offen/website
2
0
Fork 0
mirror of https://github.com/offen/website.git synced 2024-10-18 12:10:25 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #202 from offen/consent-article

Browse Source 
Consent article
This commit is contained in:
Hendrik Niefeld 2022-06-16 14:42:46 +02:00 committed by GitHub
commit 2e218ca930
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 169 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
homepage/content/articles/0100-matomo.md
View File

@ -27,7 +27,7 @@ On the technical side, the following issues are particularly apparent. Installin
### Operators and users as equal parties
To address the above mentioned issues we develop a fair, self hosted and lightweigt web analytics tool that treats operators and users as equal parties. It is called Offen and is [available as a production ready version.](https://www.offen.dev/get-started/)
To address the above mentioned issues we develop a fair, self hosted and lightweigt web analytics tool that treats operators and users as equal parties. It is called Offen and is [available as a production ready version.](/get-started/)
*Offen's default is to NOT collect any data.* Usage data is collected after opt-in only. If users choose to opt in, they have full access to their data. They can delete it any time or opt out completly.
@ -50,7 +50,7 @@ Our strict focus on data protection also means that there are some Matomo featur
We hope this overview helps you to get a better insight into the topic of fair web analytics. If you are passionate about ethical software and want *a truly lightweight and privacy focused alternative to Matomo* you should give Offen a try. Why not let both run parallel for a while and then see how it feels? We are looking forward to your [feedback.](mailto:hioffen@posteo.de)
Find further information in our [explainer](https://www.offen.dev/#bg-explainer), test it on your system or get everything you need to use Offen in production.
Find further information in our [explainer](/#bg-explainer), test it on your system or get everything you need to use Offen in production.
<div class="flex flex-wrap justify-center mt4 mb6">
<div class="w-100 w-40-ns mh0 mb3 mb0-ns mr3-ns">

6
homepage/content/articles/0120-opt-in-quality.md
View File

@ -13,13 +13,13 @@ bottom_cta: matomo
### Fair web analytics
A key feature of our fair and open web analytics tool [Offen](https://www.offen.dev/get-started/) is that data will only be collected after website users have opted in. This is absolutely necessary for a fair data transfer, but also comes with another, not so obvious implication.
A key feature of our fair and open web analytics tool [Offen](/get-started/) is that data will only be collected after website users have opted in. This is absolutely necessary for a fair data transfer, but also comes with another, not so obvious implication.
Collecting data only with *user consent has a significant impact on the quality of analytics* insights, especially for operators of smaller websites.
### Analyzing our own turf
Our own homepage [offen.dev](https://www.offen.dev/), on which of course an Offen instance is installed, can be described as rather small. It currently has an average of 280 unique users after opt-in and 660 verified page views per month.
Our own homepage [offen.dev](/), on which of course an Offen instance is installed, can be described as rather small. It currently has an average of 280 unique users after opt-in and 660 verified page views per month.
We estimate our opt-in rate, meaning the percentage of website users who agree to the data collection, to be about 40%. This figure is a subjective estimate and derived solely from the personal feedback of a relatively small group of test users.
@ -75,4 +75,4 @@ This is why the use of all available data is not the way to do better web analyt
If you are looking for a self hosted as well as lightweight alternative to common web analytics tools and want to optimize your website for quality you should give Offen a try. Why not let it run parallel to your current tool for a while and then see how it feels? We are looking forward to your feedback.
Give it a spin with our [demo](https://www.offen.dev/try-demo/) or directly head to our [get started](https://www.offen.dev/get-started/) section.
Give it a spin with our [demo](/try-demo/) or directly head to our [get started](/get-started/) section.

