Responsible Site Analytics

Photo by Maxim Hopman / Unsplash

Note: this post contains a referral link for Fathom Analytics

Perhaps you've heard of Google Analytics - in fact, I bet you have. Maybe you don't know it or see it, but you have been tracked by good ole Google at least once, and I am willing to bet daily, in most cases. Google Analytics is used by a ton of companies around the world because it's both easy and informative - it comes with great visualization tools and you can target down to specific areas or types of customers.

But how it can target specific customers is a bit of an ordeal and is very problematic. In fact, there are a number of tracking tools beyond Google Analytics that watch you move through the internet and make profiles of you and help target things such as ads. Although it's convenient to see adds for, say, Icelandic vacations or new curry mixes, it's still giving information about yourself to someone that may or may not have good intentions.

This carried on for a long while until General Data Protection Regulation, or GDPR

If you can recall a few years back, you visited any number of sites and perused along nicely, not really having to deal with pop-ups (unless we wind the clock even further back). You clicked onto your favorite news site and just started reading.

Then May 15, 2018 rolled around and it seemed that every website in the known universe was asking you to allow cookies and sending you privacy notice updates. Wanted to go to your favorite online retailer? Please accept cookies. Recipes from famous chefs? Accept cookies. Your bank or doctor? Better believe you need to accept cookies. What's a cookie? Doesn't matter, accept it or you can't read the local weather.

Donuts halo’ed with fruits and flowers. Whatever could be better?
Photo by Brooke Lark / Unsplash

The real reason that the world seemed to explode with those notices is that GDPR kicked in on that day and sites that operated in the European Union were required to get explicit permission to use tracking cookies. Among the 88 pages that GDPR is, it's a single paragraph that made cookies such an important deal.

However, on this site, I track to see where the clicks come from, what parts of the world visitors are checking my blog out from, and what pages seem to be the most clicked on. This helps me get an idea of what people enjoy and don't enjoy in my blog. Yet, you didn't have to click a single cookie button, and there is a darn good reason.

Fathom Analytics

Screenshot of traffic from Fathom Analytics

Fathom Analytics is a platform that specifically designed a cookie-less experience to ensure privacy and autonomy of visitors. They actually make a significant deal about it in their compliance documentation, but the single biggest thing they do is dump the end-users hash key within 48 hours, meaning it is nearly impossible to crack. As Fathom puts it

The hash salts we use are SHA256 hashes, and brute-forcing this kind of hash would require 10^44 x Gross World Product (GWP). And GWP in 2019 was US$88.08 trillion. So although the data started as pseudo-anonymous, there’s no real path to brute force these hashes once the hash salts have gone, as there are just too many possible combinations to try.

So, quite simply, the data they collect is made compliant from the outset as the focus is on privacy instead of profit. The information from the analytics is still usable while having completely anonymity from the person visiting my site (although hello to Belgium and France!). There is no invasive cookie following you around, recording that you searched for the "history of concrete" to settle a disagreement and that you added a copy of "The Last King of America" to a cart from your favorite local bookstore's website. There is no profile being built of you that I can see, merely what you clicked on, how you got there, and basic browser information.

This is all invoked with a single line of Javascript that is injected in the head of my various sites (including and my Five Scholars homepage) that grabs this information and sends it to Fathom to process. You can self host, but I have found them to be responsible with the information and very durable.

What does the code look like? For this site it's

<script src="" data-site="UMYQBDCB" defer></script>

And that's it.


As you build and design sites, blogs, shopping carts, or whatever it may be, consider that the end user might use things like Privacy Badger or other anti-tracking tools to prevent you from doing invasive tracking and consider what you can do with a lighter touch, such as with Fathom. Does your site need invasive profiles? Would it work to know what they click through and exit on?

In the scope of Data Ethics, there's a lot to consider here. Cathy O'Neil, PhD - occasionally known as mathbabe from her blog -is one of the foremost in the field of discussing how treating data with ethics is not only good but quickly becoming paramount. She is most famous for her book Weapons of Math Destruction in which she explains her position with real life examples of people getting arrested or losing mortgages to unethical use of data - whether intentional or not. She also has a truly excellent Ted Talk on the matter as well. Relying on invasive algorithms can hurt your end users more than you think!

Fathom itself is not a magic bullet, but on the path of making data fair and keeping private information private, and it's an important consideration for being responsible with your site's information.

Marty Henderson

Marty Henderson

Marty is an Independent Consultant and an AWS Community Builder. Outside of work, he fixes the various 3D printers in his house, drinks copious amounts of iced tea, and tries to learn new things.
Madison, WI