I wanted to explore the extent to which some significant UK websites include SRI of JavaScript assets.
Put together on a Sunday, needs work, curious about how best to check for CSP and whether I've missed other risks beyond just JavaScript not protected by SRI.
IANAL:
If you were allowed to use GDPR under an exemption, perhaps abuse protection, is that the only purpose the data will be used for by yourself and GA?
If you or a data processor you use, uses the data for secondary purposes not covered by any exemption to opt-in consent, I believe you would have to get opt-in consent for those secondary purposes beforehand.
Note: the cookie law is the ePrivacy directive (and national interpretations like PECR) and it goes beyond GDPR in some ways, as the ICO states "Although cookies that process personal data give rise to greater privacy and security risks than those that process anonymous data, PECR apply to all cookies." ( https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a... )
Firefox still invades the privacy of most users.
1. Install Firefox
2. Type privacy in the search bar
3. Google is now tracking you
It embraces dark patterns that invade privacy, whilst criticising other companies for their devices that invade privacy.
Mozilla need to understand how they are part of the problem before I'd start paying for them. As a privacy campaigner, should I pay for a product that invades it by default? It's hard to... I use them because they're the lesser evil.
I agree most of these don't appear necessary, have you thought to contact the DPO, wait 28 days and if no suitable response, contact the ICO?
Also, do you have a link to the EU court guidance?
From what I've read before, some functionally necessary and expected cookies don't need consent, but the user may have a right to be informed.
For instance, a login cookie might be fine, but arguably only if you have logged in - if it remains after you've logged out then that's a bit worrying.
This isn't just an issue of marketing wanting a Facebook Pixel.
In some cases, councils turned their websites into revenue streams and thus were being paid to include adverts on their site that tracked users, browsing council content.
You can have targeted ads and be anonymous to the ad companies.
Ads can be targeted to context, not user - web developer ads on JavaScript blogs.
Ad profiling and targeting can be done client side.
Users' could opt in to what they are targeted for to ensure it is the relevance they want. You will often find ad tracking technology on some very privacy invasive websites. I've seen it on HIV support, rape support, prayer, single parent dating, cancer advice, alcoholism, political party membership pages and many more; even tracking military intelligence recruitment. Are the relevant ads and infosec risks for these topics good for the user?
Tackling anonymised delivery and fraud prevention is a problem, but it's something that can be overcome with accepting it already happens and then minimising it through privacy respective methods like using auditors and testing, copying anonymisation protocols (maybe Tor), payment style validation (Brave?, zerocoin) and server side metrics.
For those who think the EU has strong data privacy laws, you might want to read what exemptions each country has.
I'm pretty confident the Brexit Party are still failing to meet privacy law, but to see this, following the Brexit mess with Cambridge Analytica, I'm left wondering ... did anything change?
Profiling – The Brexit Party aim to create and maintain a profile for each registered voter in the UK. We will do this by merging the Electoral Register(s) with other data that maybe lawfully available to us. For more detailed information about this type of processing, you may wish to read the ICO Draft framework code of practice for the use of personal data in political campaigning. If you wish, you can ask us not to maintain a profile in your name using the contact details above and we will take steps to remove you from our systems.
I don't have a problem with DNS-over-TLS, I don't know enough about it... but I'm afraid I want DNS from Firefox's perspective to be plaintext, transparent and easy for me to check and even change. Like the filesystem is.
Not just for me, easy for Privacy International to audit when verifying apps tracking, easy for OpSec on my work laptop and easy for my firewall tooling to intercept and manage.
I want the OS's network stack to transparently proxy that plaintext request to an encrypted one: which may well be DoH or DNS over TLS, just like filesystem drivers proxy plaintext file requests over encrypted hard disks.
Whether this is by a plain text request over loopback, using the existing plain text DNS protocol or a more efficient OS api I'll happily leave evolution to resolve: but for now the plaintext protocol might be the fastest thing to proxy.
I'm saddened that Google is the default. I hope Brave asks users in the future, but understand there are probably a few different goals being juggled whilst Brave grows.
The first paragraph suggests the order is for “targeted and personalised information”.
That would suggest that it's unlikely to be anonymised data collection; at best perhaps pseudonymous... and then you get into the questions about how easy it is relate these ids to real identities. Let's hope Facebook stays out of the equation with their fr and c_user cookie fields.
The intentions may be well meaning (let's optimise services for businesses and people prior to significant changes).
However, we've recently had the Windrush scandal and Home Office hostile environment policy: there are over a million people in the UK who may have questions about their residence rights changing and wouldn't like to be tracked whilst they try to find answers.
If you enjoy researching and being creative, then maybe you can experiment with some online koans, watching tutorial videos, an online course or even coding competitions to get more exposure to how developers solve various types of problems differently. You might see some patterns that you understand and help you develop.
I personally learned a lot about problem solving from trying different language paradigms: being forced to tackle things from a different direction - so you could try some ClojureScript or golang (if you want to give the backend a try).
If things still don't click, then there's various different roles in software projects, the bigger the product the more diverse the roles: you can probably search a job board for "software" and see what comes up if you want to stick in the industry and get an idea for what else there is to do.
If Mozilla wanted to respect privacy the "UI that is designed to act as a search field for Google" could be a "UI that is designed to act as a search field for DuckDuckGo", it wasn't that long ago it was a search field for Yahoo. What's notable here is that Google is the default and in doing so is endorsed and recommended by Mozilla for its users.