2
homepage/content/articles/0140-privacy-cookies.md
View File

@ -37,7 +37,7 @@ In case your conclusion is that you do need to collect the data, don't be afraid
Regulations around data protection and collection often distinguish essential and non-essential features, and this makes a lot of sense. If a user can log in to your service and you have to store a session identifier in a cookie to enable this, it is perfectly fine to do so without consent. Having to provide credentials over and over again for every request made against your server would render your service unusable, hence it is an essential feature.
Non-essential features are usually revolving around performance and analytics. Collecting analytics data for a website definitely is not required for the user to use your service. This means it is non-essential usage and you should be asking for consent before doing so. Regulations around this topic only cover cookies, but taking privacy seriously, you would apply this principle to all techniques. On a side note, [quantity does not necessarily mean quality in web analytics](https://www.offen.dev/blog/opt-in-quality/).
Non-essential features are usually revolving around performance and analytics. Collecting analytics data for a website definitely is not required for the user to use your service. This means it is non-essential usage and you should be asking for consent before doing so. Regulations around this topic only cover cookies, but taking privacy seriously, you would apply this principle to all techniques. On a side note, [quantity does not necessarily mean quality in web analytics](/blog/opt-in-quality/).
Most importantly, both essential and non-essential segments require making sure their technical implementation is secure and respects user privacy as much as possible.

4
homepage/content/articles/0180-analyticstxt.md
View File

@ -15,7 +15,7 @@ The variety of data protection regulations and the range of methods used to coll
### Learning from building Offen
We recently drafted a standards proposal that allows websites and services to disclose information about their use of analytics software and user tracking. As this is related to our work on [Offen](https://www.offen.dev/), we wanted to provide some insight here into our motives, implementation and state of affairs on this matter.
We recently drafted a standards proposal that allows websites and services to disclose information about their use of analytics software and user tracking. As this is related to our work on [Offen](/), we wanted to provide some insight here into our motives, implementation and state of affairs on this matter.
Offen is a fair web analytics software that treats operators and users as equal parties. Operators can self-host Offen and gain insights about how users interact with their services while ensuring that users remain in full control over their data.
@ -27,7 +27,7 @@ In the course of the development of our software, we came across a fundamental p
### What today's web lacks
Sure, terms like "data protection", "privacy-focused" or "privacy-friendly" are widespread and appear reliably in consent banners and privacy statements of of websites and services. But what do they actually [stand for?](https://www.offen.dev/blog/privacy-friendly-and-fair-web/)
Sure, terms like "data protection", "privacy-focused" or "privacy-friendly" are widespread and appear reliably in consent banners and privacy statements of of websites and services. But what do they actually [stand for?](/blog/privacy-friendly-and-fair-web/)
In many cases, users still don't know what data is being collected and how it is being used. This leaves them confused about their situation and does not help to reduce the underlying mistrust towards operators and the web in general.

4
homepage/content/articles/0210-offen-protocol.md
View File

@ -9,7 +9,7 @@ author: Frederik Ring
must_read: True
bottom_cta: cookie
# Say Hi to the Offen Protocol
# Introducing the Offen Protocol
The most unique feature Offen has to offer is the ability of users to discover their data and manage it in a "self-service" fashion. This might seem like a highly unique feature at first glance, it's also a requirement mandated by GDPR for everyone that collects data. The “rights of the data subject” are defined as:
@ -55,7 +55,7 @@ The Offen Protocol is designed to be used in a server/client setup where both th
The Offen Protocol explicitly does not prescribe anything about what kind of data is being shared between clients and the server and how the server models and stores the data itself. The only hard requirement is the use of a user identifier that is handled using HTTP cookies. This also means the protocol is not a good fit when the client is not a browser.
Using cookies might sound invasive at first sight, yet if you evaluate the options on the table without any bias, it is [the most privacy friendly, secure and robust option](https://www.offen.dev/blog/privacy-cookies/) there is. Collection of usage data requires the user to consent in any case, so to us, there is no reason not to use this approach.
Using cookies might sound invasive at first sight, yet if you evaluate the options on the table without any bias, it is [the most privacy friendly, secure and robust option](/blog/privacy-cookies/) there is. Collection of usage data requires the user to consent in any case, so to us, there is no reason not to use this approach.
### The specification

