Today's Deep-Dive: Offen Fair Web Analytics

Web analytics, it's one of those things that, for most people with a website today,

feels

like a necessary evil.

The tools are technical, they're often built to track every single click, and it

just feels

like a pretty unfair and impenetrable business.

It does.

And that's really the core problem we're looking at today.

For anyone who is just sick of the information overload on data privacy and trying

to figure

out how to be compliant without losing all your insights, well, often fair web

analytics

is the subject of our deep dive.

It's a really clear, actionable model for doing this ethically.

And that's our mission today, to unpack often for you, especially if you're a

beginner.

We want to look at its key features, the tech behind it, like encryption and self-hosting,

and really get into this mindset shift.

It is a big shift.

Treating the user as an equal party in the conversation, not just a data point.

Right.

The vision here is, well, kind of revolutionary.

It lets you, the operator, get valuable insights, unique sessions, top pages, that

kind of thing.

Well, your users can actually see and control their own data.

And the sources describe it as open, lightweight, self-hosted, and free.

Permanently free, which is a big deal.

And before we jump right into all that, we want to thank Safe Server for supporting

this

deep dive.

Safe Server focuses on hosting software and supporting your digital transformation.

So for tools just like this one ethical self-hosted tools, they provide the

infrastructure.

To learn more, just head over to www.safeserver.de.

That's www.safeserver.de.

Okay, so let's start with section one, the core philosophy of fair analytics.

For a beginner, what does fair actually mean here?

Often really stands on three pillars.

The first is that it's secure and free.

The code is open source, so anyone can check it, and they promise it will always be

free

to use.

And that leads right into the second pillar, which is self-hosted.

I think this is where it gets really interesting for anyone dealing with, say, GDPR.

Absolutely.

Self-hosting is fundamental.

I mean, you own the data.

You control the whole relationship.

So let's pause on that, because self-hosting is really the key to transparency here,

isn't

it?

What does it actually stop from happening?

It stops third-party data leakage.

It stops data brokerage.

By self-hosting, you're guaranteeing zero ads, zero outside data companies, and the

system

exclusively uses something called first-party cookies.

Right.

We hear cookies all the time.

Can you just quickly break down the difference?

First-party versus the third-party ones that cause all the privacy headaches?

Yeah, for sure.

A first-party cookie is just set by the website you're on, and it's for basic

functions, like

remembering your login or, in often's case, if you've agreed to analytics.

Okay.

Third-party cookies are set by totally different domains that are embedded on the

site.

Those are the ones ad networks use to follow you around the internet.

I see.

So often, sticking to first-party cookies really limits the tracking just to your

own

site.

Exactly.

And that brings us to the third pillar, which is maybe the most radical, fair and

undrilled,

by choice.

The opt-in requirement.

Strictly opt-in only.

A user has to actively say yes, and if they don't, the sources are really clear on

this.

They will never leave a trace.

Wow.

So no session data, no fingerprinting, not even a tracking script is loaded.

That feels like it would cause a massive drop-off in data compared to, you know,

the opt-out

by default model.

As an operator, this changes my job, right?

I'm not just installing software.

You're entering into a trust contract with the user.

That's a perfect way to put it.

The operator's responsibility really shifts.

The sources list four key tasks.

Okay.

What are they?

First, you have to self-host it and protect that data.

Second, you integrate the code snippet.

Third, and this is the fairness part, you have to make your users aware that they

can

access their data.

So it's a built-in obligation.

And the fourth?

You use the fair, transparent insights you get to actually improve your services.

Yeah.

It becomes this ethical feedback loop.

I like that.

Okay.

Let's move into section two and look under the hood.

How does often keep things secure while still giving you useful stats?

It starts with data minimization, right?

Right.

It's core to the design.

The whole goal is to collect the absolute minimum amount of data you need for

meaningful

stats.

So what are some of the things that specifically avoids collecting?

The source material is very explicit here.

It does not look at or collect IP addresses at all.

Okay.

And it doesn't look at user agent strings.

Which are?

They're little bits of text your browser sends out that can reveal a lot about your

operating

system, your browser version, your device.

It's a way to fingerprint you.

I see.

And ignoring those, it basically eliminates that possibility.

Totally.

But if they're minimizing so much, how do I know the data's secure once it's on my

server?

Doesn't self-hosting just mean I'm the one responsible for a data breach?

That is where the technical brilliance of end-to-end encryption, or E2E, comes in.

Okay.

Think of it like this.

When a user opts in, their browser, the client, encrypts the usage data.

It locks it in a digital safe before it ever leaves their computer.

So the data arrives at my server, but it's in a locked safe.

Do I have the key?

No.

And that is the critical point.

Your server, the thing storing the data, cannot decrypt it.

It has no idea what's inside.

It's just storing scrambled text.

That's incredible.

So it really addresses that fear of an accidental data leak.