So the fact here is that Mozilla made that choice to be in bed with Google.
Maybe think about it another way. Imagine Greenpeace defaulted to offering to book supporters private planes to get to every protest. It is this nature of extreme distance from organisational values that Mozilla is expressing when it defaults to Google search.
No solution, but I think we'll never find one if debate, about problems with web privacy, suggests Mozilla is the answer - until they put into actions their words, they shouldn't be seen as the way to go.
Whilst I have reservations about Brave, from a privacy standpoint they appear to be more trustworthy and some of the actions they are involved with, like complaints to regulators are far beyond anything we've seen of Mozilla - sure they may have corporate motives, but right now they appear to align far better with consumer privacy.
There are forks of Firefox that are trying to improve on delivery of privacy
I am not wholly comfortable using Brave because of its dependency on Chromium, too much of a dependency on a single web rendering engine reminds me of IE days.
I would suggest to anyone, install them both and more, you might love browsing the web in emacs (someone must) - if you find a website that doesn't work on Firefox and you need Chrome, then why not use Brave instead?
Personally I'm trying both, I also bought a Librem Laptop so I have PureBrowser too and I'm not afraid to throw some of my money and inconvenience at products that are better at protecting my privacy: for techies we can all do this with relative ease. For non-techies, which is where we really need the sea of change (and who are unlikely to read this), then we can advise them towards Apple's products and make them aware of products like Brave so it can be their "backup" browser if not their first choice - not perfect, but I'd prefer my family to browse using Safari, Firefox (with privacy settings I have to sit down and sort out for them) or Brave; than Chrome.
In the EU this would breach the ePrivacy Directive - as there is neither consent or information supplied in advance. Privacy is not just about information captured about you, but about privacy of what you have stored on your electronic devices.
2. If you then type "privacy" into the address bar, it loads https://www.google.com/search?q=privacy&ie=utf-8&oe=utf-8&cl... directing users into the most privacy invasive service on the internet with no advance warning. I now have a wealth of Google cookies from their search domain, but there are also cookies set for DoubleClick and Adservices.
I'm now enrolled into surveillance capitalism and all I did was open Firefox for the first time, type "privacy" and press enter.
Mozilla talk a lot about privacy, but their products and websites don't live up to the privacy standards we need and if anything they're on the wrong side of the fence when it comes to acting on privacy - they still make things worse and not better; although it has to be acknowledged that they have improved a lot with the tracking protection features that have slowly been making their way into Firefox.
When you explain how adtech tracking works, with examples to organisaions that have a moral and regulatory need to protect privacy, in some of the most sensitive situations, it is possible to get them to remove ad tech without too much effort.
This has been a mixed success as a privacy complaint and I hope the regulator (ICO) steps in to make sure similar organisations remove ad tracking where there are vulnerable users.
Childline was copied in many countries, you might want to check your national online service.
You can achieve similar benefits of verification with PGP and similarly rich object level encryption.
Be careful of gotchas in how PGP or similar work, if you choose it (notable what is or isn't plaintext).
Object level encryption typically allows for better separation of concerns as it does not bottleneck to a unique domain:port to seperate encryption contexts. It also eases separation of public facing encryption risks from private internal ones.
If a public server is breached, all HTTPS traffic can be read, but if it proxies a more secure, perhaps simpler application environment (perhaps a microservice for the specific functionality), then that application environment is not affected by vulnerabilities in unrelated public facing features (like a backup microservice might not care about how to render HTML/JavaScript, so wouldn't be vulnerable to common web XSS attacks).
It allows other benefits like:
- it faciliates only user can decrypt data being sent (good for backups)
- intermediate services to load balance and block DOS don't have to be exposed to the plaintext data, only the necessary service that needs it
- many to many encrypted messages over one connection (TLS is many to 1 decrypting endpoints)
- intermediate caching and redelivery of messages can be done with ease
- similarly verification of the data with signatures reduces risk of data corruption being missed that may happen during transport.
- you don't have to depend on the Certificate Authority model (which is questionnably secure given the history of revoked CAs), you can use your own trust store or your own web of trust that could be shared with appropriate third paries or the whole web.
- if others can think of more, please suggest them
The encryption can just be used for verification (signatures) and this is very valuable for trusted content distribution, especially if you want to scale it using third parties.
Because of these properties PGP or similar object encryption technologies often play a part in secure forms of backups, email, instant messaging, software repositories and handling sensitive data in more regulated industries (health, finance, etc).
Arguably, both TLS and object level encryption together are worth doing, as object level encryption may sometimes make it more obvious who the sender and target identities are and this metadata may in itself be of a concern to leak.
I don't appear to have an edit option, I thought comments could be edited.
Thanks for removing MixPanel, I think centralised analytics are by default going to breach privacy as you only need a referer and an IP address to have enough data to put someone's privacy at risk.
Also, third party JavaScript (not protected by code review and SRI) is an access control issue and can violate privacy at anytime as shown by instances of credit card theft and cryptomining this year.
Simply Analytics lies about not being a GDPR concern (which requires consideration for access control and security (loading third party JavaScript) and under GDPR IP address can be considered an identifier.
I wanted to explore the extent to which some significant UK websites include SRI of JavaScript assets.
Put together on a Sunday, needs work, curious about how best to check for CSP and whether I've missed other risks beyond just JavaScript not protected by SRI.