135
homepage/content/articles/0230-consent-tool.md Normal file
View File

@ -0,0 +1,135 @@
title: Say hi to the Offen Consent Tool
description: A lightweight solution for managing user consent on websites.
date: 2022-06-16
slug: consent-tool
url: /blog/consent-tool/
sitemap_priority: 0.7
image_url: /theme/images/offen-blog-230-consent-tool.jpg
author: Hendrik Niefeld
must_read: True
bottom_cta: protocol
# Say hi to the Offen Consent Tool
This article is about our new Offen Consent Tool *[Fast forward to the details here.](#consent-tool)*
---
### Whats wrong with consent?
“Cookie banners are just a pain in the ass.” or "Why are there so many buttons? I just dont care.” - that's what you hear when a conversation revolves around today's web experience.
But if we consider solely the situation within the EU, the scenario is actually quite simple. GDPR states that data processing, any compelling reasons aside, is only legal if consent is freely given, specific, informed and unambiguous. However, the fact that this implies a real choice by the data subject is often where the problems start.
The very fact that consent requests are often described as “cookie banners” is the first major misconception here. Relevant requests to invade the privacy of users are thereby framed as useless information about the use of certain technical specifications. This is all the more disappointing as cookies can actually be [quite useful for protecting privacy.](/blog/privacy-cookies/)
it is usually not the consent request that is annoying but the fact that so many operators do not accept a possible “no” from the user. A whole arsenal of dark patterns and UX gimmicks is employed to willfully circumvent the actual intention of the GDPR, the informed decision of the user, and force a "yes". So it's not surprising that so-called "consent management tools" have become established, which suggest to be able to increase the rate of user consent.
Lucky are those who have found a way to completely avoid consent requests. But unfortunately, all too often, data collection is not abandoned here, but only some technical loophole is exploited that lies in some grey area of jurisdiction.
### Our take
As we develop a [fair and lightweight web analytics software](/) that treats operators and users as equal parties our attitude to the issue of consent is clear: Consent is a must. Absolutely. We need the user's consent for anything that may contribute to their identification.
We are committed to privacy and the rights of users, but we also support the legitimate interest of operators to improve their services. Requesting consent is, in our opinion, the only way to mediate meaningfully between these two aspects. And as a side effect, the [quality of the collected data is significantly improved.](/blog/opt-in-quality/)
> *Nevertheless, the simplest option is all too often ignored: Do you really need all this?*
We believe that a large part of the operators collect data even though they have neither time nor sufficient experience to evaluate it for any real benefit. Similar questions arise when using other third-party services. Why, for example, not integrate fonts yourself into a website with little effort?
Not at least this is due to the fact that many developers of SaaS tools are still not willing to support the operators in properly implementing the applicable laws. They are hesitant about an important principle when it comes to consent. Accept a "no" as much as a "yes”.
<div id="consent-tool"></div>
This leads to another essential question of principle that is asked far too rarely. Does a service “make no sense” if some of the users want to remain anonymous? Then maybe there is something wrong with it in the first place…
### The Offen Consent Tool
Having outlined the reasons for a consistent implementation of consent, lets consider the technical aspects. Many elements that are implemented on web services today provide no or at best inconvenient solutions. For operators of small and medium-sized services it is very tedious to integrate these different consent requests correctly.
