Practical privacy tips for your business

Category: IT technology · Published: 4 years ago


As the founder of Simple Analytics, I’m running into privacy issues while building our product. Based on those learnings I would like to show you some practical tips to improve the privacy of your visitors. Some of the tips seem very logical but can be hard to implement. That’s why I have provided examples with every tip so you or your team can apply them without doing all the research.

Join the discussion on Hacker News and make sure to vote if you love it

Some tips might become a bit technical and if you don’t have any technical background, feel free to skip those and forward them to your technical team.

Third-party services

Most businesses use plenty of third-party services. They help you provide a better service to your customers, which is great. But it’s hard to know how privacy-friendly these services are. While you might know them all (it’s required by the GDPR), you don’t know if you can trust them. It’s healthy to always treat third-party services as untrusted and use them in your product that way. There are a few ways you can limit their effect on your visitors.

Load third-party scripts only when needed

Sometimes you need to use external scripts. For example, you could be using a chat service or a payment provider. Solution: Only load those scripts on pages where you use them.

A chat widget may need to load on every page, but a payment provider certainly doesn’t. Don’t include those scripts on every page.

When using a chat that you use on every page you could get a bit creative. For example, you could have a little button that only loads the external script when you click it.

Show code example
// Load the chat script only after the visitor asks for it by clicking the button
var button = document.querySelector(".chat-button");
button.addEventListener("click", function () {
  var script = document.createElement("script");
  script.onload = function () {
    // Do something with the chat script if needed
  };
  script.src = "https://chat.example.com/script.js";
  document.head.appendChild(script);
});

To check if your site uses third-party scripts you can use the Request Map Generator built by Simon Hearne (thanks to Jan Klimo). For Simple Analytics it looks like this:

[Image: Request Map of Simple Analytics]

In the diagram above you only see requests going to servers of Simple Analytics: simpleanalytics.com, simpleanalyticscdn.com, and simpleanalytics.io. The fat pink circle is our home page video which consumes the most bytes. We also use an external payment provider, but we only load the script when the client clicks on the signup, hence in this image you don’t see any external scripts.

Compare that to another SaaS like Intercom:

[Image: Request Map of Intercom]

There are many external scripts loaded from all kinds of different domains. I’m not saying this is good or bad, but it’s a good practice to double-check if all those external parties are needed. Run the Request Map Generator and see what services you don’t need.

Remember that all external parties can access the data being displayed on the page. If your visitors are logged in and see critical data, these external parties can see that as well.

Do not give too much power to your CDN provider

If you use a CDN you are giving them data about your visitors and the power to serve a different script than the one your visitors requested.

To prevent your CDN provider from tampering with the source of your scripts you can use Subresource Integrity (SRI; the integrity attribute on your scripts). You create a hash of the script’s contents and include it in the script tag via the integrity attribute. To generate the integrity hash you can use srihash.org.

<script src="https://cdn.example.com/script.js" integrity="sha384-..."></script>

The crossorigin content attribute on media elements is a CORS settings attribute. This is needed to load scripts from other domains (a CDN domain for example). The anonymous keyword means that there will be no exchange of user credentials via cookies and some other data between your website and other domains.

You specify it like this:
<script
  src="https://cdn.example.com/script.js"
  integrity="sha384-..."
  crossorigin="anonymous"
></script>

To avoid sending the CDN the URL of the page your visitors are viewing, you can add the referrerpolicy attribute with a no-referrer value to your script tags.

Show code example
<script
  src="https://cdn.example.com/script.js"
  integrity="sha384-..."
  referrerpolicy="no-referrer"
></script>

Although you are not sending the referrer here, the browser does send the Origin header with CORS requests. This means that your CDN provider still gets the domain where your visitors land on. If they record IPs they can track the browsing behavior of your visitors. This can only be solved by choosing a CDN provider that anonymizes the IP addresses. The only CDN provider that currently offers IP anonymization is BunnyCDN (we are not affiliated with BunnyCDN).

If you combine all the above features, the HTML will look similar to this:
<script
  src="https://cdn.example.com/script.js"
  integrity="sha384-..."
  crossorigin="anonymous"
  referrerpolicy="no-referrer"
></script>

If you add scripts dynamically you can specify the above features as properties. The properties are case sensitive.

Both crossOrigin and referrerPolicy have one capital letter in them:
var script = document.createElement("script");
script.src = "https://cdn.example.com/script.js";
script.integrity = "sha384-...";
script.crossOrigin = "anonymous";
script.referrerPolicy = "no-referrer";

Remove social widgets

Social media companies do not have a very good reputation for collecting data from your visitors. There are many plugins and ways to track users. Your visitors don’t choose to be tracked by those companies, you do.

