[Website] remove trackers and embeds and make the site legal in the EU

[D3V1LC0D3R]

Bug and expected behavior When opening your webpage following trackers are loaded:

• pubmine.com
• stats.wp.com
• google-analytics.com
• graph.facebook.com
• youtube.com

expected behaviour: ask before you load thirdparty resources or disable them completely

Reproduce Steps to reproduce the behavior:

1. open your webpage

Additional context i hope this was not intentional as you're literally breaking european law (GDPR)

Checklist

• [x] This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.

[kmk3]

@D3V1LC0D3R commented 12 hours ago:

Bug and expected behavior

When opening your webpage following trackers are loaded:

• pubmine.com
• stats.wp.com
• google-analytics.com
• graph.facebook.com
• youtube.com

expected behaviour: ask before you load thirdparty resources or disable them completely

Reproduce

Steps to reproduce the behavior:

1. open your webpage

Additional context

i hope this was not intentional as you're literally breaking european law (GDPR)

Checklist

• [x] This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.

+1 to completely removing the following:

• pubmine.com
• stats.wp.com
• google-analytics.com
• graph.facebook.com

In the case of third-party embeds that require JavaScript (such as YouTube's), I would go with one of the following:

1. Make it a thumbnail which loads the embed only after clicking it (a bit more work)
2. Make it a thumbnail with a link to the content (easier to implement)

One working example of the former that comes to mind is how GamingOnLinux does it. For example, see this recent article:

https://www.gamingonlinux.com/2021/08/impressive-free-and-open-source-rts-0-ad-alpha-25-is-out-now

It contains the following at the very end:

(video thumbnail)

YouTube videos require cookies, you must accept their cookies to view. View cookie preferences.

(Accept Cookies & Show) (Direct Link)

Other than having an event on the "Accept Cookies & Show" button, it's all plain HTML.

I don't know much about WordPress and I don't know how straightforward this would be to implement in it, but at least in pure HTML it does not appear to be too complicated.

[SkewedZeppelin]

@rusty-snake 's website rewrite solves this afaik.

[kmk3]

@SkewedZeppelin commented 38 minutes ago:

@rusty-snake 's website rewrite solves this afaik.

Yes, the rewrite does not appear to be affected by this, but it's still WIP AFAIK. Here's a link for future reference:

https://rusty-snake.github.io/firejail/

So while the wordpress site is considered the official/canonical one (which I assume will be the case for a while), I think that at least removing the aforementioned trackers would be a big improvement and also potentially easy to do.

[kmk3]

https://rusty-snake.github.io/firejail/

Links to issues related to the rewrite for cross-reference:

• https://github.com/netblue30/firejail/issues/2713
• https://github.com/netblue30/firejail/issues/2729

[rusty-snake]

@rusty-snake 's website rewrite solves this afaik.

:+1: The only third-partys are fonts.googleapis.com which can be removed and youtube.com which can be made click2play+youtube-nocookie.com or changed to first-party or peertube if we want.

[topimiettinen]

ask before you load thirdparty resources or disable them completely

I don't think GDPR works like this at all, your interpretation would probably make most Wordpress pages or those which embed youtube videos sites illegal. For example, German Wordpress (https://wordpress.com/de/) links also to stats.wp.com and uses Google APIs and I think German interpretation of GDPR is stricter than some other EU countries. Can you point to legal analysis where third party resources in frame of GDPR are discussed?

Having said that, removing trackers and/or switching away from Wordpress makes sense.

[rusty-snake]

Even the website of the "Bundesbeauftragter für den Datenschutz und die Informationsfreiheit" (en: Federal Commissioner for Data Protection and Freedom of Information; https://www.bfdi.bund.de) includes piwik.itzbund.de. Maybe because of a legitimate interests or because it does not collect personally identifiable information (PII). IDK but that are the two relevant terms in the GDPR AFAIK. (IANAL)

ask before you load thirdparty resources or disable them completely

I don't think GDPR works like this at all,

Not sure if @D3V1LC0D3R mean that referring to the GDPR or as a privacy best practice. Anyway the only third-parties that are "necessary" are

• wp.com (the "wordpress CDN")
• gravatar.com
• youtube.com (maybe change this to youtube-nocookie.com)

those which embed youtube videos sites illegal

(site rant) Had anyone said copyright? You did what? You linked to a yt video which includes a illegal copied meme for 2s at a halfscreen?!

