Cloudflare’s privacy crusade continues with a challenge to one of Google’s big data sources
The cybersecurity and content-distribution company Cloudflare has become a major part of the Internet’s infrastructure, so here’s a move that might cause concern at Alphabet HQ: Cloudflare is launching a privacy-friendly rival to Google Analytics.
Google Analytics is a free toolkit that’s used by website administrators across the globe to help them track the behavior of the people visiting those sites—how they find them, what they do there, the devices they’re using, and so on.
However, the service—the most popular of its kind—also helps Google track websites’ visitors, so it can better profile them for advertising purposes. This privacy-invasive aspect makes many people squeamish.
And that’s where Cloudflare would now like to step in.
Around its birthday every year, the decade-old company—which went public last year—announces a move intended to “give back” to the wider Internet community. These moves are often related to privacy.
In 2014, Cloudflare offered free website encryption, thus quickly doubling the number of “https” sites out there. In 2017, it started offering unmetered protection for customers facing huge “denial of service” attacks that would otherwise knock them offline, so small businesses wouldn’t be left vulnerable. And in 2018 (albeit in April rather than late September) Cloudflare launched a privacy-friendly Domain Name System service that now has 100 million users.
On Tuesday, it unveiled Cloudflare Web Analytics, a free-to-use toolkit that largely replicates what Google Analytics offers—minus the invasive tracking, and thus the ability to assess the performance of targeted ads carried on websites.
Cloudflare Web Analytics is immediately available to the company’s paid customers, but any website owner will be able to use it from some point in the coming months.
“We look out to see what are the hard challenges, and then announce products that are typically free or very low-cost,” CEO Matthew Prince told Fortune on Monday, ahead of the launch. “This year…it is palpable how much privacy and concerns about data are becoming one of the real touchstones that are differentiating various tech companies.
“You have companies like Google and Facebook which have made all their money off of having ad-supported business models. There are things that are good about ad-supported business models—it’s a fair way to make content available to everyone—but there’s also no doubt that there has been a level of abuse on the security front, on a performance-of-the-Internet front, but mostly on a creepy, ‘I don’t want Google and Facebook to know everything there is about me’ front. We thought, are there ways we can help in overcoming that challenge?”
Cloudflare’s scale is crucial here, Prince said, because it takes substantial resources to run a free analytics platform, and Cloudflare already has a giant network that can support the load.
“If you were starting from scratch, it would be hard,” he said. “We’re still a business, so our hope in providing this is people will use this, see what’s going on on their infrastructure, and then they’ll choose to pay us for the other services we provide, like making their site run faster, and protecting them from cyberattacks.”
Mitigating the “Splinternet”
The move could prove particularly attractive for organizations running online services in Europe, where privacy laws say people should be tracked online only after they have given their active consent.
“We’ve been hearing from a number of publishers in Europe that they want to make sure they’re tracking as little as possible, while still trying to understand how their content is being received,” Prince said.
But when it comes to addressing regulatory concerns in Europe—and elsewhere—Cloudflare Web Analytics isn’t the company’s only big announcement this week.
On Monday, Cloudflare launched a beta testing program for a cloud technology called Durable Objects. You can read the technical explanation here, but in essence this is a tool that allows developers of online services to make those services comply with the increasing number of data-localization and data-protection laws that limit where users’ data is supposed to go.
Coincidentally, this is an issue that is also currently on the radar of website publishers operating in Europe.
After the EU’s top court signaled in July that it would become difficult if not impossible for organizations to legally send Europeans’ personal data to the U.S., due to the privacy and espionage laws there, the bloc’s privacy regulators formed a task force to examine a barrage of complaints about Google Analytics and Facebook Connect, a log-in service that is also embedded across millions of websites. The privacy activists that made the complaints say Google and Facebook are breaking the law by sending Europeans’ personal data to the U.S., where it might be scrutinized by the likes of the National Security Agency.
With Durable Objects, Cloudflare says, it is possible to specify where particular data will reside on Cloudflare’s network, so—for example—a German user’s data does not have to leave Germany. Or, with an eye to other current news, a service such as TikTok could ensure that U.S. users’ data never leaves the U.S., without having to create a separate version of its service for that country.
“There’s going to be a substantial opportunity for companies to create the tools to allow different types of computing paradigms to exist to support all the different regulatory regimes that are out there,” Prince said.
Could such a tool be useful for Facebook, which could soon be forbidden from exporting Europeans’ personal data to its U.S. data centers, and which has suggested it might as a result need to stop serving people in Europe altogether?
Prince stressed he had no inside knowledge of how Facebook’s systems were architected, “but the dominant model for building applications in the past has assumed that data resides in one location, and that it’s centralized.”
“We think a new class of applications [is coming] that are designed to meet these increasingly complicated regulatory environments, and we want to provide the picks and shovels to facilitate that,” he said. “If you can have a social network and have the data stay local to countries around the world, that could be a really positive development for keeping the Splinternet from happening at an application level while still meeting the very reasonable and legitimate concerns about data localization and privacy around the world.”