Not any of your logos per se (rather, I haven't done a deep dive yet :P), but when I usually see a SaaS say that they partnered with so and so BigCorp, I just assume it's one developer trying out the product, as compared to a team using it for an extended duration (granted, everyone's doing that). So I just skip that testimonials section now.
Netlify lost my trust a year ago when they tried to increase our company's pricing more than 10x. (We were paying ~$200/mo, then they tried to force us into a $2,500+ plan because we were 1 seat over their self-serve threshold.)
From my perspective, they were adding features just to find ways to grow revenue. (I get it, you don't have a huge moat by simply hosting static sites.) But their features seemed very out of touch with our needs, and I can't imagine we were the only ones.
As a Gatsby user on a large-scale website, I'm disappointed to see this acquisition because I'll now constantly be worried they'll try to pull a similar stunt with Gatsby.
Since then, I've been using Next.js + Vercel on side projects, and now with this acquisition, I don't see that changing going forward.
Trust and loyalty is everything in the developer community. It's hard to gain and easy to break. Hopefully other developer-focused alternatives will keep this first and foremost in their head so we don't end up in this situation with other platforms down the road.
Vercel has betrayed my trust and expectations perhaps more than any other provider. They advertised open standards and then did a bait-and-switch to proprietary systems. They also broke our automated deployment pipeline out of the blue and called it a feature, not a bug. They don’t seem to care much about security, either. [1]
If you want “old reliable” that works how you expect it to, with the ease of use of a modern platform, and one that won’t break the bank, my pick would be Cloudflare or Render.
> They advertised open standards and then did a bait-and-switch to proprietary systems
I'd love more detail on this. We have made major investments in open source and ensuring Vercel is an open platform.
◆ The Vercel Build Output API exposes all the underlying primitives of the platform for every framework to take advantage of (https://vercel.com/blog/build-output-api)
◆ We've diligently invested in standard-compliant API signatures. Serverless Functions adopted the Node.js request / response standard (as opposed to e.g.: AWS Lambda inventing a new one) and Edge Functions adopt the Web standard. We've joined WinterCG to foster this standardization effort (https://wintercg.org/)
◆ We've always invested in API compatibility between local development, self hosting and Vercel infrastructure (e.g.: `vc dev` is open source https://github.com/vercel/vercel).
◆ We're continuing to invest here. Next.js and Vercel build outputs are always getting more detailed, we're exploring support for running build outputs locally (`vc start`) as an open source offering, etc.
> they don’t seem to care much about security
We added support for your feature request, and security remains the top priority of the company. Some recent ships:
Thank you Guillermo. One thing I am still curious about is, is there still a difference between serverside rendering and static site generation for things such as next/image, next/font, etc? Last time I tried SSG, next/image was not supported, but I could use a third party tool to optimize my images correctly, so I didn't understand why next/image couldn't do the same optimization at build time without relying on a CDN as in the case of SSR.
One fascinating thing (especially in view of this topic) about `next/image` is that the primary reason we decided not to optimize upon `next build` or `next export` is that we'd have all these customers migrating from Gatsby telling us their build performance was holding them back, and a big chunk of that was `sharp` optimization and overly eager static generation. Image optimization fits a "dynamic" model much better.
… it shows how Vercel lazily optimizes _specifically_ (1) for the images in viewport and (2) for the devices requesting those images. And new pages and images can be added without redeploying.
I think we could still put image optimization behind a flag with a durable cache at build time (think: `next export --optimize-images`), but it's always been hard to prioritize it as the world moves further away from pure-static solutions
As a userspace alternative, I don't think it'd be too hard to do a post-build script that runs `sharp` on a `source-images` folder, outputs it to `public/static-images` with content-addressable checksums, and sets `cache-control` in `next.config.js` `headers` to `public, max-age=31536000, immutable`. Oh, and you could first check if there work has already been done in `.next/images-cache` or something that the CI provider would cache across builds, to make it a bit faster.