If you are a visitor it’s recommended to use an ad blocker like uBlock Origin. It’s a well-developed browser extension that removes all trackers and ads from your visits. There is a giant on/off button to disable it for the site you are on. It makes your browsing experience safer.

Your visitors can do something about it themselves, but there will always be people that don’t know about this tracking or don’t know how to prevent it from happening. That’s why the EU came with the GDPR, California with the CCPA, Brazil with the LGPD, and the UK with PECR.


Photo by Daria Nepriakhina on Unsplash

On 29 July 2019, the Court of Justice of the European Union (the “CJEU”) ruled that a company embedding on its website a social plugin, such as a Facebook “Like” button, can be considered a data controller […] – fieldfisher.com

Although you are not in control of what those platforms behind your widgets do with the data from your customers, you are still responsible for what happens with this data.

Replace Facebook’s share button

When you add a Facebook widget like a share button, Facebook recommends you use their third-party scripts. This is great for them because they can collect more data about your visitors. Luckily they provide another way without the use of any scripts.

Here is an example with custom buttons and a simple share link. I highly recommend using the link implementation instead of any script implementation.

[Image: Facebook’s share button options, including the link implementation]

Link implementation explained

The link implementation is a simple link that opens the Facebook share page for your visitors. You can put the link behind a button or text link on your website. For example:

https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fexample.com%2F%3Futm_source%3Dfacebook&src=sdkpreparse

You see a lot of weird characters in that URL (link). That’s because the link is URL encoded. Use urlencoder.io to easily URL encode your website:

[Image: urlencoder.io output]

Prefix the output of urlencoder.io with https://www.facebook.com/sharer/sharer.php?u= and append &src=sdkpreparse behind it and you have your Facebook share link. Without the tracking and privacy-invasive data collection.

Twitter embedded tweets

On the internet you see the Twitter widget being used a lot. But is it needed to send the data from your visitors to Twitter when they just want to see a tweet? A screenshot works just fine:

[Image: screenshot of a tweet]

Don’t trick your visitors

Don’t trick your visitors into doing something they don’t want to do. It is sometimes useful to open your own website and follow your flow like a new customer would. Be aware of things that are unclear and of all the popups you see.

Cookie banners

When browsing the internet you will find many examples of websites trying to trick you into opting in to being tracked.

For example the home page of the New York Times. When you see a cross (X) you normally would close a dialog box without agreeing to what’s being asked. The New York Times just sees it the same as “I agree”:

[Image: cookie dialog on the New York Times home page]

Please don’t do this.

Emails

It’s related to “don’t trick your visitors”, but I want to spend a separate section on emails alone.

Marketing emails

If you have a business, there is great value in using the email addresses of your customers. Use them wisely to inform customers about new features, help them get around your tool, etc. It’s a perk for your business. But if you’re sending marketing emails to your customers, be sure they want to be subscribed. You can ask during signup if it’s okay for you to send them emails about your tool/service, or you ask if they are okay with you sending some setup guides or tips. If you specify how you are going to use their email, make sure you only use it for that purpose.

Email tracking

It’s harder to disable email tracking than to enable it. That’s why most marketing emails contain trackers. Open rates are considered inaccurate because clients disable images:

[…] an email is only counted as ‘opened’ if the recipient also receives the images embedded in that message, and a large percentage of your email users likely have image-blocking enabled on their email client. […] – blog.hubspot.com

Email images

When an image-heavy email doesn’t fully download and is viewed by the user, it could end up rendering like this for the subscriber:

[Image: email with blocked remote images]

Tweet found on a blog by Litmus

When you add images to your emails without embedding them, the emails can look very ugly. More and more email services will stop displaying email trackers and thus images as well. The new HEY.com service blocks the so-called tracking pixels. I guess that more will follow.

With Simple Analytics we love to share weekly and monthly email reports. When customers have enabled it we send them an email with all images embedded. No trackers or any remote images. No need to connect with anything outside their email client. Give them back the privacy they deserve.


Email reports feature of Simple Analytics

How to keep a good reputation

Another thing with marketing emails is the unsubscribe header. Make sure you have the header set up, as it improves your email reputation. The header could look like this:

List-Unsubscribe: <https://example.com/unsub/?uuid=14b2-b2a1>, <mailto:unsubscribe@example.com>

In a lot of email clients, the unsubscribe link is placed close to the spam button. You want people to unsubscribe instead of hitting the spam button to prevent damaging your reputation.

Where do you store your data

It’s important to store your data in a country that protects the privacy of its people and the people outside of the country. With Simple Analytics we moved our servers to Iceland when we figured that was the best country privacy-wise. According to Freedom House Internet Freedom Scores Iceland is still the best option:

[Image: Freedom House Internet Freedom Scores]

We later realized Iceland was not the best option provider-wise.

