Opened 3 years ago

Closed 3 years ago

Last modified 2 years ago

#2233 closed New feature (fixed)

User Privacy plugin, consolidate privacy protection features

Reported by: matt
Owned by:
Priority: critical
Milestone: 1.x - Piwik 1.x
Component: Plugins Wishlist
Keywords:
Cc:
Sensitive: no

Description

Proposal for a consolidated User Privacy plugin

  • Move AnonymizeIP functionality to this new plugin
  • Allow changing the number of IP bytes to remove in the UI. A radio button allows removing 1, 2 or 3 bytes of the IP.
    • For backward compatibility, if the config setting is found and the UI wasn't used yet (i.e. no setting found in the _option table), then we can use the config file setting. This is similar behavior to "General Settings" options.
    • Currently the IP is cleared just before recording the data in the log table. #2095 proposes that the IP should be cleaned as early as possible in the process, to ensure no other plugin etc. could use the full IP.
  • UI allows enabling "Do not record Referer information". While I personally don't like this recommendation, we could offer it as it was recommended by a German privacy group. When enabled, and the setting is stored in the _option table (and cached in the tmp/cache/tracker/general.php file), the parameters urlref and _ref in the piwik.php GET request will be cleared at the start of the Tracker process, to ensure no plugin or process can use / record the referers.
    • When clicked to enable, the Referers plugin would also be disabled.
  • The Opt out plugin feature would be moved to this plugin as well.
  • These settings/ features would all be available under the new Admin menu called "User privacy"

Change History (14)

comment:1 Changed 3 years ago by peterb (peterbo)

The consolidation of the privacy plugins within the User Privacy plugin is a good solution for consistency in the UI.

Should the cookie lifetime also be editable here or will that remain a tracker method from 1.2 upwards?

I also don't like the referer not being tracked. Web analytics is somehow losing its intended purpose here. I think it will be enough to work on it with low priority.

comment:2 Changed 3 years ago by vipsoft (robocoder)

We can set the third party cookie expiry in the UI. The tracking code generator could use this value.

comment:3 Changed 3 years ago by matt (mattab)

I think we don't have to implement the Referer hiding even, nobody will use it.

The cookie lifetime is a task for the ticket #1845

See also Privacy & Web Analytics

comment:4 Changed 3 years ago by matt (mattab)

  • Priority changed from normal to major

comment:5 Changed 3 years ago by matt (mattab)

See also: customize some specific CSS of opt out frame: #1929

comment:6 Changed 3 years ago by vipsoft (robocoder)

The IP anonymization could also be by netmask or CIDR notation. May offer separate masks for IPv6 vs IPv4.

comment:7 Changed 3 years ago by absynth

I mentioned this on Twitter so I thought I should elaborate a bit more. In IPv6, IP anonymization is not achieved by stripping the last byte of the IP address; anything in the second 64 bits of the address can be device-specific (i.e. used to identify a specific MAC address, see http://www.ietf.org/rfc/rfc3041.txt for problem statement and current solution).

In fact there is currently no definitive way of obtaining this privacy because most ISPs and DSL providers have not announced their rollout plans yet.

It might be sufficient to strip the last 4 tuples of the IP address (i.e. only retain 64 of the 128 bits that an IPv6 address has), but it might even happen that this is not enough. OTOH, stripping all but the first 48 bits is maybe better.

This insecurity is why a configurable netmask/CIDR is probably the best idea for the AnonymizeIP plugin in v6.
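The configurable-mask idea from comments 6 and 7, combined with the description's point about cleaning the request as early as possible, as an added Python example (not Piwik's code). The function names, the `drop_referrer` flag and the default prefix lengths are assumptions made for illustration; only `urlref` and `_ref` come from the ticket.

```python
import ipaddress

# Assumed defaults for this example (not Piwik's settings): remove 1 byte of an
# IPv4 address, keep only the first 48 bits of an IPv6 address.
V4_BYTES_REMOVED = 1
V6_PREFIX = 48


def anonymize_ip(raw_ip, v4_prefix=24, v6_prefix=V6_PREFIX):
    """Zero every bit after the configured prefix length and return the result."""
    ip = ipaddress.ip_address(raw_ip.strip())
    # An IPv4-mapped address (::ffff:a.b.c.d) is an IPv4 client: a /48 would leave
    # all 32 bits of it intact, so mask it with the IPv4 rule instead.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = v4_prefix if ip.version == 4 else v6_prefix
    if not 0 <= prefix <= ip.max_prefixlen:
        raise ValueError(f"prefix /{prefix} is invalid for IPv{ip.version}")
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def bytes_to_v4_prefix(bytes_removed):
    """Map the 'remove 1, 2 or 3 bytes' UI choice to an IPv4 prefix length."""
    if bytes_removed not in (1, 2, 3):
        raise ValueError("bytes_removed must be 1, 2 or 3")
    return 32 - 8 * bytes_removed


def scrub_request(params, remote_ip, bytes_removed=V4_BYTES_REMOVED,
                  v6_prefix=V6_PREFIX, drop_referrer=False):
    """Run first in request handling: return (masked_ip, cleaned copy of params)."""
    clean = dict(params)
    if drop_referrer:
        for key in ("urlref", "_ref"):  # referrer parameters named in the ticket
            clean.pop(key, None)
    masked = anonymize_ip(remote_ip, bytes_to_v4_prefix(bytes_removed), v6_prefix)
    return masked, clean


if __name__ == "__main__":
    # Constructed sample request using documentation address ranges.
    sample = {"idsite": "1", "url": "https://example.org/", "urlref": "https://example.com/"}
    print(scrub_request(sample, "2001:db8:1234:5678:21a:2bff:fe3c:4d5e", drop_referrer=True))
    print(scrub_request(sample, "198.51.100.201", bytes_removed=2))
```

Passing `v6_prefix=64` gives the "retain 64 of the 128 bits" variant from comment 7; downstream code should only ever receive the values returned by `scrub_request`.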

comment:8 Changed 3 years ago by peterb (peterbo)

(In [4856]) PrivacyManager / Delete old statistics from database; Refs #2233, #53, #5

comment:9 Changed 3 years ago by matt (mattab)

  • Resolution set to fixed
  • Status changed from new to closed

(In [4861]) Fixes #2233, Refs #5

  • enable new plugin on upgrade
  • Display message "your changes have been saved"
  • fix link redirect without idSite by using smarty function {url ...}

comment:10 Changed 3 years ago by peterb (peterbo)

(In [4868]) Refs #2233, #53, #5

  • tweaking / optimizing / commenting

comment:11 Changed 3 years ago by matt (mattab)

  • Priority changed from major to critical

comment:12 Changed 3 years ago by JustinClift

For clarification, does this plugin replace the functionality of the DoNotTrack plugin from ticket #2048?

http://dev.piwik.org/trac/ticket/2048

Reading through the ticket info is unclear.

Uncertainty about Piwik compliance with recent DoNotTrack legislation is stopping us from using it on our new Aeolus Project website. Having this clearly understandable for people, i.e. which plugin to use, and is it sufficient, would be really useful. :) (maybe an item in the FAQ?)

comment:13 Changed 3 years ago by vipsoft (robocoder)

Justin: in Piwik 1.5, the Privacy plugin does not replace the DoNotTrack plugin because DoNotTrack is not part of the core distribution; it runs independently, so if you want that functionality, just install the DoNotTrack plugin.

comment:14 Changed 2 years ago by peterb (peterbo)

(In [5772]) Refs #2233, #2095, #2902 - set ip_address_mask_length and ip_address_pre_mask_length on anonymizeIP-plugin activation. Synchronize both variables on PrivacyManager call.
