San Sebastián de los Reyes, Madrid, Spain. May 30, 2010.
Analytics and Privacy: Piwik
Spacewalk at Roswell Space Center, Roswell, NM, United States. March 29, 2016.

Analytics and Privacy: Piwik

The EU has all but given up on its cookie-war. Google, Facebook, and others are rejoicing in the renewed explosion of use of third party cookies, but what about Piwik, the free alternative that cookiewalls helped propel?

I was looking at adding analytics to this webpage, because I like looking at pretty graphs. Still, I refuse to compromise by adding to the mess that is third-party cookies, shady remote-loaded JavaScript, and so on.

That means Google Analytics is clearly out. As I recall, back in the day, we had Nedstat which got acquired by comScore which got acquired by Adobe. Hard no as well. Google Plus buttons, Facebook Analytics, New Relic collectors, etc.? All the same problems with different names.

Then there’s Piwik. The knight in shining armor that seems to be taking over ever since the EU imposed the burden of the fugly cookiewall. Until today I didn’t know much about Piwik other than that it is self-hosted and provides analytics. Many websites use it to “enhance privacy.” Sounds pretty good to me!

I checked out their website, which certainly has all the right marketing:

Piwik ensures the privacy of your users and analytics data. When using Piwik, YOU keep control of your data. Your data is stored in your own MySQL database, and logs or report data will never be sent to other servers by Piwik. Web Analytics Privacy in Piwik, piwik.org/privacy

Of course privacy is meaningless without security, so that was my next stop:

Security is a top priority at Piwik. As potential issues are discovered, we validate, patch and release fixes as quickly as we can. We have a security bug bounty program in place that rewards researchers for finding security issues and disclosing them to us. We also document here how you can make your own Piwik data safer and secure your server. Security, piwik.org/security

I’m with you so far, Piwik dot org. Let me express my feelings with an emoji: :+1: All right, time to download this thing and take it for a spin. Oddly, there didn’t seem to be any .debs in Ubuntu other than this one:

ruby-rack-piwik - piwik Analytics racking in your Ruby-Rack based project

This site doesn’t have anything fancy like that, so that’s not very helpful. Thirty seconds later I had some .zip file downloaded (zip? Really? Yes, really) without any signatures or checksums. There are no references to OS repositories that do have such features either. Okay, that’s a little … odd.

Unpacking the .zip yielded the typical stuff like README.md and LEGALNOTICE, but also a file called index.php and one called piwik.php. Oh dear. This is PHP and there was a reference to MySQL earlier. This does not bode well. Let’s have a look at the installation instructions anyway.

Opening that page made my heart drop. “The 5-minute Piwik Installation”. Fuck. This is going to be a typical PHP+MySQL installation, fuck security, fuck privacy, just get ‘er to chooch and she’ll be apples. Let’s read it anyway before jumping to conclusions, but my spidey-senses are tingling.

Open your FTP client and upload the Piwik files in ‘binary mode’ to the desired location on your web server. All files can be uploaded to a “analytics” sub-directory in your public www folder, for example Piwik Installation instructions

These instructions have been included with any L*MP application since at least PHP3. It fully ignores file-ownership, server configuration, using administrative protocols like FTP over TLS, or anything even remotely similar. Shit. Keep going.

Time to get started with the point-and-click installation! […] If there is a problem, Piwik will identify it and tell you how to solve it, as in this example: Piwik installation error Piwik Installation instructions

Right. That’s an unironic chmod 777 in a product whose sole right to exist is based on the security and privacy weaknesses in other products. If that doesn’t raise any red flags, I don’t know what would. Let’s keep going anyway.

You should already have set up your MySQL database. If you do not have the database information, you may need to ask your web host or technical staff. Piwik Installation instructions

This is then followed by an image of a form where you can enter your MySQL credentials. Of course, there is no discussion of locking down user rights beyond “for added security, we recommend that you install Piwik in its own MySQL database and specify a username and password for a user that only has access to that database.” And there is no mention of how bad an idea it is to enter your MySQL master-credentials over a connection without TLS.

