This arises from Migrating away from Google Analytics that's rising on Hacker News, right now.
The article recommends Plausible and Fathom as alternatives to Google Analytics.
This raises a number of questions, and I welcome input on this.
Plausible serves its tracking JavaScript from the root domain. So if we block Plausible, we block all of Plausible including its website. Blocking plausible.io blocks it all.
I'm interested in hearing opinions on the following: Does ethical tracking exist and, if so, how do we treat that?
My gut feeling: block because this isn't ethical tracking since user consent never enters.
What do you think?
(I am writing all this assuming I know enough about Plausible & Fathom to have an informed opinion, I could be wrong)
My gut feeling: DON'T block. I guess I agree, technically this isn't ethical tracking for the stated reason. BUT, these two services are really doing tracking in the best possible way. What I'm doing on a website isn't sold on the open market, it's not traded, and it's not added to my footprints of where I go all day on the web. It's one site that is trying to figure out what I'm doing on that site. I feel like what I (as a site owner) can get from these is just a bit more than I could get from just plain old Apache logs. And what I (as a site user) give up is not something that concerns me at all. It's not part of any larger system, it's just what I did at that site. These are two things I'd like to see succeed. I use neither, and have no vested interest in either, I just want better analytics things like these to be used more. Hopefully more people start to use them and move away from GA.
Thanks Blake @Blake-. That's fair. Thanks for the input.
@StevenBlack re Fathom, perhaps of interest:
https://usefathom.com/support/custom-domains
If a tracking service site (or a site using it) breaks because of its analytics being blocked I would see it as worse than a site using GA. I'm going to block it and live without whatever goes down the drain with it.
IMO the only ethical tracking is tracking that a visitor has to opt in to, and not in a pop-up but in their user profile. The rest needs to go away. Both services also track a LOT so definitely not ethical.
Edit: I see both are already blocked in my Pi-hole lists. 👍
Re DNT, user options, etc.:
https://usefathom.com/support/tracking-advanced
Thanks Bryce @brycewray. We're going to block Fathom.
Well, @StevenBlack, I guess my point was more about the part after what you highlighted (i.e., that Fathom data doesn't link to any individual, and thus doesn't constitute the tracking about which you're concerned); but, of course, it's totally your choice to block whatever you see fit.
@StevenBlack here's some more fathom domains:
0.0.0.0 collect.usefathom.com
0.0.0.0 img3.usefathom.com
0.0.0.0 akr.usesfathom.com
0.0.0.0 archsmarter.usesfathom.com
0.0.0.0 butshesagirl.usesfathom.com
0.0.0.0 gateguardian.usesfathom.com
0.0.0.0 jsfiddle.usesfathom.com
0.0.0.0 justin.usesfathom.com
0.0.0.0 paleoleap.usesfathom.com
0.0.0.0 perroverde.usesfathom.com
0.0.0.0 stats.usesfathom.com
0.0.0.0 d3lvir7538n0oi.cloudfront.net
Thank you LE @llacb47. That's a good list already. I'd like to block just what we need to block, if we can. I'm always mindful of being heavy-handed.
This is interesting: we already block tracking.fathomseo.com via mvps.org. Can you check fathomseo.com?
Hi Steven,
can you expand on why you want to block Fathom? Going by your logic, sentry should be blocked, as they do not support DNT. Maybe that should be revisited?
https://github.com/getsentry/sentry/issues/8918
https://github.com/StevenBlack/hosts/issues/568
Steve @StevenBlack :
0.0.0.0 calltracking.fathomseo.com CNAME: adtrack.voicestar.com
0.0.0.0 tracking.fathomseo.com CNAME: wildcard.directtrack.com.wipext.digitalriverws.com
👍
Thank you Dan @dnmTX, that's commit de3a3d9.
Le @llacb47 I've added yours in commit aea2e921 though I feel this may be overcooked. Let's see what happens.
Thank you Steve @StevenBlack . Here to help 😉
@llacb47 the last domain you listed, 0.0.0.0 d3lvir7538n0oi.cloudfront.net: I'm guessing here that it's a CNAME and very likely covers many other unrelated domains, which might become an issue for the Pi-hole users and such. Probably not a good idea to be listed here but that's just me.
Firstly, thanks @Blake- for the defence, that was really kind of you. Honestly, this topic can be discussed all day but the biggest win we saw from not being blocked by ad-blockers was that people left Google Analytics for us which, objectively, is a win for the internet given Google's history of privacy concerns. But opinions differ.
@StevenBlack Thanks for the consideration and public discussion, I really respect that. I'm not going to challenge your conclusion, but I do want to offer some further information to allow you to make the best possible decision. That way I've done my bit and shared what I need to. I appreciate that not everyone reads my nerdy Fathom posts detailing how we are a privacy-by-design service.
Long story short, we keep one-way hashes for a 24h period. The only way you can break these hashes is if you brute force some insane amount of data. Our service is the leading privacy-focused solution available and our business is built in a way that cannot succeed without protecting user privacy. It's incredibly important to us.
In terms of the way we store data, we NEVER store user histories, journeys etc. We only keep aggregated data. For example, here are some rows from the site stats table. You can see it's all just aggregated data.
site_stats
site_id|pageviews|visits|sessions|bounce_rate|avg_duration|timestamp|
---------|------|--------|-----------|---------------|------------|-------------------|
184 |414 |284 |284 |0.85 |90.00 |2018-05-08 01:00:00|
184 |916 |432 |432 |0.78 |90.00 |2018-05-09 01:00:00|
184 |762 |422 |422 |0.80 |90.00 |2018-05-10 01:00:00|
184 |711 |325 |325 |0.74 |99.83 |2018-05-11 01:00:00|
184 |422 |234 |234 |0.78 |90.83 |2018-05-12 01:00:00|
184 |537 |270 |270 |0.72 |100.09 |2018-05-13 01:00:00|
184 |757 |336 |336 |0.68 |103.03 |2018-05-14 01:00:00|
184 |693 |336 |336 |0.73 |144.07 |2018-05-15 01:00:00|
184 |664 |312 |312 |0.72 |117.91 |2018-05-16 01:00:00|
184 |720 |311 |311 |0.69 |94.68 |2018-05-17 01:00:00|
184 |861 |298 |298 |0.68 |96.24 |2018-05-18 01:00:00|
184 |401 |179 |179 |0.71 |125.78 |2018-05-19 01:00:00|
And for the hashes we keep for <= 24 hours, here's an example of what we have:
pageview_hashes
|hash |expires_at|
|-----|----------|
|0001f694ff2b585a2f2f06fba500e32ae78b5c3d135d978acbf12b698eb7842d|2020-07-14 00:00:00|
|00040adb3a9e2e64195b04f8a838fe92d4312219a074eb4dd935a76022a96cfa|2020-07-14 00:00:00|
|00059489e47dbdd73638c59e6077955cc8d4b2907814c20e104aca603f914392|2020-07-14 00:00:00|
|0006136c8195501551ce2396748ab17d28687c11228ee460fef85116ea3468ba|2020-07-14 00:00:00|
As you can see, these are SHA256 hashes. We cannot decrypt these. They're one way hashes. But we use them for comparison. That is it. We cannot do anything else with them and they delete at midnight UTC every single day.
Again, I really appreciate your openness to discussion here, and the fact you listened to other opinions. I just had to drop some information in to make sure you have all the information needed to make your decision. If you visited a site with Fathom on, and you had DNT enabled, we'd track the request as a +1, but we'd not track "an individual" around the site. We only keep aggregated data.
Thanks Jack @JackEllis I appreciate your input. Sleeping on it.
So Jack @JackEllis what I can't seem to get past is, by default, Fathom ignores the user's Do-Not-Track setting.
You say Fathom behaves as a trusted third party. You say Fathom tracks non-identifiable information. You say Fathom does not retain information. And maybe so.
But that's just not good enough. To me, those are utilitarian justifications in a moral issue.
Utilitarian thinking has no place in moral thought. That's my take.
@StevenBlack DNT was introduced to stop things like browser customization specific to the user. It was introduced because people were creeped out over the fact that they’d return to a website and see “Hey Jack”... which is creepy. The concept of “track” is important here too. Our processing is a +1 to aggregation and has nothing to do with tracking individuals. DNT has been abandoned, but luckily regulation is doing a lot of the work it intended to do. If you take a read of the ePrivacy directive (PECR in the UK), things are heating up.
Honoring of DNT is a virtue signal. DNT was abandoned by W3C back in 2019 and is a hugely outdated thing to look at.
Also, Steven, I truly appreciate the constructive conversation.
@JackEllis if the data you're collecting (without even giving the choice for the user to opt out) is so... "useless/encrypted/not important... being deleted almost right away and so on...", why do you keep advocating for Steven @StevenBlack not to block it?
@dnmTX I’m not sure what you mean. We keep aggregated totals. It has nothing to do with DNT. As I said, honoring DNT is a virtue signal. DNT wasn’t introduced to stop privacy focused analytics platforms from doing a +1 on their aggregations, it was introduced for the above reasons I gave, and I’m sure it was also intended to block invasive analytics.
Jack @JackEllis quite aside from what you say, here's what I see. Let's explore, shall we?
Wikipedia, Do Not Track:
Do Not Track (DNT) was a proposed HTTP header field, designed to allow internet users to opt-out of tracking by websites—which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of data derived from that activity outside the context in which it occurred.
In Firefox preferences

In Chrome preferences, when you set DNT you get this, which suggests the effect is implementation-dependent. Fathom ignores all this, by fucking default.

I'm not getting a strong sense that you understand what "Do Not Track" means.
I can tell you this, with 100% certainty: people who use our hosts files don't want to be tracked.
@StevenBlack We're keeping a close eye on things. As I said, it was abandoned. And for good reason too. Regulation is replacing the attempt. The GDPR was a big start, and the ePrivacy directive is going to change the landscape big time. For example, if I visit http://stevenblack.com/, I am tracked without my consent and despite having DNT turned on, and 5 cookies are set on my machine, which is a violation of the ePrivacy directive, as I did not explicitly consent. And data is being sent to Google, who have an awful history with privacy. This is the problem with DNT and why it was abandoned. I have it turned on but websites do not honor it. Privacy regulation has focused on moving us away from abandoned proposals and we now have privacy laws, which is awesome. Once ePrivacy becomes regulation, things will get very interesting.
But I digress. I totally understand why you're blocking us and I appreciate your time.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions.
I'd like to keep this issue active.
Last month I received a request to whitelist Plausible from my list. This was my response:
I take an opt-in approach. This list is to block ads and tracking. I’m not trying to be some moral police to determine which tracking is ‘ok’ and which tracking is ‘bad’. My goal is to block it all and users of the list are encouraged to ‘opt-in’ to whatever they might feel is acceptable. That’s not my decision to make.
Obviously this is your list and you should manage it as you see fit, just sharing my two cents as a fellow blocklist maintainer.
One thing specific about Plausible that I find off-putting is their custom.plausible.io subdomain which is used for CNAME cloaking (see example domain ms.markosaric.com). Perhaps there is a technical reason to do that besides trying to bypass blockers. But then again the largest tracker in the world, Google Analytics, doesn't find CNAME cloaking necessary. I don't know... I don't like it.
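The CNAME cloaking concern raised in the comment above, as an added example that is not part of the original thread or of either project's code: hosts-file entries match only the exact name queried, so a first-party alias pointing at a listed tracker hostname is missed unless the resolver also checks CNAME targets. The blocklist excerpt, the CNAME table and `stats.example.org` are constructed sample data.

```python
# Constructed sample data: hosts-format blocklist lines and a static CNAME table.
HOSTS_TEXT = """\
# constructed excerpt in hosts format
0.0.0.0 plausible.io
0.0.0.0 custom.plausible.io
0.0.0.0 collect.usefathom.com
"""

# Constructed CNAME records (name -> target); stats.example.org is hypothetical.
CNAMES = {
    "stats.example.org": "custom.plausible.io",
    "www.example.org": "edge.example.net",
}


def parse_hosts(text):
    """Return the set of hostnames sinkholed to 0.0.0.0 or 127.0.0.1."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1"):
            blocked.update(h.lower().rstrip(".") for h in fields[1:])
    return blocked


def cname_chain(name, cnames, max_depth=8):
    """Follow CNAME records from name, stopping on loops or after max_depth."""
    chain = [name.lower().rstrip(".")]
    while chain[-1] in cnames and len(chain) <= max_depth:
        target = cnames[chain[-1]].lower().rstrip(".")
        if target in chain:
            break
        chain.append(target)
    return chain


def classify(name, blocked, cnames):
    """'blocked': exact match, which is all a hosts file enforces.
    'cloaked': only a CNAME target is listed, so a hosts file misses it.
    'clean': nothing in the chain is listed."""
    chain = cname_chain(name, cnames)
    if chain[0] in blocked:
        return "blocked"
    if any(hop in blocked for hop in chain[1:]):
        return "cloaked"
    return "clean"


if __name__ == "__main__":
    blocked = parse_hosts(HOSTS_TEXT)
    for host in ("plausible.io", "stats.example.org", "www.example.org"):
        print(host, classify(host, blocked, CNAMES))
```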
Oh I forgot to also add, iOS dropped support for DNT, so that is a massive cross section of devices that cannot opt out using that method.
As I said back in July, DNT is irrelevant and deprecated.
The solution isn't to try and block trackers, as you can never accomplish that. The solution is to encourage people to stop using big tech that actually invades users' privacy. People aren't going to give up analytics. So instead, we build alternatives that comply with privacy laws and put the user ahead of profit. We've spent hundreds of hours carefully choosing how we build Fathom Analytics, and that's why we have so many websites using us in an incredibly short period of time.
I do appreciate the discussion here but it's clear we're fighting this from different angles. Your objective is to ensure users have no privacy-friendly stats about who visits their website whilst our goal is to encourage people to stop sending people's data to Google. We can argue over who is right until the cows. And the funny part is that we are both 100% that the way we're doing it is right. That's why these open discussions are so important. And whilst we don't agree, I do appreciate you discussing this openly with me, @StevenBlack & @lightswitch05.
Have a great weekend :)