Hugo: GDPR: Should Hugo offer Simple Mode Shortcodes or not?
Related issues: #4616 #4748 #4749 #4764 #4765 #4766 #4755
Ok. @bep 's reservations about Simple Mode Hugo shortcodes got me googling again about the GDPR (as if I haven't done it enough during the past few months).
And I just discovered a couple of new things:
Some consider that even the loading of images from external servers is a GDPR privacy violation, because the server where the image is stored receives the IP of the visitor in order to serve it and that's Personally Identifiable information under the GDPR. Link here
While others think that cross-linking of things and sharing information is the basis of the internet and that is something that will be very hard to prevent GDPR or not. Link here
The main idea behind the Simple Mode Shortcodes was to disable the user tracking of 3rd party services through iframe embeds. It can be done but it is very time consuming, adds overhead to the maintenance of the Hugo project and the end result does not match the functionality of the 3rd party embeds that come with user tracking.
So what do we do?
Scrap the Simple Mode Shortcodes and go for a consent mechanism as described here
Or continue with the Simple Mode shortcodes?
That is the million dollar question.
PS I'll post about this and ask user feedback in the Forum also.
onedrawingperday
All 8 comments
So,
There the whole GPDR "is this compliant" thing is a little bit unclear, but that is fine. Hugo need to document what privacy tools it provides.
And this is a work in progress, it's not something we can perfect in 2 days.
Take the Instagram simple variant.
Maybe the request to Instagram creates a HTTP request that may be "identifiable".
The solution to that is to host that image yourself. Which is in my plans, but that is well inside the resource func issue and I'm not rushing into an implementation just because of this (not unless someone puts up the money to pay me).
So, for people who use the Instagram shortcode they have 3 options:
- Not using it, which would be guaranteed GDPR compliant. We have a privacy policy toggle in place for this.
- Use the simple version, that currently do a HTTP request against Instagram servers. We may improve this, but not now.
- Use the full version.
There has to be a level of "good faith" and "we are really trying and we are going to do better" here.
bep
on 24 May 2018
Thinking about it, hosting the images yourself is probably not an option unless you own the images.
bep
on 24 May 2018
I agree with everything you wrote. But I just want to note that this also affects the YouTube and Vimeo thumbnails that are fetched in the Simple variants.
But to be honest I think that I had a GDPR overdose today (lol).
I'll send the PR for the YouTube/Vimeo SVG icon tomorrow.
Also I pinned this question in the forum globally until Sunday (if you want to unpin it feel free to do it).
I'm out for tonight.
Thinking about it, hosting the images yourself is probably not an option unless you own the images.
@bep The Instagram API allows to store images in an application as long as they are needed.
onedrawingperday
on 24 May 2018
@onedrawingperday so, what is the conclusion on this?
This current quota of time I have for this is just about dried out, so I suggest we get _something_ out the door.
bep
on 25 May 2018
It's up to you. If you want to get something out as WIP do it.
One question though about GA.
I've seen you have included a Do Not Track configuration but you have not included any privacy options in the script like anonymize_IP ? You must anonymize the IP at the very least before a page view is sent to Google servers.
See the 2 versions of proposed script modifications.
Version 1 and rationale here
Version 2 and rationale here
Async version here
Also my time was limited this week. I'll have more time from now on.
onedrawingperday
on 25 May 2018
but you have not included any privacy options in the script like anonymize_IP
I did not catch that on the GA examples I looked at. But I will add it to the mix...
bep
on 25 May 2018
I did not catch that on the GA examples I looked at. But I will add it to the mix...
@bep The script modifications for GA are my own. You will not find them in this form anywhere else on the web. Also I've tested this script extensively.
Basically I have moved Google Tracking in HTML5 Session Storage so that nothing is set in a user's device and so no consent is needed. The caveat is that there will be no returning visitors in Analytics reports. Also a visitor is recorded per browser for example if you visit a page in Firefox then open it in Chrome from the same device it will show 2 visitors in the reports.
The Async version was written by @jhabdas
onedrawingperday
on 25 May 2018
Closing this. Hugo will have Simple Mode templates after all.
It will be only Instagram for now.
See commit: https://github.com/gohugoio/hugo/commit/1f244b802eaabb119d38dae00a8c2bbbd3263752
onedrawingperday
on 25 May 2018
Related issues
arikroc
路
3Comments
kaushalmodi
路
3Comments
bep
路
3Comments
ianbrandt
路
3Comments
moorereason
路
3Comments
Most helpful comment
I agree with everything you wrote. But I just want to note that this also affects the YouTube and Vimeo thumbnails that are fetched in the Simple variants.
But to be honest I think that I had a GDPR overdose today (lol).
I'll send the PR for the YouTube/Vimeo SVG icon tomorrow.
Also I pinned this question in the forum globally until Sunday (if you want to unpin it feel free to do it).
I'm out for tonight.
@bep The Instagram API allows to store images in an application as long as they are needed.