[ukutaht]

This is how I understand GDPR as well. Just hashing the IP address along with other static values is too easy to reverse and not considered anonymization under GDPR.

For https://plausible.io we added a daily salt to the hash for this exact reason. By deleting the salt at the end of each day, the hash becomes impossible to reverse and visitor data can be considered anonymous.

We lose unique visitor tracking beyond one day, but for most sites this is a small price to pay to remove annoying consent banners.

[nolito]

That's only from your perspective.

Website owners are still sending visitors IP-addresses your way. They have to trust you to do the hashing and deleting the salt (and pepper?) and not delivering data to others (4th party).

Another problem you - and others like goatcounter have - is described here https://blog.paranoidpenguin.net/2020/07/plausible-analytics....

[arp242]

I thought that "CNAME cloacking" was already addressed by uBlock and most similar tools last year already? I don't think it's a very effective method to bypass them.

At least, that's what I can gather from the linked issue and https://github.com/gorhill/uBlock/releases/tag/1.25.0 – so I'm not sure if I understand that article.

In goatcounter the whole CNAME thing was just intended as a cute "shortcut" so you can have "stats.example.com"; I assumed that all adblockers would deal with that correctly, and it was never intended as a way to bypass them (and certainly never advertised as such).

As for "selling IP address", how do you know "blog.example.com" isn't just collecting and selling that? Or HN for that matter?

[nolito]

Then use a shortcut :)

What about the (naive) users that d'ont use uBlock and similar tools and d'ont even know they exist?

BTW Goatcounter collects potential personal data. The querystring is not removed, is stored and presented to the website owner.