The way to think about our edge runtime is (which is something you're seeing across the board in the industry) is that there's a pure subset of WinterCG APIs, plus Next.js enabling a compatibility layer on top to play nicely with the _vast_ npm ecosystem.
Everything about the feature you're referring to is open source. We're expanding our documentation to better present this compatibility layer.
There's no compatibility layer for AsyncLocalStorage though, and it's not something that can be polyfilled without runtime support. Requiring it in Next.js has forced all the other edge runtimes to implement it in its un-standardised form if they want to support Next.js. Putting it on globalThis is particularly egregious in a runtime that's meant to be standards-compliant and championing the AsyncContext standard. And what about Headers.prototype.getAll()? That's a non-standard method on a standard object that is only implemented by Cloudflare, yet Next.js started using it in a patch release. I get it: you have no incentive to make life easier for other runtimes as used by competitors and AsyncLocalStorage is a really useful API, but people should be under no illusion that you're being a good citizen with the standards here.
They did this to us as well. And not only this, but they blocked our ability to push new releases until we opted into the new plan. And this literally happened on the day of a major release for our biggest client. It felt like we were being held at gunpoint.
We called them and begged them to give us an extension so we could perform the release, and their sales rep treated us like we were the irresponsible ones for not reading the emails they had sent us carefully enough.
We've since moved to Vercel and will never use Netlify again because of the way they managed this.
IIRC they had recently added a user cap on self-serve customers which was new and led to this. The new pricing deck they sent was "It will be $3,500/mo, but until the end of the month, you can get it for only $2,500!" (Pricing approx.)
But it's not to host a static site, it's one click CD, multiple environments, global CDN, and a few more things. I'm not going to say how mu h it is worth, but if you just want a static site with a domain you can do it for free/sub $10 on many many providers.
Sounds like the OP didn't ask for or want those things. I think it's reasonable to be annoyed that a cheap tier that provides exactly what you want and nothing more has been taken away.
SSO is probably the only thing. Other than that, no idea. Netlify pulled the same stunt with us and we left. They must have burned many bridges by now.
That's not a fair comparison. Looki at Netlify[0] and Vercel's [1] pricing sites, the per-user pricing for the "pro" tiers is the same and Vercel gates the features that are in the Netlify "business" tier behind an enterprise contact-us paywall.
I suspect that if you're using these "as expected", your bill on both sites would be the same.
Digital Ocean's App Platform looks to still do basic static sites at a reasonable rate (free for up to 3 sites). I've been a very happy App Platform customer, although not using static sites.
With more people than ever working remotely, many are interested in ending their lease and exploring America – even moreso now that Starlink is widely available.
At this point, it's a directory site, but I aim for this to be the Wikipedia of RVs.
But if you don't know RVs, it can be daunting to figure out what you need. That's why I also created a Bubble app (as a prototype) that offers a wizard to help you find exactly what you want. It asks a series of questions in a TurboTax-style wizard:
I was on the receiving end of one of these recently. I was looking for US-based contractor, found someone whose profile looked legit, and reached out. In the phrasing I got back via email, I knew this wasn't the native English speaker I was expecting.
You gave me my start in 2009 when you let me build Posterous themes. That experience introduced me into the world of startups, pushed me to become better at code, helped me get my start in design, and ultimately changed my life forever.
I can't thank you enough for giving a nobody like me a shot, and I can't wait to passively watch as you continue to do this for countless others!
"which created confusion about which companies Brex would still serve."
Created confusion?? Brex literally sent out an email telling me my account was being closed. But yeah okay, let's call it "confusion". This is a non-admission of guilt.
Don't put it on your customers failure to understand what you mean when this is literally what you sent:
last week: "we've decided to close your account, you have one month to f off"
this week: "We didn’t clearly communicate who qualifies as a Brex customer moving forward, the truth is you're dead weight so f off (you have three weeks)"
edit: lol whoops deadline was aug 16, but i read it as july 16, which made the numbers sound a lot punchier.. still brutal tho
Yeah the fired customers had clarity. The confusion was among all the existing and future customers that Brex wants retain, but who now question whether their business is still supported and for how long.
