Over the last few years, there has been an ever-increasing interest in Internet privacy to counteract the worrying demand by Internet companies to track users and their behavior, often for advertising purposes. I joined the movement and, while I do not consider myself a privacy advocate, I do provide my fair share of recommendations to family and friends. Something that had been bugging me for some time was how my website reflected quite some hypocrisy on my side. Using very useful commodities opened up tracking of my few visitors by third parties.
Well, a rainy weekend has come by, and I can now gladly report that my hypocrisy has been amended: I need coffee is tracking-free. To the best of my knowledge, all data that visitors receive and transmit whenever they browse my website stays on my server and my content delivery network (CDN), users are never tracked by third parties, and cookies are never placed without prior consent.
The whole process, for a WordPress website at least, is hassle-free. The best part, besides feeling good about me and my visitors? I did not give up any functionality that I had before going tracking-free, and I suffered zero performance loss. Also, there is no need to place any annoying cookie consent banner to be GDPR compliant, because my website currently sets technical, non-tracking cookies only.
What follows is a concise list of what I did, with links to help you achieve the same.
- My WordPress theme uses Google Fonts. While handy, Google can do whatever it wants when a browser requests these fonts to display my posts nicely formatted. I now cache (store) these fonts in my CDN to let users' browsers safely download them from my server. Thank you OMGF (OPTIMIZE MY GOOGLE FONTS) for enabling this easily in WordPress.
- The default WordPress behavior when commenting on a post is to place a small cookie that stores name and e-mail, so that users do not have to input name and e-mail when commenting again on a post. I now ask for consent prior to placing such a cookie. Refusing to place the cookie still allows commenting.
- Another WordPress default behavior when commenting or when browsing comments is to use Gravatars, which are small pictures that users upload and that are associated with a hash of their e-mail address. Whenever they use their e-mail address, systems such as WordPress retrieve their picture from the Gravatar server and display it. While pretty neat as a concept, it carries potential privacy issues and might track users cross-domain. The strategy here is twofold. When commenting, users are asked for consent to retrieve their picture from Gravatar. If consent is given, the user's picture is retrieved from Gravatar by my server (not by the user's browser), cached on my CDN, and then served to the user through my CDN. Gravatar is thus not able to track people cross-domain. If consent to use Gravatar is not given, a colored icon is procedurally generated using the user's e-mail.
The generated icon is then cached on my CDN, and used whenever the user comments by leaving the same e-mail address. No cookies are ever stored for this operation. In a long comment chain, authors can in this way be followed by looking at patterns and colors. Thank you Avatar Privacy for allowing all of this very easily in WordPress.
- Speaking of CDNs, I used to use Cloudflare to cache and distribute some parts of my website through their network. Here is the thing: Cloudflare works great. There is not a single one of its functionalities (including their cdnjs.com service) that I do not enjoy. Its implementation is however potentially dangerous not only for privacy, but for security as well. They also can (and very likely do) gather a lot of analytics and track users through their network, which is very extensive. I am also not a huge fan of the recent trend of centralizing Internet services, and Cloudflare is very much moving in that direction. I switched to X4B.net after a good offer on a Web hosting forum, because it meets the same needs I had for using Cloudflare. It provides edge caching, a Web Application Firewall (WAF), intrusion detection, and DDoS protection. The difference is that, besides being a smaller company than Cloudflare, X4B handles its reverse proxying features through a GRE tunnel, so at the network layer already. So far, it's been working very well. Furthermore, I got a very good deal for a lifetime account at WP Compress, which uses BunnyCDN and Google Cloud as backend, to provide optimized images on a content delivery network.
- Related to the previous point, my DNS used to be handled by Cloudflare. X4B provides complimentary (and paid add-on) Rage4 accounts; Rage4 is one of the best-performing DNS services.
Please note that some individual posts might still have external tracking, which might be enabled by embedding third-party media such as a Tweet or a YouTube video.
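The Gravatar point in the list above, as an added example (not code from this post or from the Avatar Privacy plugin): Gravatar's classic identifier is an unsalted MD5 of the e-mail address, so it is identical on every site, whereas an icon derived from a site-keyed hash stays stable on one site but cannot be linked across sites. The HMAC scheme, the 5x5 mirrored grid, the site secrets and the e-mail addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac


def _normalise(email: str) -> bytes:
    # Gravatar trims whitespace and lower-cases the address before hashing.
    return email.strip().lower().encode("utf-8")


def gravatar_id(email: str) -> str:
    """Unsalted MD5 of the address: the same value on every site that embeds it."""
    return hashlib.md5(_normalise(email)).hexdigest()


def local_icon_seed(email: str, site_secret: bytes) -> bytes:
    """Assumed scheme: HMAC-SHA256 keyed with a secret that never leaves this site."""
    return hmac.new(site_secret, _normalise(email), hashlib.sha256).digest()


def identicon(email: str, site_secret: bytes, size: int = 5):
    """Return (rgb, grid): a colour and a size x size boolean grid, mirrored left-right."""
    seed = local_icon_seed(email, site_secret)
    rgb = (seed[0], seed[1], seed[2])
    bits = int.from_bytes(seed[3:], "big")  # remaining bytes drive the pattern
    half = (size + 1) // 2
    grid = []
    for row in range(size):
        left = [bool((bits >> (row * half + col)) & 1) for col in range(half)]
        mirror = left[-2::-1] if size % 2 else left[::-1]
        grid.append(left + mirror)
    return rgb, grid


def render(grid) -> str:
    """ASCII preview of the icon pattern."""
    return "\n".join("".join("##" if cell else "  " for cell in row) for row in grid)


if __name__ == "__main__":
    email = "alice@example.com"              # constructed address
    site_a = b"constructed-secret-site-a"    # constructed per-site secrets
    site_b = b"constructed-secret-site-b"
    print("Gravatar id (any site):", gravatar_id(email))
    for name, secret in (("site A", site_a), ("site B", site_b)):
        rgb, grid = identicon(email, secret)
        print(f"{name}: colour={rgb}\n{render(grid)}")
```

The same commenter gets the same icon on every visit to one site, but two sites with different secrets produce unrelated icons, and nothing is requested from a third party.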