Notes and references from our talk "Data protection in web development made easy" at DrupalCamp 2015 in Tallinn, Estonia, on August 28. Plus related things that could be of interest.

Download slides

Why data protection?

Data protection is a method of protecting the human right to privacy. We have this human right in order to be in charge of not only who we are, presently, but also to be in charge of who we become and why we become that person. It's about having the right to form one's own identity without undue interference.

Data protection legislation is methodical, and can be a bit dry - mostly it consists of exceptions to four quite simple principles: 1) every person should have the right to know who affects them ("right to know"), 2) they should have the right to determine if they want to be affected or not ("right to consent"), 3) one should not collect more data about other people than is absolutely necessary ("data minimization"), and 4) one should always have the individual and their rights at the centre of one's design plans ("user-centric"). Whoever keeps these four principles in mind is unlikely to come in conflict with data protection laws, and studying the law more closely is only necessary if one wants to deviate from any of the principles.

Data protection and data security are similar, but not the same. Data security is when something works as foreseen: it is possible to be perfectly privacy invasive in a secure way. Data protection is when the "security parameter" is set to "protect individuals" rather than "protect some other interest". Data minimization is good for both security and privacy, but there is not a 100% overlap. 

One important question for every web developer to ask themselves when they put up a platform - even on behalf of a customer or client - is whether tracking the users is actually unavoidable. Many times, statistical data and information about visitors is gathered because it's simple to do so, and it's seen as helpful to improve the platform. Here, one should stop to ask if it's the duty of a website visitor to help out.

Recent reports

2014-06-30: The right to privacy in the digital age [pdf]
Report of the Office of the United Nations High Commissioner for Human Rights
On the importance of privacy and human rights in digital environments.
See also: Background

2014-10-23: Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism
English, Arabic, Chinese, French, Russian, Spanish [pdf]
Privacy is important for freedom of speech, and needs to be established also in digital environment.
See also: Press release

2014-12-08: The Rule of Law on the Internet and in the wider digital world [pdf]
Council of Europe Commissioner for Human Rights
Summaries: French, German, Russian, Serbian, Turkish [pdf]
States should not force companies to “self-regulate” as a means of circumventing human rights legislation. Privacy is important. Human rights and due process are important.

2015-05-28: Report on encryption, anonymity, and the human rights framework [doc]
UN Special Rapporteur on Freedom of Speech and Freedom of Opinion
Encryption and anonymity are a condition for freedom of speech and the freedom to form an opinion.
See also: Additional documents

Technical

HTTPS

Standard SSL certificates now cost a single-digit amount of dollars/euros.

In September, Let's Encrypt will make them free for all.

If you do use HTTPS, consider turning on HSTS (but really make sure everything is working 100% well first!).

Note that HTTPS doesn't offer perfect privacy - it might still be possible to determine what page you're looking at through traffic analysis. But it's a whole lot better than using HTTP.

Use Qualys' SSL Server Test to check your setup.

Referrers

Use rel="noreferrer" for external links. HTML5 spec, 4.8.4.8:

It indicates that no referrer information is to be leaked when following the link.

If a user agent follows a link defined by an a or area element that has the noreferrer keyword, the user agent must not include a Referer (sic) HTTP header (or equivalent for other protocols) in the request.

Supported by Firefox since version 33 and by WebKit (Chrome, Safari) since November 2009.

<a href="http://www.foo.bar/" rel="noreferrer">Works with Firefox, Chrome, Safari. Not IE.</a>

A newer development is Referrer Policy. This makes it possible to apply one policy to all links, rather than having to set rel on each of them. It can be set in the HTTP header:

Content-Security-Policy: referrer no-referrer;

...or via a meta tag:

<meta name="referrer" content="no-referrer">

It also offers alternatives like “Origin Only”, “Origin When Cross-Origin”, etc. Applies to CSS/JS (link, script) requests too! Referrer Policy is still just a draft, but is supported by latest Firefox, Chrome and Safari, as well as Microsoft Edge in Windows 10.
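To compare what the different policy values actually leak, here is an added example (not code from the talk or the notes) that computes the Referer a browser would send from a page to a link target under each policy token of the draft; the URLs are constructed sample values, and "no-referrer-when-downgrade" is modelled as the browser default.

```javascript
// Added example: resolve the Referer header value for a navigation from
// `fromUrl` to `toUrl` under a Referrer Policy token. Null means no header.
function refererFor(policy, fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  // A "full" referrer never includes userinfo or the fragment.
  const full = from.origin + from.pathname + from.search;
  const originOnly = from.origin + '/';
  const sameOrigin = from.origin === to.origin;
  // Downgrade: leaving an HTTPS page for a plain-HTTP target.
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  switch (policy) {
    case 'no-referrer':
      return null;
    case 'no-referrer-when-downgrade': // browser default without a policy
      return downgrade ? null : full;
    case 'origin':
      return originOnly;
    case 'origin-when-cross-origin':
      return sameOrigin ? full : originOnly;
    case 'unsafe-url':
      return full;
    default:
      throw new Error('unknown referrer policy: ' + policy);
  }
}

// Table of what each policy reveals for one link, useful when choosing a value.
function comparePolicies(fromUrl, toUrl) {
  const policies = ['no-referrer', 'no-referrer-when-downgrade', 'origin',
                    'origin-when-cross-origin', 'unsafe-url'];
  const result = {};
  for (const p of policies) result[p] = refererFor(p, fromUrl, toUrl);
  return result;
}

// Constructed sample: a page with a sensitive path and query linking to a
// third-party site over plain HTTP.
console.log(comparePolicies('https://example.org/members/report?id=42#top',
                            'http://tracker.example/'));
```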

Google Analytics alternative: Piwik

Piwik is a free (GPLv3) analytics platform. PHP + MySQL.

Make sure you anonymize visitor IP addresses and disable cookies. See Configure Privacy Settings in Piwik and How do I disable all cookies for a visitor?.

If you insist on using Google Analytics...

Anonymize the last octet of the user’s IP (what this means):

ga('set', 'anonymizeIp', true);

Use forceSSL to make all requests, even ones from insecure pages, use SSL:

ga('set', 'forceSSL', true);

Implied cookie consent is not cool. Don’t send data until user has given consent (read more):

window['ga-disable-UA-XXXXXX-Y'] = true;

And then, on opt-in: set it to false, set a cookie for future reference, and finally track the page view with ga('send', 'pageview');. See this Stack Overflow answer for more.

You could also load tracking code conditionally depending on the user's DNT setting (although this might be problematic for cached pages):

if ( isset( $_SERVER['HTTP_DNT'] ) && $_SERVER['HTTP_DNT'] == 1 ) { ... }
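Putting the opt-in steps above together client-side, as an added example that is not from the talk or the notes: the tracker stays disabled until a consent cookie exists, the visitor's DNT signal overrides a stored opt-in, and only then are anonymizeIp, forceSSL and the page view sent. The property id is the placeholder from the notes, the cookie name is assumed, and window/document/navigator are passed in so the logic can be exercised outside a browser.

```javascript
// Added example: opt-in analytics gating. PROPERTY_ID is the notes' placeholder
// id; CONSENT_COOKIE is an assumed cookie name.
const PROPERTY_ID = 'UA-XXXXXX-Y';
const CONSENT_COOKIE = 'analytics_consent';

function hasConsentCookie(doc) {
  return doc.cookie.split(';').some(c => c.trim() === CONSENT_COOKIE + '=1');
}

// Browsers expose the DNT preference as navigator.doNotTrack ('1' or 'yes').
function dntEnabled(nav) {
  return nav.doNotTrack === '1' || nav.doNotTrack === 'yes';
}

// Run on every page load before any other ga() call. Returns whether tracking
// is active. The ga-disable flag must be set before the tracker is created.
function initAnalytics(win, doc, nav) {
  const allowed = hasConsentCookie(doc) && !dntEnabled(nav);
  win['ga-disable-' + PROPERTY_ID] = !allowed;
  if (allowed) {
    win.ga('create', PROPERTY_ID, 'auto');
    win.ga('set', 'anonymizeIp', true);  // drop the last octet server-side
    win.ga('set', 'forceSSL', true);     // never send beacons over plain HTTP
    win.ga('send', 'pageview');
  }
  return allowed;
}

// Called from the consent banner's accept button. An explicit DNT signal
// still wins, so no consent cookie is written in that case.
function optIn(win, doc, nav) {
  if (dntEnabled(nav)) return false;
  doc.cookie = CONSENT_COOKIE + '=1; path=/; max-age=' + (365 * 24 * 3600);
  return initAnalytics(win, doc, nav);
}

// Constructed stand-in for the browser, so the file runs under Node as well.
const fakeWin = { ga: (...args) => console.log('ga', ...args) };
const fakeDoc = { cookie: '' };
console.log('before opt-in:', initAnalytics(fakeWin, fakeDoc, { doNotTrack: null }));
console.log('after opt-in:', optIn(fakeWin, fakeDoc, { doNotTrack: null }));
```

In a real page, replace the fake objects with window, document and navigator.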

Fonts

Self-host Google Fonts - use one of the following to get fonts in all formats with proper CSS:

Social media buttons

Official like/share buttons let others track your visitors. Use locally hosted images/fonts, like Font Awesome.

If you need to show number of shares, use a two-click solution (user needs to click to activate) - such as Social Share Privacy - or let your server fetch the data periodically. Same with e.g. embedded Tweets.

Disqus alternatives

Self-hosted with Disqus-style embedded JavaScript:

Forum software that can be used with Drupal:

  • Discourse (Ruby, GPLv2) + Discourse module ("provides a way to embed an instance of the Discourse forum software within a Drupal site")
  • Vanilla Forums (PHP, GPLv2) + Orchid module ("allows Drupal integration with a Vanilla forum instance")

Some Drupal-specific ideas

To completely avoid cookies in a vanilla Drupal 7 install, edit misc/drupal.js and comment out the following line:

document.cookie = 'has_js=1; path=/';

This appears to be no longer necessary in Drupal 8.

At Dataskydd.net we use Drupal's built-in comment system together with honeypot to avoid spam. This works very well. However, Drupal does set a cookie to save the commenter's name/email address/homepage. To avoid this (in Drupal 7) we comment out the following line in modules/comment/comment.module:

user_cookie_save(array_intersect_key($form_state['values'], array_flip(array('name', 'mail', 'homepage'))));

Of course, modifying core files is not a good idea, but we haven't gotten around to doing it in a cleaner way - yet! (Contributions are very welcome.)

Set rel="noreferrer" on external links - use the plugin noreferrer. This can also set the meta referrer element if you use the metatag module.

Avoid Google Analytics. Switch to Piwik; there is a module for integration with Drupal.