Most of the people using GA wouldn't be able to set it up correctly. I switched my personal site from GA to Microanalytics, since I wanted to avoid spending time trying to figure out how to configure GA to be conformant.
Google should be the one doing the compliance work. If Italy bans some usage pattern in GA, it's Google that should make it impossible to configure it in non-conformant way.
I agree 100% with your second paragraph. I also hope they introduce massive "percent of revenue" fines when Google "forgets" to ban illegal activity on their (near-monopoly) advertising platform. Massive fines has genuinely changed the behaviour of sales & trading at global investment banks. We can do the same for FAANG and friends.
The most difficult aspect is dealing with URLs. But a company that is large enough to be customizing URLs per user, is large enough to make a few JS changes to ensure they aren't sending those details to GA.
Some time ago Google gave EU admins the option to select a local regional (EU) server. This means the data is not send to the US. But! It’s still nog fully legal as the Google HQ (and thus the US government( can still access all the data.
This will never be repealed. It was introduced to effectively enshrine a right US authorities have had since the PATRIOT Act was introduced 17 years prior, since that act had become politically contentious and was left to expire.
If anybody seriously thinks US authorities will quietly lose a key power after enjoying it for 21 years, I have a few bridges ready to be sold.
No one said "quietly" -- but there has to be some threshold of backlash that would knock it back. My guess is that European privacy law could combine with it to do enough impact to large American businesses that they'd use their political weight to do something, whether or not it were to improve matters from the perspective of privacy/sovereignty.
something I'm not getting here. If you buy a EU engineered IoT home appliance that has PII including, whether a user is presently inside their home, then every company I know operating in this market uses US based clouds (what other options are there LOL) to do things like digital twin or device shadows but by using a local availability zone.
So this is very different than GA, but depending on the threat-model can be worse. Also very similar metrics can be gathered from the data as from a GA cookie (are they eating, cooking, showering, watching TV).
CloudAct would (or should) in this case also apply here or what am I missing?
You're not missing anything. A lot of companies just have no idea of the legal landscape, or simply ignore it in the name of convenience. That's because consumers are even more ignorant of their rights around technology and don't sue them. It will take a lot of civil litigation for this to change.
I am only aware of Hetzner. (German) The other day I was checking out there offerings and I was amazed at how easy it is to order a vm. And then it is live the next second. It is amazing.
Obviously they don’t have full range of services the big three have. But maybe just enough anyway.
The watchdogs are extremely slow and have a huge backlog. You’re right that storing that data in the US or without transferring ownership to an EU subsidiary would not be legal.
Presumably the Five Eyes alliance could also mean that servers in Australia, Canada, New Zealand, and the UK may also be unusable since they share intelligence information with the US.
> (God willing they repeal it, even if only for the international commerce implications...)
It's hard to express how impossible this is. It is very very strongly in the state's interest to keep powers like this. We're more likely to get communism...
This then comes down to whether you think the US govt. these past few decades is better at self-perpetuating power or toadying up to the demands of capital. Cynicism vs. cynicism!
If Google US can access the data, that means the US government by extension can also. This is exactly what GDPR doesn’t want happening. More details in this open letter by Max Schrems “ the Court has clearly held that US surveillance laws and practices violate Article 7, 8 and 47 of the Charter of Fundamental Rights” https://noyb.eu/en/open-letter-future-eu-us-data-transfers
The Italian market doesn’t have to apply to Google USA either.
Companies can always choose to ignore a specific nation’s laws[1], they don’t still get access to that nations markets. At the borders the nation state is the one with the guns and firewalls
[1] unless you piss off a nation that can project global power, lol if you piss off China or America
Chinese and American police forces both operate abroad and like to flex their power. The NYPD was in a similar situation post 9/11 when they started trying to police nearby states and when they sent operatives to other countries even against their own federal government [1].
