User Privacy plugin, consolidate privacy protection features

[mattab]

Proposal for a consolidated User Privacy plugin

• Move AnonimizeIP functionnality to this new plugin
• Allow changing count IP bytes to remove in the UI. A Radio button allows to remove 1, 2 or 3 bytes of the IP.
  • for backward compatibility, if the config setting is found and the UI wasn't used yet (ie. no setting found in the _option table), then we can use the config file setting. This is similar behavior to "General Settings" options.
  • Currently the IP is cleared just before recording the data in the log table. AnonymizeIp: introduce new hook for masking the IP at tracker runtime #2095 proposes that the IP should be cleaned as early as possible in the process, to ensure no other plugin etc. could use the full IP.
• UI allows to enable "Do not record Referer information". While I personnaly don't like this recommendation, we could offer it as it was recommended by German privacy group. When enabled, and setting stored in _option table (and cached in the tmp/cache/tracker/general.php file), then the parameters urlref and _ref in the piwik.php GET request will be cleared at the start of the Tracker process, to ensure no plugin or process can use / record the referers.
  • When clicked to enable, the Referers plugin would also be disabled.
• The Opt out plugin feature would be moved to this plugin as well.
• These settings/ features would all be available under the new Admin menu called "User privacy"

[peterbo]

The consolidation of the privacy plugins within the User Privacy plugin is a good solution for consistency in the UI.

Should the cookie lifetime also be editable here or will that remain a tracker method from 1.2 upwards?

I also don't like the referer being not tracked. Webanalytics is somehow losing its intended purpose here. I think it will be enough to work on it with low priority.

[robocoder]

We can set the third party cookie expiry in the UI. The tracking code generator could use this value.

[mattab]

I think we don't have to implement the Referer hiding even, nobody will use it.

The cookie lifetime is a task for the ticket #1845

See also Privacy & Web Analytics

[mattab]

See also: customize some specific CSS of opt out frame: #1929

[robocoder]

The ip anonymization could also be by netmask or cidr notation. May offer separate masks for ipv6 vs ipv4.

[anonymous-matomo-user]

I mentioned this on Twitter so I thought I should elaborate a bit more. In IPv6, IP anonymization is not achieved by stripping the last byte of the IP address; anything in the second 64 bits of the address can be device-specific (i.e. used to identify a specific MAC address, see http://www.ietf.org/rfc/rfc3041.txt for problem statement and current solution.

In fact there is currently no definitive way of obtaining this privacy because most ISPs and DSL providers have not announced their rollout plans yet.

It might be sufficient to strip the last 4 tupels of the IP address (i.e. only retain 64 of the 128 bits that an IPv6 address has), but it might even happen that this is not enough. OTOH, stripping all but the first 48 bits is maybe better.

This insecurity is why a configurable netmask/CIDR is probably the best idea for the AnonymizeIP plugin in v6.

[peterbo]

(In [4856]) PrivacyManager / Delete old statistics from database; Refs #2233, #53, #5

[mattab]

(In [4861]) Fixes #2233, Refs #5425

• enable new plugin on upgrade
• Display message "your changes have been saved"
• fix link redirect without idSite by using smarty function {url ...}

[peterbo]

(In [4868]) Refs #2233, #53, #5

• tweaking / optimizing / commenting

[anonymous-matomo-user]

For clarification, does this plugin replace the functionality of the DoNotTrack plugin from ticket #2048?

#2048

Reading through the ticket info is unclear.

Uncertainty about Piwik compliance with recent DoNotTrack legislation is stopping us from using it on our new Aeolus Project website. Having this clearly understandable for people, ie which plugin-to use, and is it sufficient, would be really useful. :) (maybe an item in the FAQ?)

[robocoder]

Justin: in Piwik 1.5, the Privacy plugin does not replace the DoNotTrack plugin because DoNotTrack is not part of the core distribution; it runs independently, so if you want that functionality, just install the DoNotTrack plugin.

[peterbo]

(In [5772]) Refs #2233, #2095, #2902 - set ip_address_mask_length and ip_address_pre_mask_length on anonymizeIP-plugin activation. Synchronize both variables on PrivacyManager call.