In this guide, we will be covering:
- How to refresh the salt daily
- What is a salt?
- How Independent Analytics uses salts
- Why you may want to refresh the salt daily
- The ramifications of daily salt refreshes
Let’s start by covering how to switch to daily salt refreshing, and then we’ll get into the technical details.
How to refresh the salt daily
By default, the salt is never refreshed after Independent Analytics is installed, but you can switch to daily refreshing.
Start by visiting the Settings menu and locating the Salt refresh rate setting. Then, check the box labeled “Refresh the visitor salt every day.”
Once this box is checked, click the Save Settings button to complete your changes.
What is a salt?
A “salt” is a string of random data used as an additional input to a one-way hash function.
Salts are used to add a level of uniqueness to data that’s about to be hashed. If the same value is hashed with two different salts, the hash results won’t be the same, while hashing it again with the same salt reproduces the same result.
When Independent Analytics is first installed, it creates a salt, which might look something like this:
wR5tlJX9UjDV94wAQWoSRDnLCFLUftAMsKC7uyzaW0k=
This salt is stored in the wp_options table in an option named iawp_salt.
How Independent Analytics uses salts
In order to recognize repeat visitors without the use of cookies, Independent Analytics needs to remember the IP address of each visitor. This way, it can recognize the same IP and understand that this is not a new visitor but the same visitor returning again.
However, IP addresses are considered “Personally Identifiable Information” under the GDPR, so they can’t be stored in plain text. They can be saved in the database as long as they are obfuscated into an unrecognizable state that is sufficiently challenging to crack. This is why each visitor is stored as a salted hash computed from the visitor’s IP address and User Agent string.
In summary, the salt is part of our solution to convert IP addresses into an obfuscated state while retaining the ability to recognize repeat visitors.
Why you may want to refresh the salt daily
While the IP addresses are sufficiently obfuscated, it is theoretically possible to crack them. If cracked, this would provide data on all the page views and activities of specific IP addresses on your site. These IP addresses could then be linked with other data sources to reveal the visitor’s identity.
Since the salt never changes, the activities of each IP address would be viewable since the installation of Independent Analytics, which could be months or years of activity.
On the other hand, if the salt is refreshed daily, then even if it is cracked, the activities of an IP address would only be viewable for one day. Each day would have to be cracked separately, which is essentially unfeasible.
The ramifications of daily salt refreshes
There is one downside to refreshing the salt daily, and that is the reduced accuracy of the Visitors metric.
For example, if someone visits your site every day in a week, Independent Analytics would normally count them as one visitor. If the salt is refreshed daily, this same visitor will be counted as seven different visitors because they can’t be recognized beyond 24 hours. If they visit seven times within one day, they will still be counted as one visitor.
In practice, the change in your analytics likely won’t be dramatic, but you will see an overall higher count of unique visitors.
For this reason and the fact that not all of our users operate in or with visitors from the EU, we opted to make daily salt refreshes optional.
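The trade-off described above, as an added example that is not Independent Analytics code: one visitor browsing for seven days is counted under a static salt and under a daily-refreshed salt. The SHA-256 construction, the way the fields are joined, the overwriting of the previous day's salt, and all names are assumptions, since this guide does not specify how the plugin computes its hash.

```python
import base64
import hashlib
import secrets
from datetime import date, timedelta


def new_salt() -> str:
    """Random 32-byte salt, base64-encoded like the sample value in this guide."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def visitor_id(salt: str, ip: str, user_agent: str) -> str:
    # Assumed construction: SHA-256 over salt, IP and User Agent.
    # NUL separators keep field boundaries unambiguous.
    data = "\x00".join((salt, ip, user_agent)).encode()
    return hashlib.sha256(data).hexdigest()


class SaltStore:
    """Returns the salt in force on a given day (hypothetical helper)."""

    def __init__(self, refresh_daily: bool):
        self.refresh_daily = refresh_daily
        self.day = None
        self.salt = new_salt()  # created once, at "install" time

    def salt_for(self, day: date) -> str:
        # Assumption: a refresh overwrites the old salt, so yesterday's
        # hashes can no longer be recomputed or matched.
        if self.refresh_daily and day != self.day:
            self.salt = new_salt()
        self.day = day
        return self.salt


def count_visitors(hits, refresh_daily: bool) -> int:
    """hits: (day, ip, user_agent) tuples in chronological order."""
    store = SaltStore(refresh_daily)
    return len({visitor_id(store.salt_for(d), ip, ua) for d, ip, ua in hits})


# Constructed sample: one visitor, three page views a day for seven days.
START = date(2024, 1, 1)
HITS = [(START + timedelta(days=d), "203.0.113.7", "Mozilla/5.0 (constructed)")
        for d in range(7) for _ in range(3)]

if __name__ == "__main__":
    print("static salt:", count_visitors(HITS, refresh_daily=False))
    print("daily salt: ", count_visitors(HITS, refresh_daily=True))
```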
We will refrain from making recommendations and would like to clarify that the above is not legal advice but rather a technical explanation of how salt refreshes work in Independent Analytics. We understand that this is a highly technical subject, and we hope that this guide has helped you in finding the best course of action for your website.