The same disclaimer applies to the super-user, which is created by way of a separate, but similar, form. The super-user’s e-mail address then seems to be forwarded to Piwik, giving you only an option to opt out of their mails: “By default the super user will be signed up for upgrade and security alerts, as well as for community updates. Uncheck these boxes if you do not want to receive these emails.” I’m not sure this is actually the case as there is no discusion of it in the PRIVACY.md file.

Then there is some discussion of adding the JavaScript to your site, but nothing further of note. There is no real discussion on how to secure your (or rather, your visitors’) data properly in the installation instructions. A quick Google search does, however, reveal a page called How to configure Piwik for security. I’m sure it’s linked from the main site somewhere too. All right, let’s check that out.

The first few steps are really security 101. Use a restricted MySQL user (but still not really restricted– just restricted to the database), don’t re-use your password, use TLS, have working backups, have security updates installed, buy an audit plugin, enable a security plugin… wait, what?

Apparently yes, I did read that correctly. There is a paid audit plugin to keep track of who is doing what to your data. From an entirely naive point of view I can see how this makes sense. Larger companies with multiple admins will require the oversight and won’t even think about dropping $50. Makes sense. In the real world? “Fuck it, we can do without.”

Then, apparently, there is also some security plugin called SecurityInfo that is disabled by default. Why? I don’t know, but it’s probably to do with the lowest common denominator who is busy running chmod 777 somewhere. It looks like this:

Piwik SecurityInfo plugin.

Which is the most sensible thing I’ve seen from Piwik so far. It really is shameful that this is not part of the standard installation procedures, or in one of the 30MiB worth of modules in the distrubution, and instead is a disabled-by-default third party module.

The “How to secure Piwik” site then continues on its Security 101 briefing, with advice like “use strong passwords,” “use SSH/SFTP instead of FTP,” “update your PC,” and “Change Piwik settings to respect your Users Privacy.” Because apparently that last one is not the default.

Then the last tip is a little mind-blowing:

A final (optional) security tip: use Firefox for all your web browsing. The best free software browser! How to configure Piwik for security, piwik.org/security

… okay. Why, exactly? I mean, libnss is cool and all, but baked-in SSL certificates and lack of FIDO U2F support don’t necessarily always make it the best choice. Maybe the Piwik developers have analyticsed my use of the web to such an extent that they know what’s good for me better than I do. ¯\_(ツ)_/¯

Most notably lacking is any discussion of how to run this product in a larger environment, with added security measures. There is no functional reason for the part that produces graphs to have write privileges and to live on the Internet. Storage of raw data, admin users, etc. should also not be happening on the front-end. And of course the part that does the tracking does not need read access to your raw data. If Piwik supports separating these aspsects it doesn’t seem to be documented, much less recommended.

Also, a large part of Piwik’s claim toward being secure is that they have a bug bounty program. Presumably, as usual, these are awarded for confirmed directly exploitable attacks. It won’t fix problems in architecture and attitude.

Now, none of the above is very shocking in itself. Look to any small to medium-sized PHP-project and you will certainly not see any better. Even larger projects like OpenCart, and WordPress suffer from similar issues and attitudes to security. This product, however, tries to woo its users with better security and better privacy than can be offered by Google and Facebook.

Having looked into the alternative, I can now honestly say I’m okay with Google Analytics and Facebook tracking. Both companies have business-models built around user data. That means they have a strong reason to not expose that data. Unlike the EU-sites that have switched to Piwik to avoid showing a cookiewall.

Thanks for helping protect our privacy, Europe!

And the obligatory disclaimer: For the reasons described above I never installed Piwik. I’m not saying it can’t be secured, or that it necessarily kills your privacy, but I will be adjusting my own attitude from Oh Piwik, that’s fine to Welp, better add another block-rule. I encourage you to be critical and to do whatever the fuck you want.