[aviaviavi]

Hi HN, a comment to give a little more backstory here:

At Scarf, we aim to give open source developers more visibility into how their software is being used. As people with experience distributing binaries and artifacts hosted on platforms like GitHub Releases and S3, a repeated struggle was not having any visibility into downloads. Which versions of the software were being downloaded the most? On which platforms? Where in the world? Which companies were downloading?

This year we built Scarf Gateway, which acts as a redirect/analytics layer for any container registry. Supporting other kinds of artifacts was a natural extension, and arbitrary file downloads is perhaps the most general extension we could build!

Curious to hear what people think.

[inetknght]

> Curious to hear what people think.

How would someone opt-out of being tracked that something's been downloaded?

[aviaviavi]

This still needs to be added to our docs. A `dnt=1` query param in a download URL is interpreted as an end-user opt-out. We plan to add more forms of opting out based on user feedback. We want to ensure it's low-friction to opt out of tracking.

[milkytron]

Why not check the Do Not Track or Global Privacy Control header? Having a query param seems like more friction.

https://en.wikipedia.org/wiki/Do_Not_Track

[aviaviavi]

Great suggestion, very appreciated. Global privacy control wasn't on my radar but this looks like what we should do. DNT is considered deprecated, at least according to MDN docs.

[smarx007]

I think this is great as long as you respect GDPR. Tracking is not inherently bad. And I had some pain tracking downloads of our OSS project files, thankfully Eclipse Foundation has some tools for gathering anonymous statistics (I think the term "anonymous statistics" will fare better with the HN crowd than "tracking" or "measure"). Added your service to bookmarks for the next time I need such functionality.

However, you seem to have an incomplete understanding of GDPR judging from your homepage. For example, you don't provide a way for people to opt out on your homepage. This may indicate that you are thinking about GDPR in American "PII" terms instead of thinking about "processing purposes" and "personal data" (not necessarily identifiable, such as a 5-star rating for a taxi driver) as intended by GDPR. You can store my home address without my consent if you need it to deliver a book to me. You may not pass my non-anonymized IP address to anyone except your secops (legitimate business need has been explained by EU courts to mean a need to fulfill user's need, not company need, e.g. to show ads).

Further down the thread you also discuss the opt-out mechanisms. Again, this is only legal under GDPR for opting out of the kinds of processing you have a legitimate business need for. Things that require a consent may not be worked around with an opt-out.

Not a lawyer but a person in EU who sent GDPR requests and complaints to company DPOs and regulators. Hope your service grows well!

[aviaviavi]

Glad to hear and thanks for the kind words!

Fully complying with GDPR is a requirement as we build this out. Our data policies and practices have been thoroughly reviewed by our legal team. If we are doing anything incorrectly with respect to GDPR, it will be promptly addressed.

It turns out that the data we are actually storing about end-user traffic do not meet the criteria that trigger requirements for explicit consent. Scarf also operates a data processor with respect to GDPR, rather than a controller.

[smarx007]

Ah, shrewd move! For others reading this: your project using Scarf will bear responsibility for GDPR compliance regarding processing purposes as the controller and Scarf is just a processor like AWS (not that I buy it completely but I am sure smart folks at noyb.eu will look at this when time comes).