How do the EU privacy regulations affect your website and what can you do with open source tools like Drupal and Piwik to offer your visitors a reliable and regulatory compliant website?
3. info@hcderaad.nl
www.hcderaad.nl
Whoami?
● OpenNovations
– Current company of Hans de Raad
– Dutch partner for Kolab Systems AG (btw, Georg says hi!)
● Chamber of commerce registration states:
– “The goal of the company is to deliver products and services in all aspects of the competences, personal interests and areas of expertise of the owner”.
● In other words, it's mainly a vehicle to do something useful and nice and charge money for that.
● Some areas of interest:
– Information, communication, technology, workshops and consultancy.
● Do I stick to that?
How does Drupal fit into this?
● Both user and enthusiast since around 4.3/4.4ish
● After release of Drupal 7 decided to specialize on one
CMS/CMF platform
● One can just about build anything web-related with Drupal
– It has a really great community!
– Volunteer and speaker for DrupalJam 2012
in Zoetermeer, DrupalCon 2013 in Prague
– Frequent visitor of DrupalCafés
– Very much looking forward to Barcelona
this autumn!!!
The bigger picture
● Organizations/committees within the EU seem really concerned about user privacy.
– “The right to be forgotten”
● Spreading personal information across the internet is a financial risk.
– Which in turn becomes a governmental problem (identity theft)
● Also, a lot of information is stored outside the EU
– Which basically means it's lost.
– Or, in a more cynical view, it's given away for free to our competitors.
It became a nuisance
● It is pretty difficult to make the distinction between “functional” and “analytics” cookies, especially when the WBP (Wet bescherming persoonsgegevens, the Dutch privacy law) gets involved.
● Cookie-walls started to appear, also on public sites, like NPO
– And actually, any webshop should probably have done the same.
● Also, the website-owner is responsible for all cookies set by the site
● Any site (owner) has to have a privacy/cookie statement.
And in come the penalties
● Unreported data loss is actually punishable by law.
– And these incidents will be made public.
● Prevention measures have to be publicly announced and explained.
● No actual financial penalty is enforced.
● But how about usability penalties?
– It pretty much is a minefield, because there is EU legislation, which is then interpreted differently by just about any member state.......
Then it became even more confusing
● Since June 2012 there have been 2 pretty big changes to the interpretation of the Telecommunicatiewet (the Dutch telecommunications act) in the Netherlands (and other countries are similar).
● Minister Kamp introduced the distinction between first- and third-party cookies
● OPTA's cookie FAQ change from March 2013 introduced some other concepts
● Debate goes on until today, also because of differences in legislation (e.g. UK vs NL)
So what!? I use Google Analytics
● Sure, that is a really great tool... But... Do you actually comply with the law?
● Go find a mirror, no really, a glass one.
– I know I sure didn't.
Yeah, well: fsck the law!
● Ok, fine by me, but even then there actually are some considerable use cases:
– What will you do if you have a question that commercial analytics software doesn't really answer?
– And what will you do if a user actually decides to press “no”?
– What is your exit strategy from the platform?
Ok, ok, and... Piwik?
● Born out of the ashes of phpMyVisites around 2007.
● Built using Zend Framework (yes, it is something fairly modern PHP'ish)
● Integrates well with Drupal (and Joomla, WordPress, yes even SharePoint).
● It's actually pretty user-friendly (ever tried AWStats?)
● But, most importantly, it stores your data locally, on your own server.
● Used by ~500,000 sites today.
Ok, what does it do?
● Just about anything something like AWStats does, but then with cookies (which basically means individual users).
● So, click paths (page based), entry and exit pages, geo-IP, referrers, browser info, etc, etc. Yup, it's got it.
● But there is more:
– Annotations, like saving notes on analyses
– Goals, e.g. does a visited product page actually result in a shopping cart addition?
– E-commerce integration, following customer spending (actually Drupal Commerce does this quite well)
– Several custom variables, like campaign tracking, etc.
Is that all?
● Nope, it can also parse server logs!
● Privacy related options like:
– Anonymize IP addresses
– Purging of raw tracking data (but keeping the aggregated report data)
– Do-Not-Track and opt-out support
● For the site manager:
– Scheduled reports
– Mobile app
● > 30 third party plugins
● Extensible plugin architecture
Any alternatives?
● Sure!
– Open Web Analytics
● Pretty much comparable, but a little older (especially the Drupal integration module) and not focused on legal compliance.
– CrawlTrack
● PHP based, latest release > 2 years ago, claims to do more than just analyse visitors (block hack attempts)
– AWStats, Webalizer, Analog, W3Perl
● Perl or C based, static log parsers, look like something from the early days of space travel (or Webmin)
Drupal?
● Any introduction necessary?
● World class Content Management Framework
– Used for all kinds of web applications
● Websites
– Including Sony BMG, The White House, European Commission, etc
● E-commerce
– Drupal Commerce
● Conference organization
● Etc, etc
Drupal integration
● There is a module for that! (and a theme?)
● What does that do then?
– Places some JS into your theme that calls your Piwik server.
– Offers reporting to (authorized) users through the Drupal admin interface.
– Customization of what to track and store from the source (the Drupal site).
● You still need something like Cookie Control to be compliant (the tracker must only fire after consent), but... you are one step closer to being compliant by not sharing data with third parties!
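As an added example (not code from the slides, nor from the Drupal Piwik module or Cookie Control), this is what the "only track after the visitor said yes" rule looks like as a consent-gated bootstrap for the Piwik JavaScript tracker. The `_paq` commands are the public piwik.js tracker API; the cookie names, the Piwik URL and site id, the six-month cookie lifetime and the decision to treat an undecided visitor like a "no" are assumptions of this example. The `nocookies=1` opt-out cookie is the one from the speaker notes.

```javascript
// Added example, not code from the slides or from the Drupal Piwik module:
// a consent-gated bootstrap for the Piwik JavaScript tracker, so nothing is
// sent to the Piwik server until the visitor has explicitly said "yes".
// Assumptions (labelled): the consent cookie name, the Piwik URL and site id,
// the cookie lifetime, and the rule that an undecided visitor is treated as "no".
'use strict';

const OPTOUT_COOKIE = 'nocookies';       // "nocookies=1" is the opt-out cookie from the talk
const CONSENT_COOKIE = 'piwik_consent';  // assumed name; value "yes" once the visitor accepted
const CONSENT_MAX_AGE = 180 * 24 * 3600; // assumed: remember the choice for six months

// Parse a document.cookie style string ("a=1; b=2") into a name -> value map.
function parseCookies(cookieString) {
  const cookies = {};
  for (const part of String(cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name) cookies[name] = part.slice(eq + 1).trim();
  }
  return cookies;
}

// 'declined' | 'accepted' | 'undecided'. The opt-out cookie wins over everything else.
function consentState(cookieString) {
  const c = parseCookies(cookieString);
  if (c[OPTOUT_COOKIE] === '1') return 'declined';
  if (c[CONSENT_COOKIE] === 'yes') return 'accepted';
  return 'undecided';
}

// The cookie to set when the visitor clicks yes/no. It carries only the decision:
// no UUID, nothing that could re-identify the session later.
function consentCookie(accepted) {
  const body = accepted ? `${CONSENT_COOKIE}=yes` : `${OPTOUT_COOKIE}=1`;
  return `${body}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax`;
}

// Build the _paq command list for piwik.js. Returns [] when no request may leave
// the browser; that page view still shows up in your own server log.
function buildTrackerCommands({ piwikUrl, siteId, cookieString, doNotTrack }) {
  if (!/^https:\/\/\S+\/$/.test(piwikUrl)) {
    throw new Error('piwikUrl must be an https URL ending in "/"');
  }
  if (consentState(cookieString) !== 'accepted') return []; // default deny
  const commands = [];
  if (doNotTrack === '1') commands.push(['setDoNotTrack', true]); // honour browser DNT too
  commands.push(['setTrackerUrl', piwikUrl + 'piwik.php']);
  commands.push(['setSiteId', String(siteId)]);
  commands.push(['enableLinkTracking']);
  commands.push(['trackPageView']);
  return commands;
}

// Browser glue (skipped under Node): fill window._paq and load piwik.js only when
// there is something to send. A Cookie Control style banner would do
// document.cookie = consentCookie(true or false) and then re-run this logic.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const PIWIK_URL = 'https://stats.example.org/piwik/'; // assumed: your own Piwik host
  const commands = buildTrackerCommands({
    piwikUrl: PIWIK_URL,
    siteId: 1,                                          // assumed site id
    cookieString: document.cookie,
    doNotTrack: window.navigator.doNotTrack,
  });
  if (commands.length > 0) {
    window._paq = window._paq || [];
    for (const cmd of commands) window._paq.push(cmd);
    const script = document.createElement('script');
    script.async = true;
    script.src = PIWIK_URL + 'piwik.js';
    document.head.appendChild(script);
  }
}
```

The point of `buildTrackerCommands` returning an empty list for both "declined" and "undecided" is that the safe default is no request at all: piwik.js is not even loaded, so there is nothing to explain in the cookie statement for a visitor who never clicked "yes". Insisting on an https tracker URL keeps the visit data between the browser and your own Piwik host.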
But i already use some other tool!
● Keep breathing, there are solutions at hand:
– Google2piwik
– Log file imports
– Directly insert CSV data into the DB
– Custom plugins
● But mainly, enjoy playing with the reports!
Just one more thing!
● Roundcube Next!
– The world's most used open source webmail client
– Fundraiser for the next iteration of the platform
● Already > $25,000 raised!
– Help to shape the future of email!
https://roundcu.be/next
Do I stick to that?
Hacker festivals (OHM and HQE)
Also used to be business manager of a classical choir, the Bachkoor Holland, and project lead for openSUSE Conference and Kolab Summit.
Now also organizing the Huygens Festival in the Netherlands.
Dutch technology partner for Kolab Systems AG.
So, why should I?
“Cookie law” or “Telecommunicatiewet”, 5 June 2012:
Distinction between 2 types of cookies:
Functionally necessary cookies (like shopping carts, session cookies)
“Analytics” cookies
Assumption is that “analytics” cookies always contain personally identifiable information, unless the webmaster can prove otherwise (“rechtsvermoeden”, a legal presumption)
“Functional” cookies are legal as long as the user is informed about them.
Any cookie related to personal (or identifiable) information is only legal if a user explicitly accepts it.
Then also privacy law (WBP) is applicable
“Analytics” cookies are always considered personal-information related.
WBP has several distinct categories of information, and there is no such thing as functional or analytics. It's either personal info or not (in several degrees of importance).
Cookie walls started to appear, also on public sites, like NPO
NPO stated they were lawfully obligated to analyse their visitors to justify their public information duties.
But since they were also obligated to require explicit consent, they decided to do something really user-unfriendly.
Also, the website owner is responsible for all cookies set by the site, which includes cookies set by advertisers/affiliates.
So you had better know who is placing stuff on your visitors' computers.
Minister Kamp introduced the distinction between first- and third-party cookies
So, actually, “analytics” cookies were placed in the less-restricted category, as long as the information stored is anonymous and not shared with others.
This has not made it into the law up to this day.
OPTA's cookie FAQ change from March introduced some other items:
Which actually made it clear that “statically” logged server logs can be used without user consent.
But “on any information sent after the initial request the law is still applicable”....
And how about browser fingerprinting?
But the cookie to indicate that no cookies may be stored is still legal (but just don't do anything smart-ass like storing a UUID to indicate that this specific session doesn't want to be logged)... “nocookies=1”
Sure, that is a really great tool... But... Do you actually comply with the law?
I really mean, do you actually start using it AFTER your user has explicitly consented to sending their personal data to some third party entity they don't know or, even better, should not have to know at all?
And what will you do if a user actually decides to press “no”?
How's your data? How are your reports?
What is your exit strategy from the platform?
Isn't open source about choice in the first place?
Just about anything something like AWStats does, but then with cookies (which basically means individual users).
Wait, isn't an IP address a unique identifier?
Nope, it can also parse server logs
Which in fact means you also get a picture of your site users who say “no” to cookies.
Privacy related options like:
Anonymize IP addresses
Purging of raw tracking data (but keeping the aggregated report data)
Do-Not-Track and opt-out support
For the site manager:
Scheduled reports
Mobile app
> 20 third party plugins
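The server-log angle in these notes (visitors who say "no" still appear in the access log, an IP address is an identifier, raw data can be purged once the reports exist) as an added example, written here for this page and not Piwik's own log importer or anything from the slides: it parses Apache "combined" log lines, anonymizes the client IP before it is used for anything, and returns only aggregates. The log lines are constructed. Masking one trailing IPv4 byte and keeping only the /64 prefix of an IPv6 address mirrors what Piwik's "anonymize IP" setting does, but the number of bytes there is configurable and this default is an assumption, as is the list of file extensions treated as static assets.

```javascript
// Added example, not from the slides and not Piwik's own import_logs.py:
// parse Apache "combined" access-log lines, anonymize the client IP the way
// Piwik's "anonymize IP" privacy setting does (drop trailing bytes; the byte
// count is configurable, one byte is assumed here), aggregate a report and
// keep nothing per visitor. The sample log lines below are constructed.
'use strict';

// ip ident user [time] "METHOD path proto" status bytes "referrer" "agent"
const COMBINED = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ([^ "]+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;
// Assumed list of extensions that are assets rather than page views.
const STATIC_ASSET = /\.(css|js|png|jpe?g|gif|ico|svg|woff2?)$/i;

// Parse one line into a record, or null when it is not a combined-format line.
function parseLine(line) {
  const m = COMBINED.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4],
           status: Number(m[5]), referrer: m[6], agent: m[7] };
}

// Expand a (possibly "::"-compressed) IPv6 address into 8 zero-padded groups.
function expandIPv6(ip) {
  const [head, tail = ''] = ip.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const groups = h.concat(Array(8 - h.length - t.length).fill('0'), t);
  return groups.map(g => g.padStart(4, '0'));
}

// Anonymize like Piwik's privacy setting: zero the last `maskBytes` octets of an
// IPv4 address; for IPv6 keep only the first 64 bits (the network prefix).
function anonymizeIp(ip, maskBytes = 1) {
  if (ip.includes(':')) return expandIPv6(ip).slice(0, 4).join(':') + '::';
  const octets = ip.split('.');
  if (octets.length !== 4) return '0.0.0.0'; // unparsable: fully masked
  for (let i = 4 - maskBytes; i < 4; i++) octets[i] = '0';
  return octets.join('.');
}

// Aggregate report data. Only the aggregates leave this function; the parsed
// records (and the real IPs) are discarded, which is the "purge raw tracking
// data but keep report data" setting applied at ingestion time.
function buildReport(lines, maskBytes = 1) {
  const pageviews = {};
  const statuses = {};
  const visitors = new Set(); // distinct *anonymized* addresses only
  let unparsedLines = 0;
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) { unparsedLines++; continue; }
    const path = r.path.split('?')[0];
    if (STATIC_ASSET.test(path)) continue; // assets are not page views
    statuses[r.status] = (statuses[r.status] || 0) + 1;
    if (r.status >= 400) continue;         // errors are counted, not browsed
    pageviews[path] = (pageviews[path] || 0) + 1;
    visitors.add(anonymizeIp(r.ip, maskBytes));
  }
  return { pageviews, statuses, approxVisitors: visitors.size, unparsedLines };
}

// Constructed sample: two clients from the same /24, one IPv6 client, one
// forbidden request, one asset and one line that is not in combined format.
const SAMPLE_LOG = [
  '203.0.113.17 - - [10/Sep/2015:10:00:01 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.17 - - [10/Sep/2015:10:00:02 +0200] "GET /sites/default/files/logo.png HTTP/1.1" 200 812 "http://example.org/" "Mozilla/5.0"',
  '203.0.113.99 - - [10/Sep/2015:10:00:05 +0200] "GET /node/1?utm=x HTTP/1.1" 200 7300 "http://example.org/" "Mozilla/5.0"',
  '2001:db8:1:2::abcd - - [10/Sep/2015:10:00:09 +0200] "GET /node/1 HTTP/1.1" 200 7300 "-" "curl/7.43"',
  '198.51.100.5 - - [10/Sep/2015:10:00:11 +0200] "GET /admin HTTP/1.1" 403 120 "-" "Mozilla/5.0"',
  'this line is not in combined format',
];

console.log(JSON.stringify(buildReport(SAMPLE_LOG), null, 2));
```

Note what the masking does to the report: 203.0.113.17 and 203.0.113.99 collapse into 203.0.113.0, so `approxVisitors` is deliberately coarser than a raw unique-IP count. That loss of precision is the trade you make for not holding an identifier for visitors who never consented to anything; if you need finer visitor counts, that is the moment to ask for consent rather than to widen the logging.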
In the Drupal module, these reports:
Visitors
Visits, trends, visit times, geo-location
Actions
Entry and exit pages, page visits, outlinks and downloads
Referrers
Search engines and keywords (also from the internal Drupal search engine), websites, etc.
Goals
If any.