I use Matomo for years now and it works quite reliably. (A few updates failed the automatic update, but nothing serious)
Only thing that bothered me is that most Ad Blockers are blocking Matomo as well. I did build a little Script to circumvent that, you might find it handy as well:
https://gumroad.com/l/matomo_circumvent_adblock
I use it on my website. Check if your ad blocker is capable of blocking it: https://simon-frey.com
It's your call really, but a website owner tracking you with their own software on their own Matomo instance is not the problem. This is essentially the same as monitoring website logs... that's not disgusting at all.
I think grouping server-side tracking with JavaScript based tracking is an oversimplification. JavaScript tracking is much more invasive and can access significantly more data. From something as straightforward as fingerprinting to potentially even more invasive data such as geo-location, battery status, webcam, microphone - you name it. Server access logs aren't going to track my eyes.
I think we can all agree there are different levels of acceptable tracking and use of that data- but the degrees of acceptance are going to be different depending on the user and service. I don't consider bypassing my restrictions to run unauthorized code to be an acceptable tracking method and raises serious concerns about how the data will then be used.
Anyone can do all sorts of things. I can punch anyone I see on the street in the face. Doesn't mean they're actually doing it.
Now, I have a vested interest in this as I work on one of those tracking tools, but it actually collects less data than those Apache access_logs that people have been keeping for 25 years. Plus, the JS is unminified and easily examinable if you want (as is the HTTP request), so you also have more insight in what is being collected exactly.
"It's using JavaScript" and "it can do [..]" are massive red herrings; browsers are actually fairly sandboxed and there are millions upon millions of lines of code on your computer that can do much more than JavaScript inside a webpage.
> I can punch anyone I see on the street in the face.
Yes, and then you would be charged with assault. It is great that you work on a tool that respects peoples privacy. I suppose I failed to put an emphasis on trust. With server side logs, less trust is required because there is less that can be done. Paired with VPN, I can have reasonable belief that server side logging is not logging anything unreasonable and it does not require trust that they are not fingerprinting me. As you say, just because someone can do something doesn't mean they will - but trust is required, especially if there are no repercussions if that trust is violated.
OTOH JavaScript tracking is an easy way to filter out a lot of the bots. I use a little bit of JS-based tracking for exactly this reason, but I'm not extracting anything that wouldn't show up in server logs (eventually I also want to get some "time spent on page" metric so I have some idea how useful my blog posts are (are people clicking and leaving right away or are they sticking around to read). You pretty need JS for this. In whatever case, web analytics like these aren't "tracking"; you're looking at user behavior on your own site; not trying to follow them around the Internet or otherwise identify them.
Matomo doesn't track all that much.
Screen size, which is wrong for Firefox vs Chrome.
Visit time and unique user and visit ID. Also some ecommerce parameters if you set them.
As well as if your browser supports whatever tech like flash, silverlight etc.
It's a slightly better server log.
When the GDPR was entering into force, I remember some speculating that monitoring Apache logs could violate it, since the user has not consented to having their personal details (i.e. the IP address) processed. What was the final consensus reached on this?
Ad blocking != block tracking. If you don’t want to get tracked, turn on Do Not Track in your browser. Matomo and most other privacy focused analytics scripts respect that setting.
While I agree that is the proper solution, most analytics do not respect the Do Not Track header. Beyond it being mostly ignored, Safari (which currently has 20% global browser share) removed support for Do Not Track in 12.1. So even though Matomo might respect the header request, there is no way for me to send that header on many of my devices. Blocking is the only solution left to me to 'opt out' of tracking regardless of the good intentions of Matomo.
Sure, so I have tracking protection too both through uBlock Origin, and Firefox' tracking protection feature. Yet, here you are, bypassing my tracking protections.
If you're using Firefox tracking protection (which I'm guessing using DNT as well), then Matomo by default does not track you though. So no, your tracking protections aren't being bypassed.
Why not block access to the content then? You can't watch Netflix streams without paying for them, that's trivial to implement.
Ah, right, creators want their content to show up for my search keywords, Google won't let them have pages only visible to Google bots (though even that is changing with the rise of paywalled sites), and they want the money from that same Google showing ads from their ad network.
Google initially promised to deliver a search for the open web unencumbered. It has become a sort of paywall itself (accept our ads or our search results will be useless pointing you to pages that only work if you have ads enabled).
Sure, it would be fair if they haven't pushed out the competition acting entirely differently ("we have no ads", "our ads are clearly marked" to current "see if you can tell a difference between an ad and your search results").
Unfortunately your script still calls a third party domain, which is trivial to block using a generic AdBlock/uBlock rule. Instead, you should host the matomo script (under a different filename of course) on your own domain. That way it won't be as easily blocked.
I go as far as to send all the tracking parameters through a custom server script before they are proxied to GA and Matomo. That way, I can change the script and parameter names at will, making them much more difficult to block. For example, Matomo-related blocking rules are as follows:
Sure if someone explicitely blocks you and you alone, that's fine. The problem is you getting blocked generically, because you're using the same scripts or patterns as everyone else, such that there exists a very wide and generic block rule in uBlock Origin or some other filter that happens to apply to your own domain. That's unacceptable and worth fighting against.
Unless I am missing something, that's trivial to block.
Any tracker can be made to work around ad blockers by making callbacks to the site itself and having a small shim there that forwards these pingbacks to the actual tracking service. But even then they still can be blocked based on the request contents.
Only thing that bothered me is that most Ad Blockers are blocking Matomo as well. I did build a little Script to circumvent that, you might find it handy as well: https://gumroad.com/l/matomo_circumvent_adblock
I use it on my website. Check if your ad blocker is capable of blocking it: https://simon-frey.com