Okay, I'm going to get started now. It's three after. My name is Squeaky Rubio. I'm a web developer at Kalamuna, and I'm going to share some tips on how to build websites that protect user privacy. There was a session earlier today that went into a lot of detail about building Drupal websites that are very secure, and it had a lot more Drupal-specific information. My presentation is applicable to any website, and I'm going to focus on third-party scripts.

A little about me: I've been a developer for over 15 years, and I've been working with Drupal for 15 years. First I was a web designer slash web developer, then a front-end developer for a little while, and I have been a full stack developer for the past eight years. I'm in the Bay Area; I was born and raised in Northern California. I also worked for the Electronic Frontier Foundation for a number of years, so privacy is something I care a lot about and have learned a lot about.

So let me get started. The title of this session is kind of broad, and my session proposal was also very broad, but this is a very short presentation, so I'm going to focus on third-party trackers. Most websites leak visitor traffic to third parties. It's not always clear, and I think there's a little bit of discussion about, whether all third parties are tracking, or whether all assets loaded from third-party domains are trackers. So I think it's important to consider the information that's being shared when you load assets from a third-party domain, for example an image file or a JavaScript file.
It might not be doing anything that would be considered tracking, but it still shares information through the request header and the response header. Typically, the most common ways that people include third-party trackers on their websites, historically and continuing today, are Like buttons, Twitter widgets, share plugins, analytics like Google Analytics, and embedded videos. So I think it's important to consider what is in an HTTP request: it shares your browser, your OS, architecture, language, the referer, and other identifying information in the headers. I'm definitely learning a lot about this topic right now, so these last couple of slides could definitely be updated, but at least any asset loaded over a third-party domain shares the IP address, a timestamp, and whatever is included in the request header. I've probably lost some folks there. Even one-pixel images can share information (thanks, Matt). So there could be hidden information on a web page that's being loaded over a third-party domain.

One thing that third-party trackers can do is browser fingerprinting, and there's a tool that the EFF provides called Panopticlick that allows you to test your own browser and see how uniquely identifiable it is. Browser fingerprinting is supposedly illegal according to the GDPR, the General Data Protection Regulation, which went into effect a couple of years ago, so supposedly browser fingerprinting is not supposed to be happening.
Anyway, a great resource for reviewing third-party trackers on a website is Privacy Badger. You can install it, and it has a little drop-down interface that shows you all the different third-party trackers it has blocked. This is great if you have it installed; if you don't have it installed, all these trackers will gather quite a bit of information about you, since these are scripts that it detects being loaded on the page. However, I noticed that some script files are not considered third-party trackers, and I realized this just this week as I was preparing this presentation. For example, I have my personal site, and, you know, I removed this link to the Font Awesome domain. Privacy Badger doesn't consider this a third-party tracker, but it is a third-party script. So with JavaScript you definitely want to use a lot of caution when loading scripts on your page from third-party domains. There has to be a lot of trust with that domain that they won't change the behavior of that script at some point later on. It might not currently be doing any kind of tracking, but it's still being loaded, so the request header information is still accessible to that domain, and they could change that script file later and start tracking me at another point. So it's just important to be aware of that, and JavaScript files can introduce security vulnerabilities, so you really want to be careful loading scripts from third parties. I just said that third-party scripts can introduce security vulnerabilities, so: instead of loading Google Fonts remotely...
Next, I'm going to share a number of tips on how to avoid loading third-party scripts, but I'm also going to share some tips on how to avoid loading any kind of asset from a third-party domain, because I think that even if you're just sharing the IP address with that domain, that user might have visited another website that does have tracking, and they probably have ways of correlating that little piece of data gathered from the site where the tracking wasn't done with the data they collected on another site where tracking is being done. Hopefully that made sense.

So, instead of loading Google Fonts remotely, these can be uploaded to your own server. This takes a little bit of savviness to update your CSS to load the fonts from the new location. Google Fonts does let you download them, so there's no problem adding them to your server as long as you are comfortable, or have somebody to help you, getting everything set up correctly. If you're using other fonts that are not open source, it's important to pay attention to the licensing agreements. It's definitely easier to do this with open source fonts, and you will want to coordinate with designers around planning out the fonts that you use on your site, if privacy is super important.

Next, you should also let users opt in to third-party scripts for video embeds and other types of embeds. For example, you could have a screenshot of a video, and below that it can have a message that informs the user that clicking that embed will load third-party content.
You can also create your own share links. Share links can consist of some HTML, a little bit of CSS, and about 10 lines of JavaScript. I'm actually planning on writing and releasing open source share links, because it seems like very rarely does anybody know exactly how to make share links without using third-party scripts. That's one of the things on my to-do list; I was hoping to have that ready to share with everybody today, but I will tweet it out in the near future.

You should also self-host JavaScript plugins and libraries instead of loading them from third-party domains. Externally hosted JavaScript files, like I said earlier, increase the risk of security vulnerabilities, such as XSS attacks. You can use build tools to compile your JavaScript; a lot of sites do that.

Also, you should use POST requests for forms, never GET requests. A GET request is where the parameters, whatever information is entered in your form, get sent over the URL, and third-party trackers will collect any data sent over a GET request. That's probably a very well-known thing, but it's important to know that you shouldn't do that.

So that covers stuff that's mostly specific to third-party domains and how to avoid sharing your website visitor traffic with them. But then there are cases where maybe the organization's privacy needs are more intense, and it's necessary not to log any data from visitors to your website, for when you get a subpoena or a court order to hand over a log of visitors to your site. This has happened.
There are ways you can just not log or store data in that case. There are modules and some things for, I think, Linux servers and maybe some other types of servers that help with scrubbing logging data on your server.

Also, there are open source analytics tools. I think that Google Analytics is a poor excuse for including third-party scripts on your website. Google Analytics is the most popular third-party script, and it collects a lot of data on the visitors to your website. I think there are a lot of instances where organizations don't really need as sophisticated or complicated a tool as Google Analytics: it has a lot of features and requires training, and sometimes organizations don't need all of those features. Some of the open source analytics tools, at least one of them, are simpler. But I think Matomo, which was formerly Piwik, has a lot of great features. I don't think in all cases organizations really need analytics tools as much as they think, unless that is a really critical part of the organization's goals. In some cases, for smaller nonprofits, or nonprofits in general, it isn't clear to me that knowing your page counts on your site is always going to be tied to funding, but I might be wrong. And also, if a tool is really important to you, for example to report to a grant organization, I think it's good to consider paying some money for it, and in that case you could self-host it.
Those are just some thoughts. My thoughts on this are kind of disorganized, but I hope that was provocative.

Okay, so I'm going to speak a little bit about Drupal. Drupal is good at security and privacy, but just make sure you enable HTTPS. Another thing you might consider is enabling HTTP Strict Transport Security; this ensures that any asset loaded on your page is loaded over an HTTPS connection. I also wanted to talk about the same-origin policy, but I didn't make a slide for it. Let me just add a clarification about HTTP Strict Transport Security: that's a setting that you can set on your server. And the same-origin policy is also a server setting, in that you can restrict which domains you load assets from. That's just another thing I wanted to include.

Also, if you want your Drupal site to be secure, don't use shared hosting. Those are just the basics. And here are a number of Drupal modules that are good for security. I haven't used all of these, but I just wanted to put them in a slide. And there are others; if you went to my shop shares presentation earlier, he would have provided a great overview of Drupal modules and Drupal best practices for security.

Another thing to consider is that static HTML is always more secure than server-side code. That was more of a security suggestion than a privacy one. And then I just wanted to add that...
There are other types of third parties to consider whether you trust or not: caching services, cloud hosting, and CDNs (content delivery networks). With caching services and CDNs, at the very least you're sharing your request headers, which include the IP address and a number of other things. Cloud hosting might be able to access, or at least it's holding, your data for your application as well. There are certain organizations where privacy and security are a lot more important than for others, and they would be more concerned about these, but I'm just trying to encourage more people to care about privacy.

There are a lot of digital privacy laws, and they're kind of confusing and complicated. I've tried to read them, and I think I would need to read them quite a bit more before I start talking about them, but I can just mention them real quick. I didn't actually create a slide for it, but I do have it in my notes. There's the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), and the Family Educational Rights and Privacy Act (FERPA). Those concern different US industries that have for a while had privacy and security laws. And then there's the GDPR, the General Data Protection Regulation, that was enacted a couple of years ago, and the CCPA, which was enacted and went into effect last year. The CCPA is the California Consumer Privacy Act.
These concern anyone, because the internet doesn't have borders. In order to protect people in California and people in the European Union, you basically just need to protect everybody and meet the standards of those laws. I could ramble on a little more about digital privacy laws, but I don't know that it would be super beneficial to anyone, so I'm just going to move on, and I think that might be the end. Oh yeah, that's perfect, we have a little bit of time for questions. Thank you everybody for joining. Let's see how many people are here. I wish I could hear people. Is there any way that people can share their screen so I can see anyone else? This feels like I'm talking to a wall. Questions? Did somebody try to join? Okay.

So the question is, what would I suggest for a really small nonprofit that wouldn't be interested in hosting their own JavaScript servers? You don't have to have a special server for your JavaScript; you can host it in the same place that you host your website, the same system. So I'd develop it with compiling and adding the JavaScript in a way that makes sense or is appropriate for your site.

How do I strike a balance between privacy and having to develop your own code instead of using third parties? Well, I think it depends on how complicated your web presence is. If you have a very simple site, if your site doesn't require logging into it, it could be a static site, and there are even places where you can host your site for free, for example as a GitHub Pages site. My personal website is hosted for free as a GitHub Pages site off of GitHub.com. So that's very helpful, but it really depends on the project. Any other questions? Okay, yeah, it might.
Yeah, you might still need a developer, or just somebody that has a little bit of website savviness. Oh, yeah. Okay, Netlify also has free plans, and you can run them with Drupal, with a Drupal back end. Oh, that's cool. And you might be able to follow the GitHub Pages instructions. And Netlify, I think they have some pretty easy way, like one click, or a way to install some of these within a few clicks. Netlify might be able to do that. Okay. If there are any other questions, I'm going to move to the next presentation slide. Oh, cool. Yeah, Gatsby is a great tool for building sites. Also, Hugo is pretty easy to use, or at least to install a static site, but it does require compiling, so that's not super simple. Yeah, I think if you're just starting, you can kind of copy examples of websites, if you can edit HTML and edit CSS, start with the basics and add complexity as you go. That might work if you're just starting out and learning how to create websites; that's also something to consider. And if you're building your own site, there are some places that will let you host your site for free. All right, well, thank you everybody for joining. I wish I could have seen everybody; this is my first time doing a virtual presentation. I appreciate you all hanging in there.
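The opt-in video embed described in the talk (a self-hosted screenshot, a notice, and the third-party player fetched only after the visitor clicks), as an added example that is not the speaker's code or part of the original transcript. The allowlisted host names, the `embed-optin` class and all function names are assumptions for illustration.

```javascript
// Added example (not from the talk): an opt-in ("click to load") video embed.
// The page ships only a poster image from our own origin plus a notice; the
// third-party player is requested only after the visitor clicks. Host names,
// the CSS class and function names are assumptions for illustration.

// Embed hosts the site operator has decided to trust (assumed list).
const TRUSTED_EMBED_HOSTS = new Set(["www.youtube-nocookie.com", "player.vimeo.com"]);

// Return the host name if the embed URL is https and on the allowlist, else null.
function trustedEmbedHost(embedUrl) {
  let u;
  try { u = new URL(embedUrl); } catch (e) { return null; }
  if (u.protocol !== "https:") return null;
  return TRUSTED_EMBED_HOSTS.has(u.hostname) ? u.hostname : null;
}

// Escape text before interpolating it into HTML attributes or content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Placeholder markup: poster image from our own origin plus a notice telling the
// visitor what loading the video shares. Rendering this sends nothing to the host.
function placeholderMarkup(embedUrl, posterPath, title) {
  const host = trustedEmbedHost(embedUrl);
  if (host === null) throw new Error("embed host not allowlisted: " + embedUrl);
  return `<div class="embed-optin" data-embed="${escapeHtml(embedUrl)}">` +
    `<img src="${escapeHtml(posterPath)}" alt="${escapeHtml(title)}">` +
    `<button type="button">Load video</button>` +
    `<p>Loading this video sends your IP address and request headers to ${escapeHtml(host)}.</p>` +
    `</div>`;
}

// Markup that replaces the placeholder after consent. referrerpolicy="no-referrer"
// keeps this page's URL out of the Referer header sent to the embed host.
function iframeMarkup(embedUrl, title) {
  if (trustedEmbedHost(embedUrl) === null) throw new Error("embed host not allowlisted: " + embedUrl);
  return `<iframe src="${escapeHtml(embedUrl)}" title="${escapeHtml(title)}" ` +
    `loading="lazy" referrerpolicy="no-referrer" allowfullscreen></iframe>`;
}

// Browser wiring: swap each placeholder for its iframe when its button is clicked.
function activateOptInEmbeds(root) {
  for (const box of root.querySelectorAll(".embed-optin")) {
    box.querySelector("button").addEventListener("click", () => {
      box.outerHTML = iframeMarkup(box.dataset.embed, box.querySelector("img").alt);
    }, { once: true });
  }
}

// Only runs in a browser; server-side rendering can call placeholderMarkup() directly.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => activateOptInEmbeds(document));
}
```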