> And why is it OK to analyse server logs, but not OK to use javascript, to do this?
The data in your server logs is data that people sent to you on purpose (by visiting a page on your site, or filling out a form on your site). If you collect data about people by sending them code to execute and send data back to you, they're not meaning to send you that data; you're doing it behind their back.
I'm glad you try to use data you collect responsibly, but if people aren't meaning to send you data, you're not entitled to it.
Users are free to block the execution of client-side scripts though we all know what that means: much poorer to non-functional UX in many cases. Plus, to an extent browsers can control what can be collected on the client side, e.g. location, microphone input etc. (I wish there were similar restrictions on the keyboard and mouse, maybe some day we'll see that too)
But I'd agree that letting the users use a public resource on a condition that they should allow arbitrary scripts to be executed on their side can be considered unethical.
We have a Privacy Policy linked right from the landing page that states we will collect user behaviour information to improve our product.
If you walk into a shop, you have an expectation to be observed (both to check you're not shoplifting, and also to see how customers behave). They don't tell you that you'll be observed, it's just one of those things you expect when you walk into someone's shop.
We effectively have a notice on the front door that says we will be observing their behaviour while they're in our shop. They have every opportunity to walk away. I really don't see how this is unethical.
> If you walk into a shop, you have an expectation to be observed (both to check you're not shoplifting, and also to see how customers behave). They don't tell you that you'll be observed, it's just one of those things you expect when you walk into someone's shop.
The problem is that this is a poor analogy to computer networking. I send you an HTTP request; you send me an HTTP response. I'm not visiting your shop; we're sending each other messages.
My expectation is that you won't follow me around, observing how long I look at certain parts of your message, gauging my reaction to different parts of your message. That this is the norm on the web is an unfortunate reality, but it doesn't make it okay.
Sorry, but we'll have to agree to disagree on this. Visiting amazon.com is exactly like walking into a shop, and nothing like "sending messages to a server".
I totally understand that that's what's happening behind the scenes, but that's like saying "I vibrated the air in specific harmonics" rather than "I said yes".
Taking your walking into a store analogy, what you are actually doing is taking an xray of every potential customer, going through their pockets, recording every receipt from their wallet and then uniquely tagging them with a barcode all in the very moment that they touch the door handle to enter. And that's assuming you are not trying to be evil.
Could you please disclose the name of your company so I can be sure to avoid it like the plague?
The extent to which visiting amazon.com is like walking into a shop is the extent to which Amazon puts up a facade to make it feel like that. That we're exchanging messages is not just what's happening behind the scenes, it's the essential truth of how communication happens on the net.
If I were visiting your shop, it's totally reasonable for you to check to make sure I'm not stealing anything. But I can't steal anything of yours by sending you messages! (Setting aside the possibility of me hacking your server, but that's not what you're sending me javascript to check on.) Hopefully this expresses more clearly why I don't think the shop analogy holds water.
If "sending messages" is too primitive of an abstraction, we can imagine exchanging letters in the mail, or buying a newspaper, or something like that.
(BTW, I'm sorry for the unconstructive sister comment here - I definitely don't condone it.)
Like a complicated privacy policy people won't read. (not your fault) The average person also doesn't understand the depths of what going into a shop now means. Walking into a shop they might expect they are on CCTV sure, but not that they are being tracked via wifi, customer counters, and whatever else retail establishments have come up now to datamine their customers without consent.
Maybe its time for shops to have EULA's covering the entire door before I open it.
The data in your server logs is data that people sent to you on purpose (by visiting a page on your site, or filling out a form on your site). If you collect data about people by sending them code to execute and send data back to you, they're not meaning to send you that data; you're doing it behind their back.
I'm glad you try to use data you collect responsibly, but if people aren't meaning to send you data, you're not entitled to it.