RBoelter / twitterBlock

Twitter Block Plugin for OJS, OMP, OPS 3.x
http://leibniz-psychology.org
GNU General Public License v3.0

GDPR conformity #8

Open gabriele-h opened 3 years ago

gabriele-h commented 3 years ago

In the current implementation of the plugin it looks like the information from twitter is always shown as an iframe without any option for the end user to not transfer information to twitter. I don't think this is okay in regards to the GDPR. I found a (German) online source on this issue: https://www.internetdienste.verwaltung.uni-muenchen.de/service/dsgvo_ueberblick/social-media-dsgvo/index.html

The information twitter has on privacy and its widget are not going into detail about the GDPR: https://developer.twitter.com/en/docs/twitter-for-websites/privacy data-dnt seems to be set for the widget at least. But simply embedding the twitter-widget as an iframe without giving the user any kind of possibility to refuse is absolutely not okay in regards to the GDPR.

I found a brilliant GitHub issue for a different product, this is exactly what I am talking about: https://github.com/trewknowledge/GDPR/issues/33

RBoelter commented 3 years ago

It is known that using this plugin could be a risk in countries with strong privacy restrictions like GDPR. This plugin is not intended only for countries with such strong privacy restrictions. OJS administrators in the EU should be aware of these risks and not install the plugin if they are unsure. It is currently not possible to use Twitter feeds without iFrame, because Twitter itself does not provide a suitable API. Perhaps I will create a more GDPR compliant version of this plugin in the future.

gabriele-h commented 3 years ago

Excuse me, but it would not just be a "risk", it is illegal. Anything illegal is of course a "risk", but I was honestly hoping for a more proper answer.

Since we - luckily - do not live in a world where web sites are a local phenomenon, you can't just say "I am hosting this website with this non-GDPR-compliant plugin in a country where the GDPR does not apply". I know of at least one German OJS instance that is using your plugin as-is. Obviously without realizing that what they are doing is actually illegal.

RBoelter commented 3 years ago

In the plugin settings is a warning: "This plugin uses a cookie from Twitter! ... ", so obviously they ignore this warning.

marcbria commented 3 years ago

Hi @gabriele-h,

I'm also very concerned about GDPR too, but I'm unsure if this could be easily addressed.

Why don't you block the cookies in your site? I mean, OJS has some other plugins using cookies and you have plenty of cookie-consent libraries that let you block all, or just some of them...


Or if you know how to fix it, you can contribute with a PR that I'm quite sure @RBoelter will happily merge.

Cheers, m.

gabriele-h commented 3 years ago

@marcbria this is not only about cookies. The way the twitter-widget is implemented, the GDPR would also require not showing any third-party-content iframes unless there is explicit consent from the user. Please take a look at https://github.com/trewknowledge/GDPR/issues/33, which I already referred to above. It explains the issue for iframes in a comprehensible way, I think. The only thing it might be lacking is the fact that this is not just about cookies, but also about how including external sources in an iframe leads to twitter being able to track users by their IP addresses.
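A consent-gated ("two-click") embed of the kind asked for above, added here as an example that is not part of the twitterBlock plugin: the browser requests nothing from Twitter until the visitor explicitly opts in, so neither a cookie nor the visitor's IP address reaches Twitter beforehand. The container id, the consent storage key, the widget URL and the sandbox attributes are assumptions.

```javascript
// Consent-gated Twitter embed (added example, not plugin code).
const CONSENT_KEY = 'twitterEmbedConsent';             // assumed storage key
const TWITTER_ORIGIN = 'https://platform.twitter.com'; // assumed widget origin

// Decide what to render for a given consent value and widget URL.
// Without an explicit 'granted' the placeholder is returned and no URL is set,
// so nothing is fetched from Twitter and no data about the visitor is sent.
function renderDecision(consentValue, widgetUrl) {
  if (consentValue !== 'granted') return { kind: 'placeholder', src: null };
  let parsed;
  try { parsed = new URL(widgetUrl); } catch (e) { return { kind: 'placeholder', src: null }; }
  // Only load from the expected Twitter origin over https; refuse anything else
  // so a tampered setting cannot point the frame at an arbitrary site.
  if (parsed.origin !== TWITTER_ORIGIN || parsed.protocol !== 'https:') {
    return { kind: 'placeholder', src: null };
  }
  // dnt=true asks Twitter not to personalise; it does not replace consent.
  parsed.searchParams.set('dnt', 'true');
  return { kind: 'iframe', src: parsed.toString() };
}

// Browser wiring (skipped under Node): show a placeholder button first and
// create the iframe only after the visitor clicks it.
function mountTwitterEmbed(container, widgetUrl, storage) {
  const decision = renderDecision(storage.getItem(CONSENT_KEY), widgetUrl);
  container.textContent = '';
  if (decision.kind === 'iframe') {
    const frame = document.createElement('iframe');
    frame.src = decision.src;
    // Assumed minimal sandbox for the widget; tighten if the widget allows it.
    frame.setAttribute('sandbox', 'allow-scripts allow-same-origin allow-popups');
    frame.setAttribute('referrerpolicy', 'strict-origin');
    container.appendChild(frame);
    return;
  }
  const button = document.createElement('button');
  button.textContent = 'Load Twitter timeline (data will be sent to Twitter)';
  button.addEventListener('click', () => {
    storage.setItem(CONSENT_KEY, 'granted'); // consent recorded only on click
    mountTwitterEmbed(container, widgetUrl, storage);
  });
  container.appendChild(button);
}

if (typeof document !== 'undefined') {
  // Assumed container id and widget URL.
  mountTwitterEmbed(document.getElementById('twitter-embed'),
    'https://platform.twitter.com/embed/Tweet.html?id=1', localStorage);
}
```

Clearing the stored consent value returns the page to the placeholder state, which is how a "withdraw consent" control would be wired.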

RBoelter commented 3 years ago

As mentioned before, I will make it more GDPR compliant in the next version, but that will take some time. Or as Marc wrote, feel free to fork this repo, improve it and trigger a pull request, if it's urgent.

gabriele-h commented 3 years ago

Looking forward to the new version then!

I have close to no knowledge of PHP, otherwise I might have considered the PR-approach. Thanks for offering, though! It is not urgent for us, but in my personal opinion it is an important issue.