Your analytics tool thinks it doesn't need a consent request? There are tweets embedded in your blog articles? Whats with that TikTok you want to share with your readers? The nice font featured on your page, is it provided by a third party? How do you collect consent for all of this?
Well, we have developed a tool for these needs. Say hello and give it a try. We used it to conditionally embed the following Tweet.
<div class="consent-container w-100 flex justify-center mt3">
</div>
<div class="tweet-container mb4">
</div>
<script src="https://consent.offen.dev/client.js"></script>
<script>
const client = new window.ConsentClient({
host: document.querySelector('.consent-container'),
ui: {
styles: {
position: 'relative'
}
}
})
client.acquire('twitter')
.then(function (result) {
if (result && result.decisions && result.decisions.twitter) {
const blockquote = document.createElement('div')
blockquote.innerHTML = '<blockquote class="twitter-tweet"><a href="https://twitter.com/hioffen/status/1510854517092491270?ref_src=twsrc%5Etfw"></a></blockquote>'
document.querySelector('.tweet-container').appendChild(blockquote)
const script = document.createElement('script')
script.src = 'https://platform.twitter.com/widgets.js'
document.querySelector('.tweet-container').appendChild(script)
}
})
.catch(function (err) {
console.error(err)
})
</script>
The *Offen Consent Tool* keeps your data footprint small by never storing data about consent decisions on your end. As a lightweight solution for managing user consent on websites, it focuses on these objectives:
- No server side persistence of consent decisions
- No need to assign user identifiers or similar, meaning no additional tracking vectors
- Consent decisions are secured from interference of 3rd party scripts
- Users can revoke their consent decisions and any traces at any time by clearing their cookies or using the provided UI
- Operators can customize the UI elements in use to match their design
Installation requires you to be able to configure deploy a simple web server to a dedicated domain. Linux binaries and a Docker image are provided, or you can build the server for any other platform. However, it is not a solution to the requirements of GDPR. Operators must comply with the applicable regulations themselves.
### Get started today
The *Offen Consent Tool* is using 1st Party Cookies to store user's consent decisions. To enable this mechanism, you need to deploy the respective server to a sibling domain, i.e. if you plan to use the tool on `www.example.com`, it should be served on a domain like `consent.example.com`. The tool can serve any number of domains at once, so it's possible to use the same deployment for multiple domains at once.
Next deploy the application to a domain like `consent.example.com`. On the host site `www.example.com` embed the client script:
```jsx
<script src="[https://consent.example.com/client.js](https://consent.example.com/client.js)">
```
which exposed `window.ConsentClient`. In your client side code, construct a new client instance pointing at your deployment and request user consent for the desired scope(s):
```jsx
const client = new window.ConsentClient({ url: '[https://consent.example.com](https://consent.example.com/)' })
client
.acquire('analytics', 'marketing')
.then((decisions) => {
if (decisions.analytics) {
// load analytics data
}
if (decisions.marketing) {
// trigger marketing tools
}
})
```
##### The *Offen Consent Tool* further allows you to create the binary yourself and provides a development setup. It can also be used as a library and be integrated into any web server written in Golang.
[Learn more](https://github.com/offen/consent){: data-button="full"}
##### Read the Docs for further assistance with installation and use.
[Open Docs](https://github.com/offen/consent/blob/main/MANUAL.md){: data-button="outline"}
### Please let us know
This is our latest development in [a series of privacy-friendly tools](/about/) designed to make the web a better place.
If you have any feedback, comments or bug reports about this or other project, we would love to hear from you. Open an [issue](https://github.com/offen/consent/issues) or send us an email at [hioffen@posteo.de](mailto:hioffen@posteo.de).