Here is why:
  1. The Icelandic Modern Media Initiative was adopted by parliament but didn’t make it into law (so it’s not the internet freedom haven we thought it was).
  2. Our provider claimed to be the largest in Iceland but it was not as mature as bigger providers in Europe, which risked the security of our servers and infrastructure.
  3. They had downtime twice this year.
  4. The internet cables to Iceland are rather slow. Although it’s geographically ideal — located between North America and Europe — in practice, The Netherlands is a faster location for both.
  5. We don’t want to move to Switzerland because it would be a marketing move only. The EU provides better privacy laws than Switzerland.
  6. We need to move anyway because our current provider does not offer the powerful servers we need.
  7. The second-biggest provider in Iceland is legally headquartered in Hong Kong, which is not a preferred location we want to store our data.

Copied from our docs page on locations.

We asked our customers if they would be okay with the move from Iceland to The Netherlands and everybody who voted agreed with our decision.

Be aware of where you put the data from your visitors. Do some research into the hosting provider you are using and the country where it’s hosted. Don’t pick the cheapest option without knowing why it’s cheap.

Do not log or ask for PII when not needed

It still happens that you need to enter personal details for a website or app that does not need them.

Don’t ask full names

Unless you really need it. Let people decide for themselves to add their full name. Just ask for a first name if you want to address people in your marketing emails, but don’t ask for a full name.

For people reading that are tired of coming up with fake names: there are plenty of services out there to help create a fake name.

IP anonymization

This part is rather technical so bear with me. If you are a manager please forward this to your developers. IP anonymization is the most logical thing to do on your servers when talking about privacy. Yet, there are not that many examples of how to do it. A lot of processes on your servers log data. For example, NGINX logs data about every request that comes in (it’s customizable). This is great for debugging but it’s less good for the privacy of your users. With NGINX you can’t format the error logs, so errors are always logged in the same format. This is very privacy-unfriendly because it contains the full IP address of the user and usually the User-Agent (which can contain unclear identifiers when using the Facebook app).

You can probably guess a few of the elements of this Facebook User-Agent suffix but it’s not all clear to me: [FBAN/FBIOS;FBAV/221.0.0.0.0;FBBV/154514034;FBDV/iPhone9,4;FBMD/iPhone;FBSN/iOS;FBSV/12.3.0;FBSS/3;FBCR/Siminn;FBID/phone;FBLC/en_GB;FBOP/5;FBRV/155138002] It does not look like they are tracking their users via the User-Agent suffix, but they tamper with the User-Agent at least.

Filters in syslog

Simple Analytics uses NGINX, which in our case logs to rsyslog, often referred to as syslog. rsyslog is often included in Linux distributions (official website). Luckily rsyslog comes with a great module called mmanon. This module can be used to filter both IPv4 and IPv6 addresses from rsyslog version 7.3.7 onward.

How to implement anonymization with rsyslog

On your server you can check which version of rsyslog you have by running rsyslogd -v.

You can enable IP anonymization by adding the following lines to your rsyslog config file. The config file usually lives in /etc/rsyslog.conf or /etc/rsyslog.d/50-default.conf .

module(load="mmanon")
action(type="mmanon" mode="zero" ipv4.bits="32" ipv6.bits="128")

After you have changed this file make sure to restart rsyslog with service rsyslog restart.

Next level syslog

If you want to go in depth you can set up some advanced filters to remove sensitive data within your log files or log services.

You could create a syslog config file in /etc/syslog/... . I created a file called /etc/rsyslog.d/30-anonymize.conf containing:

# Specify a custom format to anonymize your logs
$template anonymize,"%$year%-%$month%-%$day% %timegenerated:12:19:date-rfc3339% %app-name% %$!new%\n"

# This makes the template the default for all logs
$ActionFileDefaultTemplate anonymize

set $!new = $msg;

# Replace user agents
if re_match($msg,'(Mozilla\\/[0-9]\\.[0-9] [^"\']+)')
then {
  set $!ext = re_extract($msg,'(Mozilla\\/[0-9]\\.[0-9] [^"\']+)',0,1,"");
  set $!new = replace($msg, $!ext, "*** (user agent)");
}

You can do way more; in our config we hide IPs, credit cards, and user agents.

Use two-factor authentication

This one is more security-related than privacy, but it’s important either way.

If you want to secure the data of your users and prevent others from accessing their data, use a two-factor authentication system. Don’t use SMS. Use TOTP (Time-based One-time Password) which has lots of apps and integrations. It does not require internet connectivity and can be installed on multiple devices.

Conclusion

While working on Simple Analytics, I’m constantly fighting the status quo by finding privacy-friendly ways of handling visitor data. There are way too few guidelines on how to prevent tracking in your own business.

I hope this post makes the web a bit more privacy-friendly. Please let me know which tips I should add.

Written by Adriaan van Rossum (follow on Twitter)

