Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: privacy

  • Cookie Consent on Hugo

    Cookie Consent on Hugo

    Hugo is my favourite static site generator. I use it on a site I originally created in 1996 (yes, FLF is about to be 30!). Over the last 6 months, I’ve been totally overhauling the site from top to bottom, and one of the long-term goals I had was to add in Cookie Consent.

    Hugo Has Privacy Mode

    One of the nice things about Hugo is they have a built in handler for Privacy Mode.

    I have everything set to respect Do Not Track and use PrivacyMode whenever possible. It lightens my load a lot.

    Built Into Hinode: CookieYes

    The site makes use of Hinode, which has built in support for cookie consent… Kind of. They use the CookieYes service, which I get but I hate. I don’t want to offload things to a service. In fact, part of the reason I moved off WordPress and onto Hugo for the site was GDPR.

    I care deeply about privacy. People have a right to privacy, and to opt in to tracking. A huge part of that is minimizing the amount of data from your own websites that gets sent to other people, and the amount that gets saved on your own servers and services!

    Obviously I need to know some things. I need to know how many mobile users there are so I can make it better. I need to know what pages have high traffic so I can expand them. If everyone is going to a recap page only to try and find a gallery, then I need to make those more prominent.

    In other words, I need Analytics.

    And the best analytics? Still Google.

    Sigh.

    Alternatively: CookieConsent

    I did my research. I checked a lot of services (free and pay), I looked into solutions people have implemented for Hugo, and then I thought there has to be a simple tool for this.

    There is.

    CookieConsent.

    CookieConsent is a free, open-source (MIT) mini-library, which allows you to manage scripts — and consequently cookies — in full GDPR fashion. It is written in vanilla js and can be integrated in any web platform/framework.

    And yes, you can integrate with Hugo.

    How to Add CookieConsent to Hugo

    First, download it. I have node set up to handle a lot of things, so I went with the easy route:

    npm i vanilla-cookieconsent@3.1.0

    Next, I have to add the dist files to my site. I added in a command to my package.json:

    "build:cookie": "cp node_modules/vanilla-cookieconsent/dist/cookieconsent.css static/css/cookieconsent.css && cp node_modules/vanilla-cookieconsent/dist/cookieconsent.umd.js static/js/cookieconsent.umd.js",
    

    If you’re familiar with Hinode, you may notice I’m not using the suggested way to integrate JS. If I was doing this in pure Hinode, I’d be copying the files to assets/js/critical/functional/ instead of my static folder.

    I tried. It errors out:

    Error: error building site: EXECUTE-AS-TEMPLATE: failed to transform "/js/critical.bundle-functional.js" (text/javascript): failed to parse Resource "/js/critical.bundle-functional.js" as Template:: template: /js/critical.bundle-functional.js:210: function "revisionMessage" not defined
    

    I didn’t feel like debugging the whole mess.

    Anyway, once you get those files in, you need to make another special js file. This file is your configuration or initialization file. And if you look at the configuration directions, it’s a little lacking.

    Instead of that, go look at their Google Example! This gives you everything you need to comply with Google Tag Manager Consent Mode, which matters to me. I copied that into /static/js/cookieconsent-init.js and customized it. Like, I don’t have ads so I left that out.

    Add Your JS and CSS

    I already have a customized header (/layouts/partials/head/head.html) for unrelated reasons, but if you don’t, copy the one from Hinode core over and add in this above the call for the SEO file:

    <link rel="stylesheet" href="/css/cookieconsent.css">

    Then you’ll want to edit /layouts/partials/templates/script.html and add in this at the bottom:

    <script type="module" src="/js/cookieconsent-init.js"></script>

    Since your init file contains the call to the main consent code, you’re good to go!
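    As an added example (not the site’s own init file and not code from the vanilla-cookieconsent project), here is what a cookieconsent-init.js for the necessary/analytics setup above could look like, with the Google Consent Mode bridge kept as a plain function so it can be checked outside the browser. The v3 option names and the gtag consent calls are assumed from the library and Google docs rather than taken from this post:

```javascript
// Added example, not the site's cookieconsent-init.js and not code from the
// vanilla-cookieconsent project. Assumes the v3 API (CookieConsent.run,
// onConsent/onChange with a cookie.categories array) and Google Consent
// Mode's gtag('consent', ...) calls; verify both against the current docs.

// Which Consent Mode signals each category controls. There is no "ads"
// category on this site, so the ad_* signals can never be granted.
const SIGNALS_BY_CATEGORY = { analytics: ['analytics_storage'] };
const ALL_SIGNALS = ['analytics_storage', 'ad_storage', 'ad_user_data', 'ad_personalization'];

// Pure function: accepted category names -> Consent Mode state object.
// Every signal starts "denied"; only signals owned by an accepted
// category become "granted", so an unknown category changes nothing.
function consentStateFor(acceptedCategories) {
  const state = Object.fromEntries(ALL_SIGNALS.map((s) => [s, 'denied']));
  for (const category of acceptedCategories) {
    for (const signal of SIGNALS_BY_CATEGORY[category] || []) {
      state[signal] = 'granted';
    }
  }
  return state;
}

// Send the update to gtag when it is loaded; returns the state either way.
function pushConsent(acceptedCategories) {
  const state = consentStateFor(acceptedCategories);
  if (typeof gtag === 'function') {
    gtag('consent', 'update', state);
  }
  return state;
}

// Browser-only wiring, guarded so the file also loads outside a browser.
if (typeof window !== 'undefined' && typeof CookieConsent !== 'undefined') {
  // Consent Mode wants defaults set before any tag fires: deny everything.
  if (typeof gtag === 'function') gtag('consent', 'default', consentStateFor([]));

  CookieConsent.run({
    // Bump the revision when the policy text changes so returning
    // visitors are asked again (this is the "Revision Management" hook).
    revision: 1,
    categories: {
      necessary: { enabled: true, readOnly: true }, // placeholder: no such cookies today
      analytics: {},                                // Google Analytics, opt-in only
    },
    onConsent: ({ cookie }) => pushConsent(cookie.categories),
    onChange: ({ cookie }) => pushConsent(cookie.categories),
    language: {
      default: 'en',
      translations: {
        en: {
          consentModal: {
            title: 'Cookies on this site',
            description: 'That means if you click "Reject" right now, you won\'t get any Google Analytics cookies.',
            acceptAllBtn: 'Accept',
            acceptNecessaryBtn: 'Reject',
            showPreferencesBtn: 'Manage preferences',
          },
          preferencesModal: {
            title: 'Cookie preferences',
            acceptAllBtn: 'Accept all',
            acceptNecessaryBtn: 'Reject all',
            savePreferencesBtn: 'Save preferences',
            sections: [
              { title: 'Strictly necessary', linkedCategory: 'necessary',
                description: 'At this time we have NO necessary cookies. This option is a placeholder.' },
              { title: 'Analytics', linkedCategory: 'analytics',
                description: 'Google Analytics, set only if you accept this category.' },
            ],
          },
        },
      },
    },
  });
}
```

Because the library is loaded as a UMD global from the script tag and the init file is loaded as a module, the guard keeps the page from throwing if the order of the two tags ever changes.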

    The Output

    When you visit the site, you’ll see this:

    Screenshot of a cookie consent page.

    Now there’s a typo in this one, it should say “That means if you click “Reject” right now, you won’t get any Google Analytics cookies.” I fixed it before I pushed anything to production. But I made sure to specify that so people know right away.

    If you click on manage preferences, you’ll get the expanded version:

    Screenshot of expanded cookie preferences.

    The language is dry as the desert because it’s to meet Google’s specifics.

    As for ‘strictly necessary cookies’?

    At this time we have NO necessary cookies. This option is here as a placeholder in case we have to add any later. We’ll notify you if that happens.

    And how will I notify them? By using Revision Management.

  • Conceptualizing Privacy

    Conceptualizing Privacy

    I know a wonderful human named Heather Burns who cares about privacy and GDPR and has made me quite passionate about understanding what the heck I’m talking about. She’s infectious, smart, and well worded. When she talks I listen.

    Earlier this year, she posted her slides from a speaking event, PHP Yorkshire. One of them resonated with me to the point that I keep thinking about it:

    US vs UK/Europe concept of Privacy
    Source: Heather Burns’ PHP Yorkshire Slides

    I sat and read it a few times, and I realized that I absolutely 100% agree with all of the UK/Europe concepts and only one of the US’s. I won’t touch on all of them, but here are the ones I spend a lot of time pondering.

    Ownership vs Freedom

    In the US, there’s a massive misconception that you have a right to say what you want about what you want without consequences. This is absolutely not true. Freedom of speech, in the United States, does not exculpate me from what happens to me after I say a thing. But we have a big bugaboo here about how our freedoms are fundamental rights. So even though the first few Amendments to the Constitution are quite clearly about their direct applications to ‘against the government’ and ‘in a militia,’ people take them, twist them, and make them apply to everything else.

    This runs into an issue with GDPR and people in the UK and Europe, where the law is that you own your own data. You have a right to it, and to what’s said about you. Yeah hang on there. Folks in the US have a right to say what we want. Folks in the UK/Europe have a right to make us shut up.

    That’s working out about as well as you’d think, mostly because we disagree about this other thing…

    Data Ownership

    Really, it should be pretty simple for the freedom of speech to coexist with the right to be private. If I post lies about you, you are legally within your rights in the US to demand I take them down. If I post information about you that wasn’t public, like I know you like to burn Beanie Babies (those are stuffed animals, folks), then in the US you’re kind of out of luck unless you can prove it caused you ‘harm.’ Across the pond? I have to delete it.

    And right there, I agree with the Europeans. If I take privileged information and make it public, I’m a horrible human first of all. I’ve betrayed your trust, and I’ve probably done it for financial gain. On the other hand, if I take public information (like a photo of you from the Associated Press of you burning a Beanie Baby in Central Park) and share it, I’m still a pretty horrible human, but not in the same way.

    As a human, I think I should have the right to own my own data. But this comes with a measure of responsibility. In other words, I’m responsible for what I put out there. If I make it public that I’m a lesbian (which I did), am I legally allowed to demand you remove all references to me being one on your site? In other words, do I get take-backs if I make things public?

    Maybe, but over yonder, I should at least ask first!

    Cooperation Before Court

    There’s a concept called “Assume good faith” and it’s one of Wikipedia’s fundamental principles. It’s related to the concept that we should never attribute to malice that which can be ascribed to ignorance. Generally this comes up when I talk to people about copyright or trademark violations. I never assume people meant to violate those things, just that they were unaware of things.

    The idea that someone has to ask me to remove a thing before suing me would be a lovely thing. The closest I can think of in the US is the way DMCA requests are handled. That is, I can issue a counter notice and either state “Hey, removed it!” or argue back that it’s fair use. But that isn’t the same as the idea that we should talk before we go to lawyers. And that’s, you know, respectful.

    I spend a lot of time thinking about this based on two other sites I run, where there is personal information of other people. It’s all public-personal information, but in general if someone asks me to remove data, I’ve complied. There was one instance where I didn’t, and I explained why not and the other person agreed it was a fair representation of the situation.

    What Happens Now?

    Well. A lot of confusion and arguments about who has the right to what and where and when.

    There’s going to be a lot of change in your future.

  • Data Deletion May Not Be What You Think

    Data Deletion May Not Be What You Think

    So you’re handling GDPR and you have a privacy doc and policy and a plan for people requesting data and, yes, deleting it.

    Eventually someone is going to ask you to delete their content from your site. This is the scary part for most people. Remember, you get 30 days to reply, so don’t panic. Next, figure out what they’re asking for, and if you can say no.

    This is the fun part. You can say no. Sometimes.

    When You Can Say No

    In general, yes, you should delete people’s information if they ask. But if your website stores complicated information this is not actually as black and white as all that. The right to erasure does not apply if retaining is necessary for one of the following reasons:

    • exercising your right of freedom of expression and information
    • meeting any legal obligations
    • performing a task in the public interest or under your legal authority
    • archiving information of public interest or for research where deletion would impair the work significantly
    • related to any legal claims you have (or may have)

    This helps you balance out the problem of being told to delete things you need to keep for tax reasons. It also keeps sites that may collect public data for the general public (like Wikipedia or a website that tracks queer characters on TV) from losing everything. It won’t protect you from other lawsuits, of course.

    It’s that last one I feel is really important to everyone. That’s the one that means if I block you, I may not have to delete your data, even if you ask, because I may need it for the establishment of legal claims. But that has to be a legit claim.

    You can also just say no for any reason you feel is justified. Now again, do not use this flagrantly. You still have to turn around and tell someone that you’re not deleting their data, so you need to be serious about this.

    Self Protection

    And speaking of being serious, you can actually say no to protect yourself. You see, people can only ask for deletion if the data is no longer needed for the reason it was collected. So if they want to delete their account but keep shopping at your store, you can say no since the information is needed to keep shopping!

    So remember why you track the data in the first place. When people leave a comment, for example, you track their username, email, and IP (and web address if they provide it) in order to know who they are and prevent spam, but also abuse.

    Here’s an excerpt from one of my privacy policies:

    Comments: When visitors leave comments on the website, the collected data shown in the comments form, as well as the visitor’s IP address and browser user agent string are saved in order to help spam detection and abuse.

    Since I retain data to prevent abuse, that is, serial internet harassers, you can ask me all you want for me to delete any data I save about you, but I can say no to protect myself.

    When You Say No

    If you decide to tell someone no to a deletion request, you must:

    • provide the reason
    • inform them of their rights to make a complaint
    • inform them of their right to a ‘judicial remedy’

    That last one means yes, they can sue you to delete the data. If they’re abusing you (harassing etc) and you’ve saved all that, you’ll probably win. Which is one reason you should actually save and document people’s actions. I hate having a whole folder on my laptop that documents a bunch of people hating on me, but I need it.

    Basically if you’re going to say no, have a damn good reason, document it, and be prepared for a fight.

    Say Yes If You Can

    Most of the time, it’s no skin off your ear to delete a comment or edit a post. But sometimes it’s going to be a huge deal. And in fact, you can turn around and tell people “If I delete all your data, I will retain information required to identify you in order to prevent you from returning to this site. A deletion request means you will not be welcome back.”

    If that sounded harsh, well, it can be. Because for most small blogs, consider what they’re asking. When someone asks to delete the content of a personal blog, it’s most likely going to be for a pretty petty reason. Unless they’re asking you to remove information that shouldn’t be public (like their phone or email – and yes, someone’s asked me to delete that before), it’s probably going to be someone asking you to remove a comment that makes them look foolish. Or at least it has been in my experience.

    Make Your Life Easier

    Keep this in mind too. Make your life easier. If you don’t need comments on your site, don’t have them. Turn off that contact form too. There’s no law that says you need to let people talk to you on your blog.

    This won’t be true for all situations, but do as much as you can and save yourself that GDPR headache.

  • Consent and Awareness

    Consent and Awareness

    GDPR.

    It’s the source of many headaches for many web developers, web admins, and in general anyone who uses the internet. If you’re reading this, it’s probably a headache for you too. So let’s have a real, non-lawyer talk about what’s going on and why you need to care.

    Notice: I’m not a lawyer. This post is not legal advice. Please read the EU GDPR Information Portal and research your specific situation.

    Everyone Needs to Care

    If you thought this only has to do with people who use eCommerce products, think again. The centre of the GDPR is data privacy. That is, the right to have your data removed from websites, when you want. The point to all this is if you have a website, and people visit, you need to care for the following reasons:

    • You have ads on your site
    • You allow comments
    • You use custom avatars (Gravatar)
    • You track visitors (Jetpack, Google, etc)
    • You embed content (Twitter, YouTube, etc)

    Does any of that sound like you? It sounds like pretty much every public website in existence. And congratulations, you need to care about GDPR.

    What You Need

    There are a lot of moving parts here, but the pared down version is this:

    • Know what 3rd party services you use
    • Know what your CMS tool tracks
    • Have a privacy policy
    • Have a way for people to request data deletion

    The first two are surprisingly complicated because, in the case of WordPress, you might be tracking a lot more than you think. Remember all those things I mentioned above? They all are common situations where your CMS might be tracking people. But what if I told you that a lot of plugins you use also add on tracking? Or record more data than WordPress knows about?

    Like. I wrote a plugin that adds in the IP address used to register an account to the user meta. This means WordPress now records more data. Thankfully that gets deleted when you delete a user account, and it’s generally covered under the broad disclosure that you track users’ IPs (which every website does). But I have to make sure people who use the plugin know that, and communicate it to others.

    That’s a very simple example. Take a plugin that logs user activity for, oh, let’s say security. Now you have to tell everyone about exactly what it tracks (browser information etc) and what you use it for. And you get to figure that out for every single plugin you use.

    This won’t be easy. Unless you read every single plugin you use, you’re going to be at the behest of developers who may not be aware of exactly what they need to disclose.

    Privacy Policies Are a Must

    Every site should have a privacy policy. While for most smaller blogs, the odds are low that anything will happen, you should have one anyway. The problem is that no one can tell you exactly what yours needs to have. I try to cover the four basics:

    • Terms of Use: all the things you agree to by using this site
    • Data Collection: what situations result in my tracking your data, including details on 3rd party services regularly used
    • Data Usage: what I do with data and how long I keep it – also how to request it
    • Policy Changes: a CYA that they’ll likely change

    There are a lot of details in those four sections, especially the Terms, which exculpate me if I get information wrong, allow me time to handle a DMCA, and a whole lot of things. And yes, it’s super daunting, I know. I mean, the privacy policy here isn’t half as robust as some of my other sites.

    The Bottom Line

    You can distill all this into consent and awareness. People need to know what they’re getting into on your site (or at least be able to know – you can’t help people who refuse to read). And you need to understand exactly what your site does. You need to be aware, as a website owner and a user.

    All those terms you ignored when signing up for Google Adsense and Analytics? Now is the time to knuckle down and read, because you need to cover that. All those extensions (plugins and themes) you added? Read up on them too. If they don’t explain what they do with data, ask the developers.

    Developers? Step up. Document exactly what data you save. If you allow for the saving of different kinds of data, based on what the user picks, explain that. But you have to tell people what’s being saved and how to delete it. Most CMS apps now have tools to hook into to aid deletion, so research.

    GDPR kicked in four days ago, but it’s not too late to fix things.

  • Reset the Net Gotchas

    Reset the Net Gotchas

    All my domains will not be HTTPS by the end of 2014.

    Sorry. It’s one of those things that just isn’t (at this time) something I can pull off. If I only had one domain and everything was subs, I could get one wildcard subdomain cert and be done with it. But with the number of domains I have it’s not feasible. Which brings me to what I think one of the major issues with our desire to protect the net is… But let’s step back!

    Yesterday, as you may have noticed, was Reset The Net day. It was a call to action, much like we did when we went dark one day.

    Now on this site, I’m using the Internet Cat Signal, which cleverly updates itself as I need to alert people to crap like this. The tldr is that the NSA is spying on us. I leave that plugin on all the time, it fires up when there’s something people need to know. It doesn’t slow down my site, and I hope it brings awareness to folks who otherwise have no idea about this stuff. About 75% of my traffic on this server can be described as people who don’t know about any of this.

    What have I done for this? The recommendations are to use HTTPS, HSTS, and PFS. Since Heartbleed, I enabled PFS. This is a non-obvious sort of thing to do, in that few people seem to explain how to do it. On my box, which uses WHM, it was pretty easy. In my WHM Panel, I went to Apache Configuration -> Global Configuration -> SSL Cipher Suite. Then I picked the PCI Recommended suite, not the default, and rebuilt the configuration. Then I went to Apache Configuration -> Include Editor -> Pre Main Include and, for all builds of Apache, added this:

    # Enabling PFS
    SSLHonorCipherOrder On
    SSLProtocol All -SSLv2
    # CVE-2011-3389
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

    The last bit lets me support any IE 6 users who visit my store. But as I said, I don’t have SSL on for all my domains. So what are my HTTPS issues?

    The cost is insane. Let’s look at wildcard ssl, which is what you want for *.example.com situations. It’s pretty much $100 a year. That’s not too bad until you factor in how many domains I have on this server. Six family members, six of my own sites (including short domains like helf.us). So that’s either $1200 a year, which is obscene, or $145 a year at the cheapest I could find, and that’s for the simple green lock and no wildcards. For the big green bar, it’s back to around $1000 a year. Oh and I forgot one of my domains, so that’s $164 and $1047. Now I could totally afford the $164 a year, it’s doable with my ad revenue (which pretty much breaks me even at the end of a year) but….

    It’s slower. Look, I get how it’s important to be secure, but right now, the nginx proxy setup I’m using doesn’t work on HTTPS. That sets me back some since using it has sped up my site considerably. I know how to (and have) set Google Pagespeed to play nicely with HTTPS, so I’d be back to where I was before. This isn’t bad, it’s just not a great experience. Right now I have a secure login, secure email, a fully secure store, and ssh/sftp only, so the only place your data could get ‘sniped’ is when you’re leaving a public comment on my public site, which makes me less worried than I might be. Even my git repo is secured.

    Twig in a net

    Also it’s hard. And no, that’s not an excuse. PFS (Perfect Forward Secrecy) isn’t easy to add to your servers, and it’s way outside the realm of what most people can do. Hell, it’s outside the realm of what I’m comfortable doing. It took until my server had the specs for OpenSSL that will support PFS for me to do it. The point is, this part has to be done by the webhost for most people, and that is a big issue. It’s not easy or fast to upgrade servers, and it’s far, far more persnickety than updating WordPress. It’s complex, and you have to think about everyone on the server. Again, not an excuse, just a caution that it takes a while to finish up.

    Speaking of WordPress, multisite isn’t great at it. In fact, it’s less great than normal WP. I have two sites with SSL right now, ipstenu.org and store.halfelf.org. Ipstenu is only SSL on the back end, but even with that, there are inconsistencies. First, all the links are HTTPS, so when I click on “My Sites” the links to non-HTTPS sites use HTTPS, which doesn’t work. Also if I make a new domain, it defaults to HTTP and not HTTPS. So I have to edit that manually. This is annoying, though not insurmountable, and I know it’s something being worked on.

    In the end, the absolute biggest reason I’m not switching to HTTPS is that the only people who need secure communication are the people logging in or the people buying things, and I’ve taken care of that. For the rest of you, know that my store is secure, my logins are secure, and if you’re commenting on the site, for god’s sake, don’t post anything you don’t want people to know!

    I’m sure in a few years if not months all this will change, but this is where I am today. The racket with SSL certs costing that much needs an easier solution, and then the rest will fall into place.
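    A check I’d keep next to that PFS include, written for this page rather than taken from the post or from WHM: a small lint over the SSL directives in an Apache include that reports legacy protocols still enabled, cipher order not honoured, and suites that give no forward secrecy. The hardened include it compares against is my suggested setting, not one the post shows, and both config strings are constructed inline:

```javascript
// Added example, not code from the original post or from cPanel/WHM: a
// small lint for the SSL directives in an Apache include. It checks the
// three things the PFS change is after: legacy protocols off, the server's
// cipher order honoured, and only forward-secret (ECDHE/DHE) suites offered.
// Both config strings are constructed here; the hardened one is my
// suggestion, not something the post or WHM produced.

const LEGACY = ['SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1'];
const KNOWN = [...LEGACY, 'TLSv1.2', 'TLSv1.3'];

// Parse "Directive value..." lines, skipping comments. A repeated
// directive overrides the earlier one, as it does in one Apache scope.
function parseDirectives(text) {
  const out = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const [name, ...rest] = line.split(/\s+/);
    out[name] = rest.join(' ');
  }
  return out;
}

// Resolve SSLProtocol tokens ("All -SSLv2", "-all +TLSv1.2") into the
// enabled set. "all" is read conservatively as every protocol a build
// might know, so only explicit "-" tokens count as disabling something.
function enabledProtocols(value) {
  const on = new Set();
  for (const tok of value.split(/\s+/).filter(Boolean)) {
    const remove = tok.startsWith('-');
    const name = tok.replace(/^[+-]/, '');
    const names = name.toLowerCase() === 'all' ? KNOWN : [name];
    for (const n of names) remove ? on.delete(n) : on.add(n);
  }
  return on;
}

// Judge one SSLCipherSuite token. Explicit suite names contain "-"
// (ECDHE-RSA-AES128-GCM-SHA256, AES128-SHA); bare words and "+" joins
// are OpenSSL groups (HIGH, EECDH+AESGCM). Ephemeral key exchange
// (ECDHE/DHE, or any TLS 1.3 suite) is what gives forward secrecy.
function cipherFinding(tok) {
  const t = tok.replace(/^\+/, '');
  if (/^[!-]/.test(t) || t.startsWith('@')) return null; // removal or modifier
  if (/^(ECDHE|DHE|EECDH|EDH|kEECDH|kEDH|TLS_)/i.test(t)) return null;
  if (!t.includes('-') || t.includes('+'))
    return `SSLCipherSuite group "${t}": expand with "openssl ciphers -v" and confirm every suite is ECDHE/DHE`;
  return `SSLCipherSuite suite "${t}" does not use an ephemeral key exchange (no forward secrecy)`;
}

// Run all three checks and return the findings as plain strings.
function lintSslConfig(text) {
  const d = parseDirectives(text);
  const findings = [];
  if (!('SSLProtocol' in d)) findings.push('SSLProtocol not set; legacy protocols may be on by default');
  else for (const p of LEGACY) if (enabledProtocols(d.SSLProtocol).has(p)) findings.push(`SSLProtocol still enables ${p}`);
  if ((d.SSLHonorCipherOrder || '').toLowerCase() !== 'on') findings.push('SSLHonorCipherOrder is not On; the client chooses the suite');
  if (!('SSLCipherSuite' in d)) findings.push('SSLCipherSuite not in this include; confirm the suite picked elsewhere is ECDHE/DHE only');
  else for (const f of d.SSLCipherSuite.split(':').map(cipherFinding)) if (f) findings.push(f);
  return findings;
}

// The include from the post (copied here as test input) and a hardened form.
const POST_INCLUDE = `
# Enabling PFS
SSLHonorCipherOrder On
SSLProtocol All -SSLv2
# CVE-2011-3389
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
`;
const HARDENED_INCLUDE = `
SSLHonorCipherOrder On
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
`;
```

Against the post’s include the lint reports SSLv3, TLSv1 and TLSv1.1 still enabled and no SSLCipherSuite in the file (the suite was chosen in the WHM panel, so it has to be checked there); the hardened include comes back clean.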

  • Privacy and Evil and Money

    Privacy and Evil and Money

    Google likes to say ‘You can make money without doing evil.’ It’s right in their Company Philosophy.

    I’ve never bought into that. I mean, I agree you can do it without being evil, but I think that evil is highly subjective and what I feel is evil may not be what they do. Case in point would be endorsements.

    Maybe you’ve noticed when you Google search, sometimes your friends’ recommendations pop-up in the results. Like I searched for fabric stores and got results from my BFF, Andrea. That was amusing, but also disturbing. See, there’s a big difference between search results, and results in ads.

    Let’s step back. Here’s what Google says about their ‘endorsement’ system:

    Google makes it easy for you to get great recommendations from your friends. For example, when you visit the Google Play music store, you may see that a friend has +1’d a new album by your favorite artist. When you search for a restaurant, you may see an ad including a 5-star review by another friend.

    That sounds pretty cool, right? My friends, people I follow on G+, contribute to my results. That’s sensible, since one presumes I share some interests with my friends. But then you scroll down the page and see a section about endorsements in ads.

    This setting below allows you to limit the use of your name and photo in shared endorsements in ads. It applies only to actions that Google displays within ads; the “Summertime Spas” example above shows a shared endorsement appearing in an ad on Google Search. Changing this setting does not impact how your name and photo might look in a shared endorsement that is not in an ad — for example, when you share a music recommendation that is displayed in the Play Store. You can limit the visibility of activity outside of ads by deleting the activity or changing its visibility settings.

    Let me get this straight. People pay for ads on Google, so Google is making money. People click on the ads, so the advertiser makes money. My ‘endorsements’ are posted, without my permission, to drive traffic to those ads to make people money. I am not paid for this service.

    Thanks, Google. Guess what I just unchecked?

    Look, if you want to use me in search results, that’s one thing. Using me in ads is another. If a company took a comment I made in email and used it on their site to say “The Half-Elf loves our cocoa!” without asking me first, I’d be upset. I don’t ever expect to be compensated for my endorsements, but I do expect to opt in to them. Here’s a real world example. I went to a spa and they had a ‘fill out this card to tell us what you think’ thing at the end. At the bottom was a box. “Check here if we can use your comments, or excerpts thereof, in our advertising.” I thought about it, looked at what I wrote, and checked the box.

    But they let me opt in. They asked me for my permission to use me to make more money than the money I gave them for services rendered. I have no idea if they did use what I said, but I liked that they asked (and I liked the services) so I went back a couple times before moving across the country.

    I wish Google understood that sort of respect.

    Have a read of their updated TOS just for fun.