Allow analytics.js to run without cookies

Question

Allow analytics.js to run without cookies

gareth opened this issue 4 years ago · comments

Background

The EU ePrivacy regulation (ePR) gives users a lot more rights when it comes to the data that websites can store on their machines, in cookies, localStorage and the like. One focus is to let users opt-out of third-party companies being able to track them across the web, when that company has scripts embedded on multiple sites - like Segment. So far, hopefully nothing controversial.

analytics.js uses cookies or localStorage to persist user identifiers - anonymous, group and user IDs - between page loads. A site can identify a user on one page and Segment will know it's the same person the next time they load a page. Or, Segment will know that an anonymous user is the same person who loaded a page earlier.

Everything above is objective, but there are a couple of subjective points that apply to our situation, and any other people who have come to the same conclusions as us:

Our reading of the ePR leads us to believe that users should even be able to opt-out of first-party cookies that aren't strictly necessary for their use case, and this even includes site metrics. I realise this may not be a universal interpretation but it's ours - this Github issue probably isn't the right place to have a legal discussion.
Segment's analytics.js first party cookies (ajs_*) by themselves don't technically enable cross-site tracking, but can be blocked by users as a consequence of the point above.

Issue

Because of the way analytics.js-core automatically sets cookies based on whether the browser has cookies enabled or not, we can't load analytics.js at all if a user has told us they don't want our "Functional" cookies. This leaves us missing out on Segment functionality, which is sad.

However, my understanding (to be confirmed) is that cookies aren't strictly necessary for Segment to do its thing. Given some additional restrictions, it should be possible for the existing analytics library to work without setting cookies:

If we're happy that we don't need to track events from anonymous users
If we're happy to call identify on each individual page load before any events are tracked.

This is all based on the fact that Entity.js has a fallback for a memory store which Segment can use if cookies and localStorage are unavailable.

The only thing that is missing to make this happen is a way to override the browser-based checks and force Segment to use the memory store.

I guess I have two questions:

Is my understanding of this correct - that the two restrictions above mean Segment could – in theory – work without cookies?
If it's possible, would a community-provided PR be enough to get this considered for inclusion in Segment?

At the moment, our only option to track client-side events is to write our own probably-clumsy javascript wrapper around your HTTP API, and miss out on most of the simplicity of analytics.js.

Pooya Jaferian · Answer 1 · Thu Jun 04 2020 00:20:19 GMT+0800 (China Standard Time)

@gareth You are right, in theory Segment should be able to use either localstorage or memory and still operate, but currently there is no way to control that behaviour by user. Outside the logic in Entity.js, Segment's own integration also needs to be adapted to work without cookies:
https://github.com/segmentio/analytics.js-integrations/blob/master/integrations/segmentio/lib/index.js

I will bring this issue for internal discussion to see if we can make the use of cookies optional, and get back to you.

Ian Ker-Seymer · Answer 2 · Fri Jun 05 2020 10:38:42 GMT+0800 (China Standard Time)

would #129 be related to this at all?

Pooya Jaferian · Answer 3 · Sat Jun 06 2020 00:18:43 GMT+0800 (China Standard Time)

@ianks not related. #129 should be done soon. Waiting for one final internal review.

stale · Answer 4 · Wed Aug 05 2020 10:38:45 GMT+0800 (China Standard Time)

This issue has been automatically marked stale because it has not had any activity in the last 60 days. If no further activity occurs within 7 days, it will be closed. Closed does not mean "never", just that it has no momentum to get accomplished any time soon. See CONTRIBUTING.md for more info.

stale · Answer 5 · Thu Aug 13 2020 17:34:20 GMT+0800 (China Standard Time)

Closing due to staleness. Closed does not mean "never", just that it has no momentum to get accomplished any time soon. See CONTRIBUTING.md for more info.

Jorge Alberto Chiapello · Answer 6 · Mon Aug 17 2020 22:38:12 GMT+0800 (China Standard Time)

Is there any updates for this?

Stephan Bönnemann-Walenta · Answer 7 · Fri Feb 19 2021 08:29:43 GMT+0800 (China Standard Time)

This issue represents the sad state of tracking in 2021.

If you expect users from the EU (aka everyone) using this library as advertised will be incompliant with privacy regulation by default.
There is not a single note in the documentation about how to do things the right way™. And that wouldn't just be interesting because of compliance, but because it's the right thing to do.

After hours of skimming through the documentation and reading the entire source code of this thing I'm landing here … and there is … even more nothingness …

All I want is some pseudonymized product analytics, but that's apparently just too hard to do.
I have to set 7million cookies and localstorage things, without a way around it.

I also don't want to collect ips. Cool, you say, we have engineered this gigantic data kraken, but it's too hard for us to have one simple option to disable it. No, no, no, you say, please go ahead and pass {context: {ip: '0.0.0.0'}} to every single call. Are you serious? Writing the documentation that tells me to pass this to every call probably took longer than putting an option in here to just disable this stuff outright.

There is a very good reason people don't trust anyone in this industry anymore. Unbelievably sad … and dangerous.

Edit: In case you are coming here from google or wherever. You will have to build your own client library that talks to the API directly ¯\_(ツ)_/¯

Gareth Adams · Answer 8 · Tue Feb 01 2022 19:15:31 GMT+0800 (China Standard Time)

@pooyaj Can you update this issue with the result of the internal discussion you said you were going to have?

Pooya Jaferian · Answer 9 · Fri Feb 04 2022 02:28:58 GMT+0800 (China Standard Time)

@gareth we will be working on cookieless option for AJS this quarter. We will be adding support to https://github.com/segmentio/analytics-next instead of this library tho.

Phil Efstathiou · Answer 10 · Tue May 31 2022 23:40:30 GMT+0800 (China Standard Time)

@pooyaj that's great to hear. has that been added?

Gareth Adams · Answer 11 · Tue May 31 2022 23:53:27 GMT+0800 (China Standard Time)

@pooyaj that's great to hear. has that been added?

It looks like segmentio/analytics-next#388 added the disableClientPersistance option, which was released on May 6th in v1.36.0 and documented on Segment's client-side persistence help page.

Pooya Jaferian · Answer 12 · Wed Jun 01 2022 02:43:56 GMT+0800 (China Standard Time)

Yes! this is done in Analytics.js 2.0 🎉

Gareth Adams · Answer 13 · Mon Jun 06 2022 19:04:04 GMT+0800 (China Standard Time)

@pooyaj feel free to update the Status: awaiting internal review label on this issue if you're happy to draw a line under this. The Status: resolved label is lonely 😆