[lightswitch05]

I think grouping server-side tracking with JavaScript based tracking is an oversimplification. JavaScript tracking is much more invasive and can access significantly more data. From something as straightforward as fingerprinting to potentially even more invasive data such as geo-location, battery status, webcam, microphone - you name it. Server access logs aren't going to track my eyes.

I think we can all agree there are different levels of acceptable tracking and use of that data- but the degrees of acceptance are going to be different depending on the user and service. I don't consider bypassing my restrictions to run unauthorized code to be an acceptable tracking method and raises serious concerns about how the data will then be used.

[arp242]

Anyone can do all sorts of things. I can punch anyone I see on the street in the face. Doesn't mean they're actually doing it.

Now, I have a vested interest in this as I work on one of those tracking tools, but it actually collects less data than those Apache access_logs that people have been keeping for 25 years. Plus, the JS is unminified and easily examinable if you want (as is the HTTP request), so you also have more insight in what is being collected exactly.

"It's using JavaScript" and "it can do [..]" are massive red herrings; browsers are actually fairly sandboxed and there are millions upon millions of lines of code on your computer that can do much more than JavaScript inside a webpage.

[lightswitch05]

> I can punch anyone I see on the street in the face.

Yes, and then you would be charged with assault. It is great that you work on a tool that respects peoples privacy. I suppose I failed to put an emphasis on trust. With server side logs, less trust is required because there is less that can be done. Paired with VPN, I can have reasonable belief that server side logging is not logging anything unreasonable and it does not require trust that they are not fingerprinting me. As you say, just because someone can do something doesn't mean they will - but trust is required, especially if there are no repercussions if that trust is violated.

[throwaway894345]

OTOH JavaScript tracking is an easy way to filter out a lot of the bots. I use a little bit of JS-based tracking for exactly this reason, but I'm not extracting anything that wouldn't show up in server logs (eventually I also want to get some "time spent on page" metric so I have some idea how useful my blog posts are (are people clicking and leaving right away or are they sticking around to read). You pretty need JS for this. In whatever case, web analytics like these aren't "tracking"; you're looking at user behavior on your own site; not trying to follow them around the Internet or otherwise identify them.

[dalu]

Matomo doesn't track all that much. Screen size, which is wrong for Firefox vs Chrome. Visit time and unique user and visit ID. Also some ecommerce parameters if you set them. As well as if your browser supports whatever tech like flash, silverlight etc. It's a slightly better server log.