[HN Gopher] Show HN: Measure downloads and commercial adoption o...
___________________________________________________________________

Show HN: Measure downloads and commercial adoption of any file you distribute

Author : aviaviavi
Score  : 23 points
Date   : 2021-09-09 16:00 UTC (1 days ago)

(HTM) web link (about.scarf.sh)
(TXT) w3m dump (about.scarf.sh)

| jdorfman wrote:
| Saw this on Twitter yesterday, and it looks interesting. With
| that said, the one concern my team has is around privacy. The
| blog post says:
|
| "All without ever having access to personally identifiable
| information or invading the privacy of your users."
|
| Can you elaborate on how you go about that?

| aviaviavi wrote:
| In short, using Scarf does not provide personally identifiable
| information about who is downloading your artifacts because we
| don't have that data ourselves.
|
| The main way this is achieved is by purging any personally
| identifiable information from our system, mainly the IP address
| of a download request. Scarf uses the IP to look up metadata
| like company affiliation, cloud provider, coarse-grained
| location, etc., to surface that to you. Once that metadata is
| looked up, the original IP address is discarded. All
| information stored long term is fully anonymized.

| putnambr wrote:
| This is impressive, but seems like a dark pattern to me a la
| tracking pixels in emails. An annoying use case I could see
| this used for is targeted spam. Say a company selling a
| software tool publishes a PDF of industry insights and then
| reaches out to everyone who's downloaded it. Or they publish
| an OCI image, and then try to sell everyone who uses it a
| support package.

| aviaviavi wrote:
| Well, Scarf offers free pixel tracking too so you
| definitely have the correct model for what we do, though
| sorry to hear you dislike the approach.
|
| Our goal is to help enable OSS developers to financially
| support their work. Do you think it's still wrong when it's
| OSS developers trying to sell their services or premium
| offerings to the companies that already rely on their work?
| If so - companies are tracking people all the time at a
| very granular, personally identifiable level. Why should we
| hold OSS developers to an even higher standard than what we
| tolerate from large companies?

| _query wrote:
| Highly recommend to try this out if you run an open source
| project and want to get some insights about usage.
|
| Avi gave me a demo last week as we've been looking on how to get
| better analytics for our open source framework IHP
| https://ihp.digitallyinduced.com/ it's quick to set up and they
| also provide tools for doing analytics for e.g. the documentation.

| aviaviavi wrote:
| Hi HN, a comment to give a little more backstory here:
|
| At Scarf, we aim to give open source developers more visibility
| into how their software is being used. As people with experience
| distributing binaries and artifacts hosted on platforms like
| GitHub Releases and S3, a repeated struggle was not having any
| visibility into downloads. Which versions of the software were
| being downloaded the most? On which platforms? Where in the
| world? Which companies were downloading?
|
| This year we built Scarf Gateway, which acts as a
| redirect/analytics layer for any container registry. Supporting
| other kinds of artifacts was a natural extension, and arbitrary
| file downloads is perhaps the most general extension we could
| build!
|
| Curious to hear what people think.

| smarx007 wrote:
| I think this is great as long as you respect GDPR. Tracking is
| not inherently bad. And I had some pain tracking downloads of
| our OSS project files, thankfully Eclipse Foundation has some
| tools for gathering anonymous statistics (I think the term
| "anonymous statistics" will fare better with the HN crowd than
| "tracking" or "measure"). Added your service to bookmarks for
| the next time I need such functionality.
|
| However, you seem to have an incomplete understanding of GDPR
| judging from your homepage. For example, you don't provide a
| way for people to opt out on your homepage. This may indicate
| that you are thinking about GDPR in American "PII" terms
| instead of thinking about "processing purposes" and "personal
| data" (not necessarily identifiable, such as a 5-star rating
| for a taxi driver) as intended by GDPR. You can store my home
| address without my consent if you need it to deliver a book to
| me. You may not pass my non-anonymized IP address to anyone
| except your secops (legitimate business need has been explained
| by EU courts to mean a need to fulfill user's need, not company
| need, e.g. to show ads).
|
| Further down the thread you also discuss the opt-out
| mechanisms. Again, this is only legal under GDPR for opting out
| of the kinds of processing you have a legitimate business need
| for. Things that require a consent may not be worked around
| with an opt-out.
|
| Not a lawyer but a person in EU who sent GDPR requests and
| complaints to company DPOs and regulators. Hope your service
| grows well!

| aviaviavi wrote:
| Glad to hear and thanks for the kind words!
|
| Fully complying with GDPR is a requirement as we build this
| out. Our data policies and practices have been thoroughly
| reviewed by our legal team. If we are doing anything
| incorrectly with respect to GDPR, it will be promptly
| addressed.
|
| It turns out that the data we are actually storing about
| end-user traffic do not meet the criteria that trigger
| requirements for explicit consent. Scarf also operates as a data
| processor with respect to GDPR, rather than a controller.

| smarx007 wrote:
| Ah, shrewd move! For others reading this: your project
| using Scarf will bear responsibility for GDPR compliance
| regarding processing purposes as the controller and Scarf
| is just a processor like AWS (not that I buy it completely
| but I am sure smart folks at noyb.eu will look at this when
| time comes).

| inetknght wrote:
| > _Curious to hear what people think._
|
| How would someone opt-out of being tracked that something's
| been downloaded?

| aviaviavi wrote:
| This still needs to be added to our docs. A `dnt=1` query
| param in a download URL is interpreted as an end-user
| opt-out. We plan to add more forms of opting out based on user
| feedback. We want to ensure it's low-friction to opt out of
| tracking.

| nixwatch510 wrote:
| I wonder why GitHub shows number of visits / clones, but not
| release artifact downloads.
___________________________________________________________________
(page generated 2021-09-10 23:01 UTC)