL, but privacy regulators in various countries (but also the GDPR) have been fairly explicit that this cannot be used for blanket collection of data. E.g. GDPR recital 47 states that there must be a reasonable expectation of the data subject that such data is collected, e.g. because they data subject is a client (in the non-technical sense) of the controller. The purpose for the collection should be specified and properly communicated. Also AFAIK all the rights of the data subject are retained. E.g. they can request the data and ask that the data is removed.

General analytics on a website are probably not covered under f, since it is not necessary and not what you’d expect when you visit a website to which you have no customer relation.

There are clear cases where one has to collect data, even without consent, such as fraud prevention.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: