Am 08/13/2011 12:30 AM, schrieb Rob Weir:
On Fri, Aug 12, 2011 at 5:48 PM, Marcus (OOo)<[email protected]> wrote:
Am 08/12/2011 10:42 PM, schrieb Rob Weir:
On Fri, Aug 12, 2011 at 4:14 PM, Eike Rathke<[email protected]> wrote:
Hi Rob,
On Friday, 2011-08-12 13:29:00 -0400, Rob Weir wrote:
Before taking that step, it's worth asking if the project actually
has a need for web analytics yet. They were included on OO.o site
mainly because Sun was using the data as part of its business
metrics. It's not obvious that the same need exists in AOOo.
I think it is an essential tool to optimizing the web experience for
our visitors. It is part of a feedback loop where we look at the
traffic stats, how our website is actually being used, the
demographics of the visitors, etc., and then iteratively improve the
website to make it more useful.
So first question is: analytics yes or no, which affects also the
Privacy Policy.
On the question of Piwik (open source, used, for example by
LibreOffice) versus Google Analytics, I'm very familiar with Google,
so I could help more there. But I don't have an informed opinion on
the virtues of each. I've never heard of Piwik until today.
The big difference is that with Piwik the data collected stays inhouse
at Apache, whereas with Google it goes to Google that does whatever you
don't know. This again implies that at Apache measures must be taken to
protect the privacy of collected data. The German "Landeszentrum für
Datenschutz Schleswig-Holstein" (center of data protection) has a few
documents about tracking [1], unfortunately only in German, why Google
Analytics doesn't comply with the German data protection law [2] and how
Piwik can be configured to be used in compliance with the law [3].
Does this law matter if the servers are hosted in the US, not in
Germany? (I'm assuming that the Apache servers are in the US).
No, but it not a secret that the protection of private data is, hm, not the
best in the US compared with other. So, why stick with this?
Remember, even if we used Piwik, the data would be in the US. All
user accounts for Apache, all wiki accounts, all mailing lists
subscription data, etc., is in the US. We have a jurisdiction.
So, it's in our hands to protect them and don't have to trust others
(companies).
As you know trying to comply with the laws of every country is nearly
impossible. If we try to do that, then we'll immediately run into
That's not the point. Of course we cannot follow every law as you also
cannot satisfy everybody's favorite feature. But we could go with a law
that has a great protection.
problems, like the status of Taiwan (Chinese Formosa), which has come
up previously:
http://openoffice.org/projects/www/lists/discuss/archive/2003-06/message/38
Could be easily solved when using the term "Chinese (Taiwan)" or better
"Taiwanese". But this doesn't matter here.
Storing the data ourselves is a double-edged sword. If we store it,
then we are responsible for any problems with that data.
I don't think that would be more difficult than what Apache is storing
anyway (mail addresses, user names, passwords). I don't think that we would
be interested in IP addresses, postal addresses, etc.
Any web analytics package is going to track IP address and store a
cookie. That is how it knows what country you are from and whether
you are a new or a returning user.
But there is a difference if you track and analyze the IP address (e.g.,
via a GeoIP library) but store only the country or if you store the
whole IP address. ;-)
I agree that it is not much more difficult. If we use Google, then we
need to secure and control access to the login for Google Analytics.
If we use Piwik then we need to control access there. And if we just
use web logs and run reports on those, then we need to control access
to the raw http logs.
Yes, so we should discuss this in more details and should really decide
on concensus.
For any of these options, we'll have some information that we need to
keep secure. The PPMC has the ability to do this, via a private area
in SVN.
The main part would be to know the user's browser data (OS, language,
browser app and version). For me no special data that should get special
treated.
Google states what they can do with the data, but it is rather broad,
as you know.
When you are really concerned about protection of private data, then you
wouldn't use Google Analytics. ;-)
Or you would disable cookies and Javascript from your browser, right?
Maybe. But I doubt that it would give you a real protection against
analytics methods.
Actually, that is a great goal for this project: We should try to
make sure that our website, downloads, etc., all work, even if
Javascript and cookies are disabled. This is a good thing for
accessibility as well.
That's what we've already done on the old project.
[1] https://www.datenschutzzentrum.de/tracking/
[2]
https://www.datenschutzzentrum.de/tracking/20090123_GA_stellungnahme.pdf
[3] https://www.datenschutzzentrum.de/tracking/piwik/
Eike
Marcus
Marcus