Russias also sent operatives overseas in some fairly public assassinations. It’s not really surprising that China does this, it appears to be the default operating procedure of powerful countries
Oh yes they do. GA is part of a company that also sells services in Italy. They should follow the law if they want to keep earning that non-US Adwords money that allows GA to remain free.
Yes, the Italian law that prohibits sending data abroad applies to Google Italia, but Google USA is submitted to the USA law, that says that the USA government can request any data from Google Italia and they are required to get it.
So the existence of Google USA makes Google Italia operation illegal.
The article has the watchdog suggesting exactly that (the specific site has 90 days to use GA in a compliant way, no direct complaint against GA), so it seems from their point of view it's legal.
The title of this post and a lot of the comments are projecting what they want GDPR to be (all non european online entities banned from doing business in the EU) vs how its being enforced.
And to be clear Google Analytics has a setting to "anonymize" the IP address which deletes the last octet of the address and makes geolocation less accurate.
Then there's an argument that the IP address still reaches Google servers before it's deleted. But that's just splitting hairs at this point. If Google doesn't process the data with IP the IP address I see no harm.
IP addresses are not something that you can choose to not send at all. It's kind of required by the TCP/IP stack. If that was the case users in EU could not access any website in the USA.
The GDPR is a product of the Snowden revealed pervasive surveillance done by US TLAs. Keeping the data in EU vs sending it over to US under assurances is a big hair.
> just illegal to use in its default state which transmits PII to the US
As I mentioned in a sibling comment, this is technically true but complying with GDPR takes more than unchecking a few boxes. I've never seen any GA set-up that would remotely approach compliance. At minimum, you need to mask IP's before they reach Google, which means standing up a non-Google server to proxy all the hits. That is more complexity than 99+% of GA installations.
The current issue isn't the lawful basis for the processing, as compliant companies already only use Google Analytics once they have consent. The issue is that without an adequacy decision from the EU to allow data transfers to the US, and with the global reach of US authorities thanks to the CLOUD Act, there's no way to keep personal data safe from US law enforcement.
My current understanding of google analytics and GDPR compliance is that you can use it in a GDPR compliant manner without that much trouble.
On the older UA there is a simple flag that enables IP anonymization and on the new GA4 there is purportedly no need for it as they don't collect or store the IP at all.
For many clients I have set up a cookie compliance tool like Onetrust, which blocks loading of GA and other scripts with one of the consent popups. With this combined configuration (and having verified nothing sneaks through before someone gives consent) most company legal / compliance teams I have worked with have deemed this to be a fully compliant setup. Of course, this might not be actually compliant, but the company legal team has done some research and arrived at this as the most advantageous position currently available.
I think using a compliance based tool like Onetrust also gives a sense of legal security in that if our configuration is properly set up they are advertising that we then get compliance as part of their service, and so responsibility of a violation could potentially be passed to them in a legal setting.
I'm not so sure your take on IP address anonymization. The source states:
The Italian SA found that the website operators using GA collected, via cookies, information on user interactions with the respective websites, visited pages and services on offer. The multifarious set of data collected in this connection included the user device IP address along with information on browser, operating system, screen resolution, selected language, date and time of page viewing. This information was found to be transferred to the USA. In determining that the processing was unlawful, the Italian SA reiterated that an IP address is a personal data and would not be anonymised even if it were truncated – given Google’s capabilities to enrich such data through additional information it holds.
The Google documentation says:
The IP-anonymization feature in Universal Analytics sets the last octet of IPv4 user IP addresses and the last 80 bits of IPv6 addresses to zeros in memory shortly after being sent to Google Analytics.
IANAL but I'm pretty sure the IP anonymization setting is no longer an acceptable way of getting GDPR compliance. It may have been acceptable under Austrian or French ruling before, I don't know about those, but from 90 days from now you'll have to explicitly require consent for _at least_ all Italian users.
