another decentralizedish community solution in nyc is https://nycmesh.net/ which I used for years and volunteered on an install. biggest issue with nyc and why I can't use it anymore is you need line of sight to a hub node.
Another thing to do with store loyalty cards is to always look up by phone number - many people in my extended family live nearby and use the same phone number, so the card has so many purchases on it it becomes useless to target.
In addition, I feel like python tends to have a more consistent, but somewhat more verbose API in libraries and for frameworks such as web development frameworks. A strength and a problem that ruby has over python is that the syntax and language are more flexible, which both makes it harder to debug but also faster to develop and prototype in as compared to python.
How about some simple cookie tracking an iframe that loads a random number of seconds after the page loads (like 10 - 60)? That might spam the logs randomly enough so that it couldn't be tracked. However, I think measures such as including the Securedrop page as a part of the root domain only under ssl would be the simplest solution in this case.
