Over the last years, there has been an ever-increasing interest in Internet privacy as a way to counteract the worrying demand by Internet companies to track users and their behavior, often for advertising purposes. I joined the movement and, while I do not consider myself a privacy advocate, I do provide my fair share of recommendations to family and friends. Something that had been bugging me for some time was how my own website reflected quite some hypocrisy on my side. Using very useful commodities opened up my few visitors to tracking by third parties.
Well, a rainy weekend has come by, and I can now gladly report that my hypocrisy has been amended: I need coffee is tracking free. To the best of my knowledge, all data that visitors receive and transmit whenever they browse my website stays on my server and my content delivery network (CDN), users are never tracked by third parties, and cookies are never placed without prior consent.
The whole process, for a WordPress website at least, is hassle free. The best of it, besides feeling good about myself and my visitors? I did not give up any functionality that I had before going tracking free and I suffered zero performance loss. Also, there is no need to place any annoying cookie consent banner to be GDPR compliant, because no cookie is ever set prior to obtaining consent.
What follows is a concise list of what I did, with links to help achieve the same.
- My WordPress theme uses Google fonts. While handy, Google can do whatever it wants when a browser requests these fonts to display my posts nicely formatted. I now cache (store) these fonts in my CDN to let users’ browsers safely download them from my server. Thank you OMGF (OPTIMIZE MY GOOGLE FONTS) for enabling this easily in WordPress.
- The default WordPress behavior when commenting on a post is to place a small cookie that stores name and e-mail, so that users do not have to input name and e-mail when commenting again on a post. I now ask for consent prior to placing such a cookie. Refusing to place the cookie still allows commenting.
- Another WordPress default behavior when commenting or when browsing comments is to use Gravatars, which are small pictures that users upload and are associated with a hash of their e-mail address. Whenever they use their e-mail address, systems such as WordPress retrieve their picture from the Gravatar server and display it. While pretty neat as a concept, it carries potential privacy issues and might track users cross-domain. The strategy here is twofold. When commenting, users are asked for consent to retrieve their picture from Gravatar. If consent is given, the user’s picture is retrieved from Gravatar by my server (not by the user’s browser), cached on my CDN, and then served to the user through my CDN. Gravatar is thus not able to track people cross-domain. If consent to use Gravatar is not given, a colored icon is procedurally generated using the user’s e-mail.
The generated icon is then cached on my CDN, and used whenever the user comments by leaving the same e-mail address. No cookies are ever stored for this operation. In a long comment chain, authors can in this way be followed by looking at patterns and colors. Thank you Avatar Privacy for allowing all of this very easily in WordPress.
- Speaking of CDN, I used to use Cloudflare to cache and distribute some parts of my website through their network. Here is the thing: Cloudflare works great. There is not a single one of its functionalities (including their cdnjs.com service) that I do not enjoy. Its implementation is however potentially dangerous not only for privacy, but for security as well. They also can (and very likely do) gather a lot of analytics and track users through their network, which is very extensive. I am also not a huge fan of the recent trend of centralizing Internet services, and Cloudflare is very much moving in that direction. I switched to BunnyCDN because (a) it has got a very good business model and it gets very cheap for small websites like mine, (b) it keeps innovating and adding features, and (c) it really, really speeds up my website by offloading static files through its worldwide network.
- Related to the previous point, my DNS used to be handled by Cloudflare. Since I wanted to use domains with dynamic IPs and to combine the DNS management of all my domains, I took the occasion to get an account at entryDNS, another cost-effective but powerful solution.
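
The procedurally generated icon from the Gravatar item above, as an added Python sketch (not Avatar Privacy's code and not part of the original post): it derives a mirror-symmetric colored icon from a salted hash of the e-mail address, so the same address always yields the same icon and nothing is requested from a third party. The salt value, the 5x5 grid and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac

# Constructed per-site secret (assumption): keeps cached icon names from
# doubling as a cross-site identifier the way a bare e-mail hash would.
SITE_SALT = b"example-site-salt-change-me"
GRID = 5  # 5x5 cells, mirrored left-to-right


def normalize(email: str) -> str:
    """Trim and lowercase so ' Bob@Example.org' and 'bob@example.org' match."""
    return email.strip().lower()


def icon_seed(email: str) -> bytes:
    """Salted digest of the e-mail; the address itself is never stored."""
    return hmac.new(SITE_SALT, normalize(email).encode("utf-8"), hashlib.sha256).digest()


def icon_cells(seed: bytes) -> list[list[bool]]:
    """Turn 15 seed bytes into a 5x5 on/off grid that is mirror-symmetric."""
    half = (GRID + 1) // 2  # 3 independent columns per row
    rows = []
    for r in range(GRID):
        left = [seed[r * half + c] % 2 == 0 for c in range(half)]
        rows.append(left + left[-2::-1])  # append mirrored columns 1 and 0
    return rows


def icon_svg(email: str, cell: int = 20) -> str:
    """Render the icon as a self-contained SVG string (no external requests)."""
    seed = icon_seed(email)
    hue = int.from_bytes(seed[-2:], "big") % 360  # color from the last 2 bytes
    rects = [
        f'<rect x="{c * cell}" y="{r * cell}" width="{cell}" height="{cell}"/>'
        for r, row in enumerate(icon_cells(seed))
        for c, on in enumerate(row) if on
    ]
    size = GRID * cell
    return (f'<svg xmlns="http://www.w3.org/2000/svg" width="{size}" height="{size}" '
            f'fill="hsl({hue},60%,45%)">' + "".join(rects) + "</svg>")


def cache_name(email: str) -> str:
    """File name for the cached icon on the site's own storage or CDN."""
    return icon_seed(email).hex()[:32] + ".svg"
```

Because the file name comes from the salted digest, two sites using different salts produce unrelated names for the same commenter, which is the property a bare e-mail hash lacks.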
Please note that some individual posts might still have external tracking, which might be enabled by embedding third-party media such as a Tweet or a YouTube video.