As a side note, OneTrust has the worst of the worst cookie banners, to the point that I no longer even open websites that have that crap installed. It's also illegal by making it harder to reject tracking than to opt-in, there just haven't been any specific lawsuits about this party yet.
That Google documentation is for the IP anonymization feature of Universal Analytics, which is being sunset in about a year.
Google announced earlier this year that Google Analytics 4, its successor, does not log or store IP address at all.
I don’t know whether UA or GA4 service was the subject of the Italy case, but I would not be surprised if it was UA. Most sites have not switched over to GA4 yet.
> Google announced earlier this year that Google Analytics 4, its successor, does not log or store IP address at all.
So if I go to a website and it has me load code from Google's servers it's still got to send my IP address to them. I'm not sure why we'd take them at their word that they won't keep that data around (I'd like to see that independently verified). but it'll be sent to the server logs if nothing else. What does not storing the IP address even mean? Do they hash it and store that instead? Do they do a quick lookup and just flag your dossier logging the connection and when it happened before dropping the IP info?
If people care about their privacy I think it's probably best not to send information to Google in the first place. There are alternatives to google analytics after all.
In a privacy-conscious implementation of GTM/GA, those scripts can be loaded from a first-party server controlled by the company, and Google will never see the user's IP address.
There is no real alternative to Google Analytics for most companies because of the Google Ads integration. If you advertise with Google, you need to send them conversion data, which means the GCLID. Without Google Ads, switching would be simple. Most enterprises already pay for other analytics tools.
> In a privacy-conscious implementation of GTM/GA, those scripts can be loaded from a first-party server controlled by the company,
Thanks! I didn't know that was an option. I haven't noticed sites doing it yet at least, but I hope it catches on even for sites targeting US visitors! It'd be especially nice for government websites using GA.
> Google Analytics 4, its successor, does not log or store IP address at all.
The fact that it receives the IP address at all renders it illegal in Italy, and probably anywhere GDPR is in force. And IP address truncation doesn't get you anywhere; it's Google that does the truncating, so the whole address is actually sent to Goo, by which time it has departed from GDPR jurisdiction.
> For many clients I have set up a cookie compliance tool like Onetrust
Every time I've seen a cookie popup from Onetrust, it was obviously illegal because "Reject all" was not the easiest option. It's fine if "Accept all" is as easy as "Reject all", but nothing is allowed to be easier than "Reject all". Have they fixed that yet?
This is actually a setting within OneTrust which has a terrible default. We (had to) use OneTrust on eurovision.tv, but configured it ourselves to have three equally styled options.
If you are breaking European law, you can't operate in Europe? What is so hard to understand about this? Amend your code to not send PII of Europeans outside Europe, or pussy out and give a "451 Unavailable For Legal Reasons".
I understand that this is primarily an advertisement for Posthog, but if you're going to keep posting it you might want to keep it up to date. There are only 4 countries on your map and one of them is:
> The Dutch Data Protection Authority warns that the use of Google Analytics 'may soon no longer be allowed', after a ruling by the Austrian privacy regulator. A definitive conclusion is said to come at the beginning of 2022.
At least you removed "the only open source product analytics platform" and the Google fonts since the last time a Posthog employee posted it https://news.ycombinator.com/item?id=29994183
NOYB is the primary source tracking these cases and generally was also responsible for filing the complaints that led to them. All the details are available from NOYB's GDPRhub wiki, https://gdprhub.eu. GDPRhub attempts to provide information on all the European DPAs including how to file complaints. At the least it provides contact info for all the DPAs and English translations of DPA decisions.
As stated in 13 Jan 2022 announcement on noyb.eu, these decisions are generally the result of the "Max Schrems II" decision. After that decision, Schrems filed 101 complaints to DPAs, and now the chickens are coming home to roost.
Note that the "legality" of Google Fonts, under the default configuration, is also in question. Arguably use of Google Fonts is even more widespread than use of Google Analytics.