If my server gets compromised, the attacker just gets a bunch of useless encrypted

data.

Exactly.

It makes those leaks harmless.

So if we're only collecting this minimal encrypted data, what kind of insights do I

actually

get as an operator?

I still need to know where my traffic is coming from.

Oh, yeah.

You get all the essentials you need to improve your service.

You can still filter your data by URL, location, refer, landing pages, and exit

pages.

And what about things like marketing campaigns?

You can also filter by UTM parameters.

Can you explain those quickly?

They're just tags you add to the end of a URL.

So if you send out a newsletter, a UTM tag can tell you a click came from your

summer

2024 newsletter instead of just a generic source.

It's vital for measuring what's working.

Got it.

And how long does this data stick around?

Is there a risk of it just piling up forever?

Nope.

There's a hard data retention rule built in.

User data is stored for six months, and then it's automatically and permanently

deleted.

Six months.

That's it.

That's it.

Let's jump into what I think is the most compelling part in Section 3.

Transparency in action.

They call this the auditorium.

Right.

And this is what really sets it apart.

This is the user benefit side of the whole thing.

Beyond just opting in or out often gives users real control.

So they can delete their data or opt out at any time?

Any time.

But the truly radical part is that users can review their own data.

They don't just see a toggle switch.

They get to see the actual metrics with explanations of what everything means.

And the best way to understand this is to contrast the two views, right?

What the operator sees versus what the user sees.

Exactly.

So let's start with the big picture.

What does the operator see on their dashboard?

The operator's view is the aggregate data.

All the data summed up across all your pages.

So you'll see your totals.

Like unique users, say 859 and maybe 3,372 unique sessions.

And lists of top pages, things like that.

Yep.

Other URLs across the whole site.

Standard stuff for managing your content.

Okay.

So that's anonymous, high-level data.

Now what if I'm a user and I go into my auditorium, what do I see?

The user's view is totally specific to you.

It only shows data related to your activity since you opted in.

So you might see one unique website tracked, because that's the only one you've

contributed

data to.

And my sessions.

You might see five unique sessions and a very specific list of the top pages that

you visited.

So if I came to your site five times and looked at the about page and the contact

page, I

would log in and see exactly those pages listed as my top pages.

Precisely.

The operator sees hundreds of users in aggregate, but you see your exact footprint.

It just gets rid of that black box feeling of web analytics.

You know exactly what you shared.

That is a profound trust builder.

So for an operator who has sold on this, let's talk about section four, deployment.

How easy is it to actually get started?

They've really tried to make it simple, often is designed to be very lightweight.

Deployment is basically just downloading a single binary file or pulling a Docker

image.

No huge complex installation.

Right.

And what if you don't want to set up a big dedicated database server?

Yeah.

What are the options there?

You can just use Squalite.

Can you explain Squalite simply?

Sure.

It's a file-based database, so instead of a whole separate server, all your data

just

lives in a single file on your web server.

It simplifies the setup a ton, especially for smaller sites.

And it handles security certificates too.

It can, yeah.

It often can automatically install and renew your SSL certificates for you if you

want.

That's great.

What about making it friendly for a global audience?

Localization is pretty robust.

It's available in English, French, German, Portuguese, Spanish, and Vietnamese.

And crucially, the consent banner and the user's auditorium are localized.

Which is key for trust.

And can you make it match your website's design?

You can.

The consent banner is customizable color, shape, basic fonts.

You can make it feel like a part of your site, not some annoying pop-up.

And for anyone listening who wants to just try this out right now, there's a demo

command,

right?

There is.

It's super easy.

You can create a temporary demo environment on your own machine.

Just open your terminal and run this command, curl https.demo.offend.devbash.

And the login for that demo?

The account is demo at offend.dev, and the password is just demo.

That's the perfect way to see that difference between the operator view and the

user view

we were just talking about.

So to sum it all up, often really is a genuine ethical alternative.

It lets operators get the essential stats they need, unique sessions, traffic flow,

without compromising user privacy at all.

That combination of opt-in consent, end-to-end encryption, and limited data

retention really

sets a new standard.

It does.

And it's worth mentioning that the project got support from the NL Net Foundation

as

part of the Next Generation Internet Initiative.

So it's part of a bigger movement for more private web.

It's a fantastic model.

The sources make it clear that often puts the user on totally equal footing with

the

operator.

And that leaves us with a final thought to consider.

If users can use the exact same tools to analyze their own data as the operator

uses for their

aggregate data, does that level of radical transparency change how we value web

services?

Does fairness stop being just a box you have to tick for compliance and become the

main

reason someone wants to engage with your site, something for you to chew on?

That's a great question.

And a quick reminder that this deep dive was supported by SafeServer, which helps

host

software and provides digital transformation support.

You can learn more at www.safeserver.de.

You can learn more at www.safeserver.de.