[D3V1LC0D3R]

ask before you load thirdparty resources or disable them completely

I don't think GDPR works like this at all, your interpretation would probably make most Wordpress pages or those which embed youtube videos sites illegal. For example, German Wordpress (https://wordpress.com/de/) links also to stats.wp.com and uses Google APIs and I think German interpretation of GDPR is stricter than some other EU countries. Can you point to legal analysis where third party resources in frame of GDPR are discussed?

Having said that, removing trackers and/or switching away from Wordpress makes sense.

to my knowledge it is illegal in germany: https://usercentrics.com/knowledge-hub/non-compliant-cookie-banner/

[D3V1LC0D3R]

this is illegal, as the german court considered this as not a legal consent. source: https://www.datenschutzerklaerung.info/cookie-consent-tools-lg-rostock/

EDIT: image source: https://www.finch.com/blog/cookie-consent-tools-and-nudging/

[D3V1LC0D3R]

as a matter of fact github uses illegal data collection practices as well (they have an eventlogger and a browser fingerprinter without any consent)

[rusty-snake]

Well if you have a GH account you accepted GH's privacy statement, but if not ...

[D3V1LC0D3R]

Well if you have a GH account you accepted GH's privacy statement, but if not ...

no accepting a policy does not mean that a company do anything to you. You have to be well informed (or did you know that every github email includes a tracking pixel < img src="https://github.com/notifications/beacon/[ID].gif" height="1" width="1" alt="" / >)

[kmk3]

@rusty-snake commented on Aug 11:

@rusty-snake 's website rewrite solves this afaik.

+1 The only third-partys are fonts.googleapis.com which can be removed

That would be nice and to expand a bit on it: I'm more inclined towards just using "serif", "sans-serif" and "monospace" and letting the browser use the native/configured fonts. If custom fonts would make a significant difference, they could be committed to the repo (preferably fonts under a libre font license).

and youtube.com which can be made click2play+youtube-nocookie.com

Nice; click2play (/click2loadTheEmbed) would be the most important change IMO, as it deals with third-party proprietary JavaScript.

I don't know about the pros/cons of youtube.com vs youtube-nocookie.com; the only site I remember seeing using the latter is Wikia.

or changed to first-party or peertube if we want.

A PeerTube mirror would be great (see #4076).

If by "first-party" you mean comitting videos to a repository, I'm not sure if that would be a good idea, considering non-trivial video sizes and it might be against the ToS. If that's workable, I'd put them on a separate repository (e.g.: firejail-media) to not bloat up the main one.

---

By the way, since there is no issue tracker in the rewrite repo, should we open issues about it in here?

[rusty-snake]

By the way, since there is no issue tracker in the rewrite repo, should we open issues about it in here?

I could enable it, however nobody will see it there.

I don't know about the pros/cons of youtube.com vs youtube-nocookie.com;

https://www.ghacks.net/2018/05/23/why-you-should-always-use-youtubes-privacy-enhanced-mode/

[topimiettinen]

to my knowledge it is illegal in germany: https://usercentrics.com/knowledge-hub/non-compliant-cookie-banner/

I think you are confusing uses of cookies (and related requests) with links to third party sites.

[rusty-snake]

:rocket: Third-parties are removed from https://rusty-snake.github.io/firejail/.

• fonts.googleapis.com is blocked via CSP (ATM)
• youtube videos use youtube-nocookie.com (even if this doesn't make any differences because of the next point)
• youtube videos are click to play/load
• img.youtube.com is still contacted to fetch the thumbnail. This can be fixed together with all the other images.
• only the about page is updated so far.

[SkewedZeppelin]

I'm more inclined towards just using "serif", "sans-serif" and "monospace"

I use this:

font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Roboto", "Oxygen", "Ubuntu", "Cantarell", "Droid Sans", "Helvetica Neue", Helvetica, sans-serif;

You can find various variations of it online.

[D3V1LC0D3R]

i guess this is mostly solved, thanx