Hacker News | marichards's comments

For a little more detail about this: https://markalanrichards.com/posts/2023-09-10-data-access-te...

I wanted to explore the extent to which some significant UK websites include SRI of JavaScript assets.

Put together on a Sunday, needs work, curious about how best to check for CSP and whether I've missed other risks beyond just JavaScript not protected by SRI.


Not all of the adtech tracking has been removed and if you look around you may still find some.

I wonder what thoughts are regarding Google Analytics on forms like https://www.police.uk/ro/report/rsa/alpha-v1/v1/rape-sexual-...

It sets off the privacy extension I have installed, which could be a little disconcerting.


IANAL: If you were allowed to use GDPR under an exemption, perhaps abuse protection, is that the only purpose the data will be used for by yourself and GA?

If you, or a data processor you use, use the data for secondary purposes not covered by any exemption to opt-in consent, I believe you would have to get opt-in consent for those secondary purposes beforehand.

Note: the cookie law is the ePrivacy directive (and national interpretations like PECR) and it goes beyond GDPR in some ways, as the ICO states "Although cookies that process personal data give rise to greater privacy and security risks than those that process anonymous data, PECR apply to all cookies." ( https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a... )


I give up with Mozilla, switching to Brave.


Because they are less revenue-oriented and more interested in an open Internet than Mozilla? (They probably are not.) Maybe there are other reasons for your switch, but the citations you replied to don't explain or even justify that step at all.


I would not.

Firefox still invades the privacy of most users. 1. Install Firefox 2. Type privacy in the search bar 3. Google is now tracking you

It embraces dark patterns that invade privacy, whilst criticising other companies for their devices that invade privacy.

Mozilla need to understand how they are part of the problem before I'd start paying for them. As a privacy campaigner, should I pay for a product that invades it by default? It's hard to... I use them because they're the lesser evil.


I agree most of these don't appear necessary. Have you thought to contact the DPO, wait 28 days and, if no suitable response, contact the ICO?

Also, do you have a link to the EU court guidance?

From what I've read before, some functionally necessary and expected cookies don't need consent, but the user may have a right to be informed.

For instance, a login cookie might be fine, but arguably only if you have logged in - if it remains after you've logged out then that's a bit worrying.


This isn't just an issue of marketing wanting a Facebook Pixel.

In some cases, councils turned their websites into revenue streams and thus were being paid to include adverts on their site that tracked users browsing council content.

https://www.wokingham.gov.uk/website-advertising/


Ask residents whether they want this stopped if that means higher council tax and my bet is they'll all vote for as many ads as possible.


When you ask a resident if they want to be tracked by ad companies as they organise a funeral, they might think twice.

https://www.wokingham.gov.uk/births-deaths-and-marriages/dea...


I doubt it.

All of this tracking by ad companies is overblown in some circles but most of the public don't really care, especially if it helps keep their taxes down.


You can have targeted ads and be anonymous to the ad companies.

Ads can be targeted to context, not user - web developer ads on JavaScript blogs.

Ad profiling and targeting can be done client side.

Users could opt in to what they are targeted for to ensure it is the relevance they want. You will often find ad tracking technology on some very privacy invasive websites. I've seen it on HIV support, rape support, prayer, single parent dating, cancer advice, alcoholism, political party membership pages and many more; even tracking military intelligence recruitment. Are the relevant ads and infosec risks for these topics good for the user?

Tackling anonymised delivery and fraud prevention is a problem, but it's something that can be overcome by accepting it already happens and then minimising it through privacy-respecting methods like using auditors and testing, copying anonymisation protocols (maybe Tor), payment style validation (Brave?, zerocoin) and server side metrics.


> Users could opt in to what they are targeted for to ensure it is the relevance they want

So much this. I would turn my adblock off if I had a directory with checkboxes/weights against interesting product topics. I would even browse the topics themselves regularly, as I did in Google Directory before it was gone. I (and the economy) want me to discover, not to hide from the pushiest pushers around.

Modern marketing is just a slowpoke idiot who stalks me for two weeks after I already bought a <productname> via search.


For what it’s worth: it’s the same here and I only allow ads from Google and Facebook.

Google’s system isn’t perfect but I can x-out individual ads. I’m hoping that Google will move away from a purely embedding-based targeting system into something more deliberate.

Facebook has [1] which is the closest to what you are asking for, although not used nearly enough to justify more investment in improving it.

[1] https://www.facebook.com/ads/preferences/


For those who think the EU has strong data privacy laws, you might want to read what exemptions each country has.

I'm pretty confident the Brexit Party are still failing to meet privacy law, but to see this, following the Brexit mess with Cambridge Analytica, I'm left wondering ... did anything change?

Profiling – The Brexit Party aim to create and maintain a profile for each registered voter in the UK. We will do this by merging the Electoral Register(s) with other data that maybe lawfully available to us. For more detailed information about this type of processing, you may wish to read the ICO Draft framework code of practice for the use of personal data in political campaigning. If you wish, you can ask us not to maintain a profile in your name using the contact details above and we will take steps to remove you from our systems.


I don't have a problem with DNS-over-TLS, I don't know enough about it... but I'm afraid I want DNS from Firefox's perspective to be plaintext, transparent and easy for me to check and even change. Like the filesystem is.

Not just for me, easy for Privacy International to audit when verifying apps tracking, easy for OpSec on my work laptop and easy for my firewall tooling to intercept and manage.

I want the OS's network stack to transparently proxy that plaintext request to an encrypted one: which may well be DoH or DNS over TLS, just like filesystem drivers proxy plaintext file requests over encrypted hard disks.

Whether this is by a plaintext request over loopback, using the existing plaintext DNS protocol or a more efficient OS API, I'll happily leave evolution to resolve: but for now the plaintext protocol might be the fastest thing to proxy.

