[HN Gopher] Show HN: Measure downloads and commercial adoption o...
___________________________________________________________________
Show HN: Measure downloads and commercial adoption of any file you
distribute
Author : aviaviavi
Score : 23 points
Date : 2021-09-09 16:00 UTC (1 days ago)
(HTM) web link (about.scarf.sh)
| jdorfman wrote:
| Saw this on Twitter yesterday, and it looks interesting. With
| that said, the one concern my team has is around privacy. The
| blog post says:
|
| "All without ever having access to personally identifiable
| information or invading the privacy of your users."
|
| Can you elaborate on how you go about that?
| aviaviavi wrote:
| In short, using Scarf does not provide personally identifiable
| information about who is downloading your artifacts because we
| don't have that data ourselves.
|
| The main way this is achieved is by purging any personally
| identifiable information from our system, mainly the IP address
| of a download request. Scarf uses the IP to look up metadata
| like company affiliation, cloud provider, coarse-grained
| location, etc, to surface that to you. Once that metadata is
| looked up, the original IP address is discarded. All
| information stored long term is fully anonymized.
| putnambr wrote:
| This is impressive, but seems like a dark pattern to me a la
| tracking pixels in emails. An annoying use case I could see
| this used for is targeted spam. Say a company selling a
| software tool publishes a PDF of industry insights and then
| reaches out to everyone who's downloaded it. Or they publish
| an OCI image, and then try to sell everyone who uses it a
| support package.
| aviaviavi wrote:
| Well, Scarf offers free pixel tracking too so you
| definitely have the correct model for what we do, though
| sorry to hear you dislike the approach.
|
| Our goal is to help enable OSS developers to financially
| support their work. Do you think it's still wrong when it's
| OSS developers trying to sell their services or premium
| offerings to the companies that already rely on their work?
| If so - companies are tracking people all the time at a
| very granular, personally identifiable level. Why should we
| hold OSS developers to an even higher standard than what we
| tolerate from large companies?
| _query wrote:
| Highly recommend trying this out if you run an open source
| project and want to get some insights about usage.
|
| Avi gave me a demo last week as we've been looking at how to get
| better analytics for our open source framework IHP
| https://ihp.digitallyinduced.com/. It's quick to set up and they
| also provide tools for doing analytics for e.g. the documentation.
| aviaviavi wrote:
| Hi HN, a comment to give a little more backstory here:
|
| At Scarf, we aim to give open source developers more visibility
| into how their software is being used. As people with experience
| distributing binaries and artifacts hosted on platforms like
| GitHub Releases and S3, a repeated struggle was not having any
| visibility into downloads. Which versions of the software were
| being downloaded the most? On which platforms? Where in the
| world? Which companies were downloading?
|
| This year we built Scarf Gateway, which acts as a
| redirect/analytics layer for any container registry. Supporting
| other kinds of artifacts was a natural extension, and arbitrary
| file downloads is perhaps the most general extension we could
| build!
|
| Curious to hear what people think.
| smarx007 wrote:
| I think this is great as long as you respect GDPR. Tracking is
| not inherently bad. And I had some pain tracking downloads of
| our OSS project files, thankfully Eclipse Foundation has some
| tools for gathering anonymous statistics (I think the term
| "anonymous statistics" will fare better with the HN crowd than
| "tracking" or "measure"). Added your service to bookmarks for
| the next time I need such functionality.
|
| However, you seem to have an incomplete understanding of GDPR
| judging from your homepage. For example, you don't provide a
| way for people to opt out on your homepage. This may indicate
| that you are thinking about GDPR in American "PII" terms
| instead of thinking about "processing purposes" and "personal
| data" (not necessarily identifiable, such as a 5-star rating
| for a taxi driver) as intended by GDPR. You can store my home
| address without my consent if you need it to deliver a book to
| me. You may not pass my non-anonymized IP address to anyone
| except your secops (legitimate business need has been explained
| by EU courts to mean a need to fulfill user's need, not company
| need, e.g. to show ads).
|
| Further down the thread you also discuss the opt-out
| mechanisms. Again, this is only legal under GDPR for opting out
| of the kinds of processing you have a legitimate business need
| for. Things that require a consent may not be worked around
| with an opt-out.
|
| Not a lawyer but a person in EU who sent GDPR requests and
| complaints to company DPOs and regulators. Hope your service
| grows well!
| aviaviavi wrote:
| Glad to hear and thanks for the kind words!
|
| Fully complying with GDPR is a requirement as we build this
| out. Our data policies and practices have been thoroughly
| reviewed by our legal team. If we are doing anything
| incorrectly with respect to GDPR, it will be promptly
| addressed.
|
| It turns out that the data we are actually storing about end-
| user traffic do not meet the criteria that trigger
| requirements for explicit consent. Scarf also operates as a data
| processor with respect to GDPR, rather than a controller.
| smarx007 wrote:
| Ah, shrewd move! For others reading this: your project
| using Scarf will bear responsibility for GDPR compliance
| regarding processing purposes as the controller and Scarf
| is just a processor like AWS (not that I buy it completely
| but I am sure smart folks at noyb.eu will look at this when
| time comes).
| inetknght wrote:
| > _Curious to hear what people think._
|
| How would someone opt-out of being tracked that something's
| been downloaded?
| aviaviavi wrote:
| This still needs to be added to our docs. A `dnt=1` query
| param in a download URL is interpreted as an end-user opt-
| out. We plan to add more forms of opting out based on user
| feedback. We want to ensure it's low-friction to opt out of
| tracking.
| nixwatch510 wrote:
| I wonder why GitHub shows number of visits / clones, but not
| release artifact downloads.
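
The flow described in the thread above (use the request IP to look up metadata, discard the IP, and treat a `dnt=1` query parameter as an opt-out), sketched as an added example that is not part of the thread and is not Scarf's code. Only `dnt=1` comes from the thread; the enrichment table, organisation names, record fields, function names and download host are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed enrichment table: documentation address ranges, made-up owners.
NETWORK_METADATA = [
    (ipaddress.ip_network("192.0.2.0/24"),
     {"org": "Example Corp", "cloud": None, "country": "US"}),
    (ipaddress.ip_network("198.51.100.0/24"),
     {"org": None, "cloud": "ExampleCloud", "country": "DE"}),
    (ipaddress.ip_network("2001:db8::/32"),
     {"org": "Example University", "cloud": None, "country": "NL"}),
]
UNKNOWN = {"org": None, "cloud": None, "country": None}

def lookup_metadata(ip_text):
    """Map an address to coarse metadata; unparseable input maps to UNKNOWN."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return dict(UNKNOWN)
    for net, meta in NETWORK_METADATA:
        if addr.version == net.version and addr in net:
            return dict(meta)
    return dict(UNKNOWN)

def opted_out(url):
    """True when the download URL carries dnt=1 (the opt-out named in the thread)."""
    return "1" in parse_qs(urlsplit(url).query).get("dnt", [])

def record_download(url, remote_ip):
    """Build the record to persist; the address itself is never a field."""
    if opted_out(url):
        return None  # no lookup performed, nothing stored
    record = {"path": urlsplit(url).path}  # path only: query string is dropped
    record.update(lookup_metadata(remote_ip))
    return record  # remote_ip is not retained past this point

def leaks_address(record, remote_ip):
    """Audit check: does any stored value still contain the raw address?"""
    return any(remote_ip in str(value) for value in record.values())
```

Dropping the address from the stored record only helps if reverse-proxy and application access logs are not retaining it as well.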
___________________________________________________________________
(page generated 2021-09-10 23:01 UTC)