37
homepage/content/pages/about.md
View File

@ -6,6 +6,27 @@ sitemap_priority: 0.3
# About
Hi, we are [Frederik Ring](https://www.frederikring.com/) and [Hendrik Niefeld.](http://niefeld.com/) We want to make the web a better place. Here are a few tools we have developed that may help with this.
#### *[Offen Web Analytics](/#bg-explainer)*
The fair web analytics tool. Let your users access their data and gain valuable insights at the same time. Open source, lightweight, self hosted and free. [Learn more.](/#bg-explainer)
#### *[analytics.txts](https://www.analyticstxt.org/)*
A proposed standard which allows websites and services to disclose information about their usage of analytics software and user tracking. [Learn more.](https://www.analyticstxt.org/)
#### *[Offen Protocol](/blog/offen-protocol/)*
A specification for the discoverable exchange of data over a single HTTP endpoint. [Learn more.](/blog/offen-protocol/)
#### *[Offen Consent Tool](/blog/consent-tool/)*
A lightweight solution for managing user consent on websites. [Learn more.](/blog/consent-tool/)
---
### What is this thing called "my data" and why does seemingly everyone want to get hold of it?
It has a ring, gives a slight spine-chilling sensation and generates a whole lot of clicks: consumer magazines like German "Computer Bild" caution about ["Google espionage"](https://www.computerbild.de/artikel/cb-Ratgeber-Kurse-Wissen-Was-weiss-Google-ueber-Sie-2799009.html) just like the internet has countless tutorials on turning off numerous ["data leeches"](https://praxistipps.chip.de/datenkrake-windows-10-so-schalten-sie-auffaellige-funktionen-ab_99652). Interestingly, diving into these realms will have you accidentally catching the next toolbar, malware infection or [even worse](https://blog.malwarebytes.com/cybercrime/2012/10/pick-a-download-any-download/).
@ -24,8 +45,6 @@ As a regular user of the internet, are you really being spied upon? *What exactl
We would like to turn the tables on this much quoted statement and apply it to the operators of services and websites instead of their users. The analytics software Offen *transparently and uncompromisingly discloses what data is being collected and what it is being used for* to the users.
---
### For users
Visiting a website or using a web application that utilizes Offen, the user gains access to and ownership of the usage data collected. As a guiding principle, data collection is Opt-In only. Consent can be revoked at any time, just like users can choose delete their data retroactively. The cookie used by Offen allows viewing all of the associated metrics so that users can *assert themselves what is being collected and what isn't*. Data is being displayed in an accessible and articulate manner and each metric comes with explanations about its usage, relevance and possible privacy implications.
@ -48,9 +67,9 @@ We want to exemplify that it is time to depart the age of ["data capitalism"](ht
<img class="smaller-image mt2" alt="Detour" src="/theme/images/gfx-deepdive-C.png"/>
</div>
### Offen as a technology
### Technology
At runtime, Offen is just mediating exchange between users and operators. Usage data is collected in conformance to GDPR and with the concept of ["Datensparsamkeit"](https://martinfowler.com/bliki/Datensparsamkeit.html) in mind. All user data is encrypted in the browser so that it can only ever be accessed by the users themselves or the matching operator. While being collected in the context of a website or application, neither operators nor third party scripts have any possibility to access the usage data. Offen itself doesn't have any way of decrypting, processing or even selling the gathered data at any point.
At runtime, Offen Web Analytics is just mediating exchange between users and operators. Usage data is collected in conformance to GDPR and with the concept of ["Datensparsamkeit"](https://martinfowler.com/bliki/Datensparsamkeit.html) in mind. All user data is encrypted in the browser so that it can only ever be accessed by the users themselves or the matching operator. While being collected in the context of a website or application, neither operators nor third party scripts have any possibility to access the usage data. Offen itself doesn't have any way of decrypting, processing or even selling the gathered data at any point.
The software itself, as well as *all the used tools are open source*, [project planning and technical specification](https://github.com/offen/offen) take place in the open and actively solicit feedback from the general public.
@ -62,20 +81,10 @@ Users and operators are given intuitive and accessibility-focused tools for anal
Developing and running Offen can only work out when it is entirely *free of any kind of economic constraints or goals* and its only objective is *contributing to the common good*. Development of a prototype is reliant on public grants or similar funding sources. Long term development and maintenance of the software is tied to resources granted by foundations or being donated by the public.
### Status Quo
Offen is created by [Frederik Ring](https://www.frederikring.com/) and [Hendrik Niefeld](http://niefeld.com/) and is currently being conceptually designed and in active development, both as a product as well as as a software.
[![NLnet Foundation](/theme/images/nlnet-logo.svg){:width="160px" height="60px" class="mt4"}](https://nlnet.nl/)
We are happy to work with [NLnet Foundation,](https://nlnet.nl/) which actively supports our efforts as part of its [Next Generation Internet](https://nlnet.nl/NGI/) initiative.
### Beyond Offen
Taking Offen as a reference point, we are proposing a standard named [analytics.txt](https://www.analyticstxt.org/) that allows websites and services to disclose information about their use of analytics software and user tracking.
Furthermore, we have outlined a new [protocol](https://offen.github.io/protocol/) that supports the discoverable exchange of data over a single HTTP endpoint.
### Contact
*Feel free to contact us with any kind of feedback.* From criticism and praise to contributions or support, everything is welcome. Get in touch.

BIN
homepage/theme/static/images/offen-blog-230-consent-tool.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 526 KiB

2
homepage/theme/templates/base.html
View File

@ -6,7 +6,7 @@
{% block title %}{{ title }}{% endblock %}
</title>
<meta charset="UTF-8">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' *.offen.dev; frame-src 'self' *.offen.dev; style-src 'self' 'unsafe-inline'">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self' 'unsafe-inline' *.offen.dev platform.twitter.com; frame-src 'self' *.offen.dev platform.twitter.com; style-src 'self' 'unsafe-inline'">
<meta name="referrer" content="origin">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=5">