https://www.ripe.net/ inappropriate javascript
https://www.ripe.net/ wants to load commercial javascript tracking ware from doubleclick.net and googletagmanager. is this necessary and appropriate? randy
On 02/05/2019 21:30, Randy Bush wrote:
https://www.ripe.net/ wants to load commercial javascript tracking ware from doubleclick.net and googletagmanager. is this necessary and appropriate?
My personal *opinion*: likely not and definitely not. However unless more people ask this question at least as politely as you do, nothing is likely to change. Daniel
I do agree with Randy that this seems wrong, I would prefer to not have any third-party tracking scripts on ripe.net.
- Cynthia
On Thu, May 2, 2019 at 9:57 PM Daniel Karrenberg <dfk@ripe.net> wrote:
On 02/05/2019 21:30, Randy Bush wrote:
https://www.ripe.net/ wants to load commercial javascript tracking ware from doubleclick.net and googletagmanager. is this necessary and appropriate?
My personal *opinion*: likely not and definitely not.
However unless more people ask this question at least as politely as you do, nothing is likely to change.
Daniel
On 2 May 2019, at 21:01, Cynthia Revström <me@cynthia.re> wrote:
I would prefer to not have any third-party tracking scripts on ripe.net.
+10000. The NCC should not be entertaining any form of spyware. Ever. I’m astounded that it’s even necessary to state such a fundamental truth. If we’ve reached the point where this has to get written down, something has gone badly wrong.
I would prefer to not have any third-party tracking scripts on ripe.net. +10000. The NCC should not be entertaining any form of spyware. Ever. I’m astounded that it’s even necessary to state such a fundamental truth. If we’ve reached the point where this has to get written down, something has gone badly wrong.
i am curious what technical and management decision processes which allowed this to happen. something broke. randy
On 03/05/2019 00:31, Randy Bush wrote:
I would prefer to not have any third-party tracking scripts on ripe.net. +10000. The NCC should not be entertaining any form of spyware. Ever. I’m astounded that it’s even necessary to state such a fundamental truth. If we’ve reached the point where this has to get written down, something has gone badly wrong.
i am curious what technical and management decision processes which allowed this to happen. something broke.
With my EB hat on, but at a jaunty angle. I'm inclined to think that this is accidental... cockup rather than conspiracy. It certainly didn't come near the EB, but then I wouldn't expect it to; we don't micromanage to this extent. Having said that, the discussion so far has been polite, and it's best to keep it that way. I think the displeasure has been noted. Nigel
i am curious what technical and management decision processes which allowed this to happen. something broke.
I'm inclined to think that this is accidental... cockup rather than conspiracy.
i did not mean in any way to imply conspiracy, and am a bit unhappy that you and nick seem to think i did. what i meant was that there was a decision process or weak auditing or the like. if so, that process could/should be repaired. randy
On 03/05/2019 13:05, Randy Bush wrote:
i am curious what technical and management decision processes which allowed this to happen. something broke.
I'm inclined to think that this is accidental... cockup rather than conspiracy.
i did not mean in any way to imply conspiracy, and am a bit unhappy that you and nick seem to think i did.
I was using the term in the usual way ie it was not intended (cockup), or it was intended (conspiracy). Not a literal conspiracy.
what i meant was that there was a decision process or weak auditing or the like. if so, that process could/should be repaired.
Indeed, my feeling entirely. Nigel
On 03/05/2019 15:50, Nigel Titley wrote:
On 03/05/2019 13:05, Randy Bush wrote:
i am curious what technical and management decision processes which allowed this to happen. something broke.
I'm inclined to think that this is accidental... cockup rather than conspiracy.
i did not mean in any way to imply conspiracy, and am a bit unhappy that you and nick seem to think i did.
I was using the term in the usual way ie it was not intended (cockup), or it was intended (conspiracy). Not a literal conspiracy.
And Mirjam has just confirmed it was cockup Nigel
On 3 May 2019, at 15:50, Nigel Titley <nigel@titley.com> wrote:
I was using the term in the usual way ie it was not intended (cockup), or it was intended (conspiracy).
Will the diversity police allow us to use terms like “cockup” these days? :-)
Randy Bush wrote on 03/05/2019 00:31:
i am curious what technical and management decision processes which allowed this to happen. something broke.
unless the ripe ncc has a hitherto unknown evil conspiratorial agenda, I'd assume this happened for the usual reasons: third party trackers allow incredibly detailed and useful telemetry information to be collected about the performance and usage characteristics of a web site, which provides invaluable feedback to the dev and mgmt team, and without which it would be really hard for them to do their jobs.

The downside is that all externally-hosted trackers do exactly that: they track, and then correlate individual usage profiles across different web sites to build up profile information about individual users. And they provide no easy way of removing this information from their DBs, nor do they provide a consistent way of declining to contribute to this data pool.

In relation to the GDPR, the CJEU is in the process of trying to figure out where the privacy responsibilities lie in Case C‑40/17 - Fashion ID vs Verbraucherzentrale NRW. Advocate General Bobek has made a non-binding suggestion to the court that this responsibility be shared between the web site and the third party tracker site, but no formal ruling has been made so far; nor is it clear what the practical implications would be for either party.

It would be interesting to see what the consequences would be of requesting GDPR requests in the context of this judgement. How would the RIPE NCC handle a request from Jo Bloggs who wanted all her tracking data deleted and who wanted to opt out in future? How would the tracker IDs be identified in a way which was comprehensible to the average user? Did she provide informed consent in the first place, or does a footer notification at the bottom of the site constitute informed consent that she was ok about being tracked from the RIPE NCC to her favourite political web site, then to a civil rights site, then to an online store, then to a religious advocacy site before settling on her favourite online news sources? - at which point the tracker operator has gleaned more information about her than she probably knew herself.

The RIPE NCC can't fix this issue, but it would be a good starting point to note that the use of trackers raises deeply uncomfortable questions about online privacy, with no clear answers.

Nick
On 3 May 2019, at 11:47, Nick Hilliard (INEX) <nick@inex.ie> wrote:
third party trackers allow incredibly detailed and useful telemetry information to be collected about the performance and usage characteristics of a web site, which provides invaluable feedback to the dev and mgmt team, and without which it would be really hard for them to do their jobs.
That may well be true for the oxygen thieves from planet marketing. However I fail to see how any of this guff is remotely relevant to the NCC, the people who oversee after our web site(s) or the broader RIPE community. If someone at the NCC needs to use spyware to do their job, they’re probably in the wrong job. There are plenty of openings at other places of business for people who want to sell adverts or analyse tracking data.
Jim, I'm not sure if you've worked doing web development, but I agree with Nick that you can get a lot of performance data from these services (not just tracking or marketing) which is incredibly useful. People visit websites with all sorts of combinations of browsers, OS'es, and extensions -- and no matter how good of a test system you have, you'll never be able to accurately predict each combination and weird side effects will happen.
On Sat, May 4, 2019 at 6:08 AM Jim Reid <jim@rfc1035.com> wrote:
On 3 May 2019, at 11:47, Nick Hilliard (INEX) <nick@inex.ie> wrote:
third party trackers allow incredibly detailed and useful telemetry information to be collected about the performance and usage characteristics of a web site, which provides invaluable feedback to the dev and mgmt team, and without which it would be really hard for them to do their jobs.
That may well be true for the oxygen thieves from planet marketing. However I fail to see how any of this guff is remotely relevant to the NCC, the people who oversee after our web site(s) or the broader RIPE community.
If someone at the NCC needs to use spyware to do their job, they’re probably in the wrong job. There are plenty of openings at other places of business for people who want to sell adverts or analyse tracking data.
to be constructive, from a message sent privately to mirjam explaining
what i meant by auditing:
o the ncc web infrastructure incorporates elements from non-ncc sites
o as we learned from the youtube incident, those sites can deliver undesirable javascript
o if we audit manually today, we can assert we're clean today
o but one or more of the incorporated contents could change tomorrow and include undesirable javascript
o ncc softeng could write code to traverse the site regularly to audit for new javascript
if i developed web sites, i would like such a tool randy
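A minimal sketch of the audit described in the message above, as an added example that is not part of the original thread and not RIPE NCC code: it lists the hosts a page loads `<script>` and `<iframe>` content from, drops first-party hosts, and reports anything absent from the last clean audit. The sample markup, the `VIDEO_ID` and `GTM-PLACEHOLDER` values, and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose src pulls in active content. <iframe> is included because the
# framed site decides which scripts run inside it (the YouTube embed case).
ACTIVE_TAGS = {"script", "iframe"}


class ActiveContentParser(HTMLParser):
    """Collect absolute src URLs of <script> and <iframe> elements."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []  # list of (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ACTIVE_TAGS and src:
            # urljoin resolves relative and protocol-relative (//host/..) URLs
            self.found.append((tag, urljoin(self.page_url, src)))


def is_first_party(host, first_party):
    """True if host equals, or is a subdomain of, a first-party domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in first_party)


def audit_page(page_url, html, first_party):
    """Return the set of (tag, host) pairs loaded from outside first_party."""
    parser = ActiveContentParser(page_url)
    parser.feed(html)
    external = set()
    for tag, url in parser.found:
        host = urlparse(url).hostname
        if host and not is_first_party(host, first_party):
            external.add((tag, host))
    return external


def new_since_baseline(current, baseline):
    """Entries present now that were absent from the last clean audit."""
    return sorted(current - baseline)


# Constructed sample pages (not real ripe.net markup).
BASELINE_HTML = """
<script src="/js/site.js"></script>
<script src="https://www-analytics.ripe.net/piwik.js"></script>
"""
TODAY_HTML = BASELINE_HTML + """
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
<script async src="//www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
"""

if __name__ == "__main__":
    first_party = {"ripe.net"}
    url = "https://www.ripe.net/"
    baseline = audit_page(url, BASELINE_HTML, first_party)
    today = audit_page(url, TODAY_HTML, first_party)
    for tag, host in new_since_baseline(today, baseline):
        print(f"NEW third-party <{tag}> from {host}")
```

Static parsing only sees what is in the delivered HTML; scripts that a third-party frame or script adds at run time are invisible to it, which is why the frame itself is reported.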
It is quite refreshing that this discussion started quite politely. Let us continue in that way please even or especially if we hold strong opinions Daniel --- Sent from a handheld device.
On 4 May 2019, at 16:39, Leslie <geekgirl@gmail.com> wrote:
Jim, I'm not sure if you've worked doing web development, but I agree with Nick that you can get a lot of performance data from these services (not just tracking or marketing) which is incredibly useful.
AFAICT nobody’s disputing that Leslie. I simply question that gathering and analysing such data is worthwhile or appropriate for RIPE. After all we aren’t in the marketing business or running a social networking site (same thing really).
People visit websites with all sorts of combinations of browsers, OS'es, and extensions -- and no matter how good of a test system you have, you'll never be able to accurately predict each combination and weird side effects will happen.
All the more reason to avoid needless cruft that gets in the way of interoperability. Too many web designers seem to ignore this. It shouldn’t/needn’t be necessary to crunch through a raft of web analytics to learn that either. As my gran used to say, you don’t need to jump into the Clyde to find out if you’re going to get wet.
People visit websites with all sorts of combinations of browsers, OS'es, and extensions -- and no matter how good of a test system you have, you'll never be able to accurately predict each combination and weird side effects will happen. All the more reason to avoid needless cruft that gets in the way of interoperability. Too many web designers seem to ignore this. It shouldn’t/needn’t be necessary to crunch through a raft of web analytics to learn that either. As my gran used to say, you don’t need to jump into the Clyde to find out if you’re going to get wet.
[ probably not really appropriate for this list, but ... ] we should have seen that this was inevitable when we first saw a URL in someone's advert on the side of a bus or lorry. our safe isolated nerd world grew an increasing intersection with the 'normal' world of late stage capitalism. so our organizations, such as ripe, ietf, ... felt the need to have their front facing presence be 'normal' marketing. i am no longer the primary customer, and i am still trying to get over it. i'm happy if it is even possible to find what i need on these sites with less than 42 clicks. so if the webfolk know how to make it easier and faster to get through those 42 clicks without invading my privacy, cool with me. of course, that last bit is, as you point out, not simple. randy
On 5. May 2019, at 17:26, Randy Bush <randy@psg.com> wrote:
... i'm happy if it is even possible to find what i need on these sites with less than 42 clicks. so if the webfolk know how to make it easier and faster to get through those 42 clicks without invading my privacy, cool with me. of course, that last bit is, as you point out, not simple.
It is not complicated either! Not as simple and convenient as the googles of this world make it if one sells one’s visitors’ privacy in exchange for that convenience. But it is certainly possible, just not as convenient and possibly more expensive.

We need to be vigilant for individuals or organizations falling into that trap. And we need to keep educating professionals in our industry to recognize such traps and temptations. Violating the privacy of others is just too easy with the technology we have created. A sound education in professional ethics and constant vigilance is the only effective way to mitigate these risks. This is neither easy nor convenient but the alternatives are bad enough to make it necessary.

So thank you Randy for asking the pertinent questions politely and thank you others who expressed that they care. I am sure the RIPE NCC will fully fix this glitch after already applying a partial fix very quickly.

Enough for Sunday evening.

Daniel (not speaking for the RIPE NCC)
... i'm happy if it is even possible to find what i need on these sites with less than 42 clicks. so if the webfolk know how to make it easier and faster to get through those 42 clicks without invading my privacy, cool with me. of course, that last bit is, as you point out, not simple.
It is not complicated either! Not as simple and convenient as the googles of this world make it if one sells one’s visitors’ privacy in exchange for that convenience.
But it is certainly possible, just not as convenient and possibly more expensive.
i have no expertise in the space. but Christoffer Hansen pointed out https://matomo.org/ randy
Randy Bush wrote on 05/05/2019 23:19:
i have no expertise in the space. but Christoffer Hansen pointed out https://matomo.org/
This is already used on the web site: www-analytics.ripe.net/piwik.php www-analytics.ripe.net/piwik.js Piwik changed name to Matomo in 2018. Nick
On 3 May 2019, at 11:47, Nick Hilliard (INEX) <nick@inex.ie> wrote:
The RIPE NCC can't fix this issue, but it would be a good starting point to note that the use of trackers raises deeply uncomfortable questions about online privacy, with no clear answers.
All the more reason for the NCC to keep well away. Perhaps we do need to have a formal policy on this issue.
https://www.ripe.net/ wants to load commercial javascript tracking ware from doubleclick.net and googletagmanager. is this necessary and appropriate?
My personal *opinion*: likely not and definitely not.
assumed. this is pretty ugly. ianal; but i wonder what gdpr says about the ncc attempting to track me in this way. it is worse than cookies.
However unless more people ask this question at least as politely as you do, nothing is likely to change.
yes. but how do i/we encourage that without being rude? randy
On 02/05/2019 21:30, Randy Bush wrote:
https://www.ripe.net/ wants to load commercial javascript tracking ware from doubleclick.net and googletagmanager.
If ncc sticks with a self-hosted solution (e.g. https://matomo.org). No complaints from me. personally I block the common 3rd-party commercial trackers. christoffer
Hello everyone, On 02/05/2019 21:30, Randy Bush wrote:
https://www.ripe.net/ wants to load commercial javascript tracking ware from doubleclick.net and googletagmanager. is this necessary and appropriate?
Thanks for bringing this to our attention.

The doubleclick.net JavaScript comes from an embedded YouTube video on the ripe.net homepage. We have now replaced this with a locally-hosted version.

This was an oversight on our part, as we hadn't properly considered that these videos would allow third-party JavaScript to be injected. We will conduct an audit of the website to find the best approach for hosting videos.

We use Google Tag Manager to improve the browsing experience on ripe.net. We have a lot of content, and with people using our website for a range of different purposes, it helps us to check that our website layout is fit for purpose.

We are not using this to monitor or track individual users, it is purely to give us insight into how users interact with the website.

Kind Regards,
Mirjam Kühne
Senior Community Builder
RIPE NCC
hi mirjam, thanks for the clue bat.
Thanks for bringing this to our attention.
no extra charge :)
The doubleclick.net JavaScript comes from an embedded YouTube video on the ripe.net homepage.
oooooo. thanks for the warning about embedding youtube (he says as if he was ever going to develop a gl!tzich web site).
This was an oversight on our part, as we hadn't properly considered that these videos would allow third-party JavaScript to be injected. We will conduct an audit of the website to find the best approach for hosting videos.
if you develop a generalized auditing tool, it might be useful to others.
We use Google Tag Manager to improve the browsing experience on ripe.net.
i decided to spend five minutes trying to learn what google tag manager actually was. though i have not actually measured, i suspect it would need at least an hour to get below the marketing fluff. sheesh! but this list is probably not the place to try to educate an old geek on web tools. thanks again for looking into this. randy
On 03/05/2019 14:30, Mirjam Kuehne wrote:
We use Google Tag Manager to improve the browsing experience on ripe.net. We have a lot of content, and with people using our website for a range of different purposes, it helps us to check that our website layout is fit for purpose.
We are not using this to monitor or track individual users, it is purely to give us insight into how users interact with the website.
o https://alternativeto.net/software/google-tag-manager/?platform=self-hosted
o https://piwik.pro/tag-manager/

May I suggest conducting a screening for
- what alternatives can be found to Google Tag Manager, and
- can be self-hosted, and
- still offers the necessary level of functionality needed.

- Christoffer
Mirjam Kuehne wrote on 03/05/2019 13:30:
We use Google Tag Manager to improve the browsing experience on ripe.net. We have a lot of content, and with people using our website for a range of different purposes, it helps us to check that our website layout is fit for purpose.
We are not using this to monitor or track individual users, it is purely to give us insight into how users interact with the website.
Hi Mirjam,

thanks for the update on this. No-one is suggesting that the RIPE NCC is tracking individual users by using Google Tag Manager, but as data controller for the web site, can the ripe ncc confirm what data Google is collecting via this JS module and how it's processed?

CJEU Case C‑673/17 looks like it's heading towards confirming informed opt-in rather than informed opt-out for cookies. The current site configuration has no opt-out. Do you have plans to move this to opt-in for third party cookie collection?

Nick
Hi Mirjam,
Thanks for bringing this to our attention.
The doubleclick.net JavaScript comes from an embedded YouTube video on the ripe.net homepage. We have now replaced this with a locally-hosted version.
Thanks! Sander
On 3 May 2019, at 13:30, Mirjam Kuehne <mir@ripe.net> wrote:
We use Google Tag Manager to improve the browsing experience on ripe.net. We have a lot of content, and with people using our website for a range of different purposes, it helps us to check that our website layout is fit for purpose.
I don’t know what’s worse, the NCC intentionally using spyware or a respected senior member of staff parroting this sort of marketing bullshit.

Was the NCC Services WG ever consulted about the use of things like Google Tag Manager?

“improve the browsing experience” - really? This is not the sort of language I’d ever expect to find at RIPE.

If the community is happy or unhappy with the web site, they are quick to tell the NCC. [See the current thread. QED.] There’s no justification or need to bring in toxic waste like Google Tag Manager* (or whatever) as an intermediary. And no, “everybody else’s web site is doing this” is not a valid excuse.

* Once evils like this worm their way in, they metastasise and become impossible to remove. And more and more of our Personal Data get handed over to our google overlords without proper oversight or control. Nice.
Hi all,

Sorry for the delay, but we've been taking steps to resolve the issue.

As others have pointed out, with the large amount of content available on ripe.net, it's no easy task to make sure users can quickly find the information they need. The redesign we carried out a few years ago helped tackle the issue by improving the navigational structure and functionality, but it was only a first step. Our continuing work here relies on getting a more thorough understanding of how people actually use the website.

In the past, this meant testing small user groups, but our user base soon grew too large and diverse for this to be effective. We then started using Piwik/Matomo to get a clearer picture. Later, we started using Google Analytics, which offered a number of features not available in Piwik at the time.

With that said, we appreciate the concerns that have been raised, and we've taken another look at our approach. With two analytical tools that now deliver pretty much the same insights, we have made the decision to continue with Piwik only. Therefore, we have disabled Google Analytics on all the websites we manage.

The data we collect via Piwik is anonymised (IP addresses are truncated to include only the first three bytes) and hosted internally by us. Alongside this, we will of course continue to follow developments in EU case law and modify our cookie practices accordingly as relevant changes occur.

Kind regards,
Mirjam Kühne
Senior Community Builder
RIPE NCC
thank you for the update, mirjam. this looks pretty sane to me. randy
Mirjam, Thanks for the very clear explanation and historical recap there! Positive feedback; and addressing of initial question; very much appreciated. :) -Christoffer
participants (10)
- Cynthia Revström
- Daniel Karrenberg
- Hansen, Christoffer
- Jim Reid
- Leslie
- Mirjam Kuehne
- Nick Hilliard (INEX)
- Nigel Titley
- Randy Bush
- Sander Steffann