Hacker News new | ask | show | jobs
by kohtatsu 2218 days ago
https://dashboard.usertrack.net/sites/usertrack.net/visitors...

Collecting scroll and mouse movements is enough to build a fingerprint on people. It's also creepy, this kind of stuff needs to be opt-in. You could record first and only send to the server after they've granted permission with a clear dialog like "can we send your mouse movements and page interaction to the webmaster?"

No idea on how that plays into GDPR, but you'll want to take that into account with something like this.

Overall it's better than Google having all that data, and congrats on building something cool, I like it minus the minutiae that you capture.
2 comments
XCSme 2218 days ago
Thanks for the suggestions!

There is an option to display a consent window before tracking. Currently I have it disabled on my site, as it's more for demo purposes.

I do agree that it feels a bit creepy to see a recording of yourself, but for static landing pages (where no private data is shared) it poses no privacy risks. I do plan to working on improving the privacy of the platform itself, by allowing better granularity of the things that are tracked (eg. you don't care about recordings? you can disable them).

Currently all the tracking is done cookie-less, there is some more info about privacy here: https://docs.usertrack.net/personal-data-information

> Overall it's better than Google having all that data, and congrats on building something cool, I like it minus the minutiae that you capture.

With userTrack I don't try to replace Google Analytics with a self-hosted platform that is only more "creepy", but also offer a self-hosted alternative to services like Hotjar and FullStory. The difference is that those services not only have the data across multiple domains, but also store the entire HTML content and all changes on the page, meaning that if you have a Chrome Extension that adds some private content to a page (eg. you have a snippet extension that loads reply templates and displays them on the page), this content will also be stored and sent to their servers. userTrack only stores the URL of the page and all actions done (clicks, movements, scroll, window resize, optional text input), meaning that it doesn't actually track your private information if it is added to a login-protected page (eg. your private user dashboard).

Overall I think this can lead to a huge privacy boost for both users and webmasters, while still empowering webmasters with data: * No single authority has the browsing data of a user across domains * No more 3rd party cookies and requests, you can host everything on the same domain as your site * You decide how intrusive you want the tracking to be, not the platform.

I still have work to do when it comes to privacy, but I do see this as being the future for responsible webmasters.

link
XCSme 2218 days ago
> Collecting scroll and mouse movements is enough to build a fingerprint on people.

I never thought of this, I do see the potential fingerprinting but I don't think it actually works as currently the mouse position and scroll is tracked only ~200ms, so you just get some random positions, not enough to generate an accurate fingerprint. Plus it would require a lot of data and ML, which I highly doubt would be worth the effort.

> This kind of stuff needs to be opt-in As I mentioned in the other comment, you can display an opt-in dialog if you want to. Some related info: I don't know if you heard of Hotjar before (probably you did, as their ads are everywhere), but it was on like 25% of alexa top 100 sites and on over 500k sites, and probably all of them just bundle the consent with the other cookies or don't show any information at all. I think the problem is that GDPR mostly referrs to tracking and personal identifiable data, and all those movements, heatmaps and actions are not really enough to identify a person.

My current opinion about this: Although I agree it feels creepy, as I user I don't really care if my actions are tracked on the website I go on, if there's no connection made to my person or to other websites I visited. Also, tracking mouse movement feels more creepy, but tracking all the content that you see and buttons/links that you click on in order to show targeted ads is probably worse. I think the big difference is that once you go to site X, you expect the site to get some information about your usage on their site (what pages you visit, what information was useful for you, where you got stuck on the page) in order to improve your experience and for them to improve conversions, but you don't expect for another 3rd party to get all this info about you and use it for other purposes such as advertising or selling of personal information

link
kohtatsu 2218 days ago
I'm happy to see you're putting this much thought into it, I appreciate it a lot.

I think it is a dozen orders of magnitude better than 3rd party services considering it's self hosted, which mostly nullifies fingerprinting concerns. I firmly believe opt-in should be required for the scrolling and movements, but I understand the climate isn't there yet.

Thanks for taking time to consider privacy, making it a priority, and taking the time to respond here. I reckon you're well on the good side of the fight for privacy just by decentralizing this data.

link