Why ea.js?

Google Analytics used to be the default. Then it became a liability. Here's why ea.js exists.

The Short Version

Your analytics live in a single SQLite file you own and control
The source code is open and auditable — AGPL-3.0
No cookies by default — no consent banners needed
WASM proof-of-work bot defense that actually works
One script tag, one database, one process — no SDK bloat
No data shared with ad networks, ever

Your Data, Your File

With Google Analytics, your data lives in Google's cloud. You can export some of it — eventually, through a clunky interface, in formats designed for BigQuery. Switching away means losing your history or paying for expensive data pipelines.

With Echelon, everything lives in a single SQLite file. Copy it to your laptop with cp. Query it with DuckDB, Datasette, or any SQLite-compatible tool. Back it up with rsync. There's no vendor lock-in because there's no vendor — the database file is the product.

Raw visitor data is kept for 90 days alongside daily rollups for 2 years. You can re-analyze with different bot score thresholds at any time. Try doing that with GA4.

Learn more about Portable Data →

Transparency

Google Analytics is a proprietary black box. You don't know exactly what it collects, how it processes data, or what happens to it behind the scenes. The tracking script is minified and obfuscated. The scoring algorithms are undocumented. When something changes, you find out from a blog post — if you're lucky.

Echelon's entire codebase is AGPL-3.0 licensed and published on GitHub. Every line of the tracking script, every bot scoring heuristic, every database query — you can read it, audit it, and verify it does exactly what the documentation says. The bot scoring algorithm in lib/bot-score.ts is ~200 lines of readable TypeScript with inline comments explaining every factor.

When you deploy Echelon, you know precisely what runs on your server. No surprises.

Open Source Fixes Things

Found a bug in GA4? File a support ticket. Wait weeks. Maybe it gets fixed in a future release. Maybe it doesn't. You have no visibility into the process and no ability to fix it yourself.

Found a bug in Echelon? Open an issue on GitHub — or just fix it yourself. Fork the repo, make your change, submit a pull request. The turnaround is as fast as you want it to be. Community contributions are welcome and reviewed promptly.

Open source means you're never stuck waiting for someone else to prioritize your problem. If something breaks, you can patch it the same day.

No Cookie Banners

Google Analytics uses cookies for cross-session tracking. In the EU, that means you need a cookie consent banner — and if users decline, you lose that data entirely. Cookie banners are annoying, they hurt UX, and they introduce legal compliance overhead.

Echelon is cookieless by default. Visitors are identified by a daily-rotating HMAC-SHA256 hash of IP + User-Agent + site ID + date. The hash resets every day, can't be reversed, and requires zero consent. No cross-day tracking, no consent popups, no GDPR headaches.

If you want returning visitor tracking, add data-cookie to the script tag — but it's opt-in, not the default.

Bot Defense That Works

Google Analytics has "bot filtering" — a checkbox in the admin panel. It catches some obvious bots, but referral spam and sophisticated crawlers still pollute your data. GA4's bot detection is a black box, and when it fails, you have no tools to investigate or fix it.

Echelon takes bot defense seriously. Every tracker script embeds a runtime-generated WebAssembly module that browsers must solve before pageviews are accepted. The WASM blob regenerates from a random seed every 6 hours — each cycle produces unique bytecode that bot toolkits can't pre-compute. On top of that, a heuristic scoring system (0–100) evaluates every request using PoW results, interaction timing, geo data, headers, burst detection, and Cloudflare integration.

Scores ≥ 50 are excluded from rollups. You can inspect every scored request in the admin UI and adjust thresholds. Full transparency, full control.

Learn more about Bot Defense →

Lightweight

Google Analytics requires a tag manager, SDK imports, consent management platforms, and a team to configure it all. The tracking snippet loads additional scripts, sets multiple cookies, and makes dozens of network requests. The total payload can exceed 100KB.

Echelon is one script tag:

<script async src="https://your-host/ea.js" data-site="my-site"></script>

That's it. One script, one SQLite database, one Deno process. No tag managers, no SDK dependencies, no third-party libraries. The entire application is a single repository that builds and runs with deno task start.

Privacy Without Compromise

Google Analytics shares data with Google's advertising platform. Visitor behavior feeds into ad targeting, audience building, and cross-site profiling. When you add GA to your site, you're not just tracking visitors — you're contributing to a surveillance infrastructure.

Echelon shares data with nobody. Your analytics database sits on your server. There are no third-party requests, no data pipelines to ad networks, no user profiling, no cross-site tracking. Visitors get clean page loads. You get clean data. That's the entire deal.

🛡️ "You wouldn't let a stranger read your diary.
Why let one read your analytics?" -🦭

Installation Features API Reference Bot Defense Configuration Architecture Portable Data MCP Server Telemetry