Upgrade to Pro — share decks privately, control downloads, hide ads and more …

WordCamp Warsaw 2014 - Data Privacy and why you really should matter

6574ee7c61e5e961ba64928fad6615e5?s=47 Jan Thiel
November 09, 2014

WordCamp Warsaw 2014 - Data Privacy and why you really should matter

Giving away your customers data was never easier. Many "free" tools you can include are acutally not that free as you pay them with personal information of your users. Google Analytics, Facebook and other Online Marketing solutions have to be treated very carefully. Learn what acutally happens behind the curten and why WordPress site owners need to be aware of this.

6574ee7c61e5e961ba64928fad6615e5?s=128

Jan Thiel

November 09, 2014
Tweet

More Decks by Jan Thiel

Other Decks in Technology

Transcript

  1. WordPress and Data Privacy … a troubled marriage WordCamp Poland

    2014 Jan Thiel - jan@WeLoveWP.eu
  2. „Data Privacy“ – What‘s that? • It‘s old – UN

    (Human Rights Charta): 1948 – EU (EU Human Rights Convention): 1950 • Your Data = Part of your private life • No one should store, process or do anything with your data without your agreement Jan Thiel - jan@WeLoveWP.eu
  3. „Data Privacy“ – What‘s that? • Should be mostly unified

    in EU but still quite different through local law • EU wide novel planed for 2015 (hopefully not moving behind todays standards) • Right now it‘s an „ideal“ we should fight for and not take it as granted Jan Thiel - jan@WeLoveWP.eu
  4. What to protect? • Everything that is related to a

    single individual Jan Thiel - jan@WeLoveWP.eu Name Address Date of Birth Sexual orientation Family state IP Address (?)* Mail Address … what‘s of value for your? * Will be clarified by the EU Court of Justice
  5. Protect from who? • Criminals • Companies • Gouvernments •

    Intelligence Agencies (NSA, GCHQ, KGB,…) Jan Thiel - jan@WeLoveWP.eu
  6. The Atlantic Privacy „Gap“ Understanding of Data Privacy: Jan Thiel

    - jan@WeLoveWP.eu Focus: • National Security • Company Demands • Not handled by law Focus: • Protecting Rights of Individuals • Regulations
  7. Entering the „Safe Harbor“? • EU Data Protection Directive FORBIDS

    to transfer personal data of EU citizens to states with weaker data privacy laws • Exception: Company in such Country „honestly“ says they will follow EU data privacy regulations (not that anybody checks…)  „Safe Harbor“ Jan Thiel - jan@WeLoveWP.eu
  8. Jan Thiel - jan@WeLoveWP.eu

  9. Why should we care? • No Safe Harbor (anymore) =

    you can get prosecuted • It‘s your data! If no one cares, (US) companies will force their will with TTIP or the EU data privacy novel • If you don‘t store data, no one can force you to give it away Jan Thiel - jan@WeLoveWP.eu
  10. Why should we care? • You might send information of

    your visitors to Google, Facebook, etc. • There are countries that still chase minorities (e.g LGBT, political, believes) • If you don‘t care for your personal information - ok - but give others a choice! Jan Thiel - jan@WeLoveWP.eu
  11. TECHNICAL ASPECTS YOU SHOULD KNOW ABOUT Getting to the interesting

    parts… Jan Thiel - jan@WeLoveWP.eu
  12. Having a choice matters! • Talking about the majority of

    people who does not know about „NoScript“, „Tor“ or such • They have no chance to hide before: – Google Fonts – Google Analytics / Piwik / Tracking Pixels – Externally included 3rd party libs – CDNs – Advertisment Targeting Cookies – Facebook Like Buttons / Like Box / Tweet Buttons / etc Jan Thiel - jan@WeLoveWP.eu
  13. Having a choice matters! • When a visitor opens your

    Website, Data flows… Jan Thiel - jan@WeLoveWP.eu
  14. Example: TheNews.pl • At page load included external content Jan

    Thiel - jan@WeLoveWP.eu
  15. Having a choice matters! • But offering a choice is

    possible! – Do not include Google Fonts externally – Only use local stored files (Scripts, Styles) – Do not directly include external scripts unless the user actively wants to use the function („on click“) – Do not use Google Analytics but Piwik with clearly promoted „Opt Out Link“ and fair config – Do not use CDNs (you never know where data go) Jan Thiel - jan@WeLoveWP.eu
  16. Having a choice matters! • „2 Click Solution“ by „Heise“

    – Initially NO external Scripts load – Click their buttons loads FB (e.g.) – Then the FB resources are loaded – „real“ FB button put into page WP Plugin exists: https://wordpress.org/plugins/2-click-socialmedia-buttons/ Jan Thiel - jan@WeLoveWP.eu
  17. HTTP vs HTTPS and the friendly public WIFI Hotspot called

    “Trust me” • You like public hotspots? – Me too! • But: Jan Thiel - jan@WeLoveWP.eu
  18. HTTP vs HTTPS and the friendly public WIFI Hotspot called

    “Trust me” • You like public hotspots? – Me too! • You know HTTP = everyone can read your Data (and passwords)? • HTTPS adds secure (encrypted) transfer of data between anyone and your WordPress Website • HTTPS Certs do not have to be expensive to secure • External Resources should ALWAYS be included via HTTPS (if possible) Jan Thiel - jan@WeLoveWP.eu
  19. HTTP vs HTTPS and the friendly public WIFI Hotspot called

    “Trust me” • HTTPS support is much better since WP 4.0* but still not complete • Many Themes and Plugins still fail very lousy: Jan Thiel - jan@WeLoveWP.eu * https://make.wordpress.org/core/2014/06/11/ssl-taskforce/ Code comes from one of the „Top 10 Best Paid WordPress Themes in 2013 by Forbes.com“
  20. HTTP vs HTTPS and the friendly public WIFI Hotspot called

    “Trust me” • How to fix in 1sec: • Omit Protocol „http:“ or „https:“ … so easy! • Browser will figure out right protocol!² Jan Thiel - jan@WeLoveWP.eu ² Thank you RFC3986 from 2005 – See https://tools.ietf.org/html/rfc3986, Section 4.2
  21. WordPress and the Unicorns • Many WP Core Commiters are

    from US • Automattic = US based (try to ask them about Data Privacy in WP) • So? … • WE have to address our needs by contributing or requesting Data Privacy! Jan Thiel - jan@WeLoveWP.eu
  22. Vanilla WordPress FTW? Jan Thiel - jan@WeLoveWP.eu

  23. Vanilla WordPress FTW? • Akismet included by default – Not

    legaly usable in EU with Default Settings and without disclaimer (IP sent to US servers) • Google Fonts included by default – Where?  WPAdmin, TinyMCE, TwentyXX Themes – Google knows all your WP Installations! – Fun fact: Can be disabled in language file Jan Thiel - jan@WeLoveWP.eu
  24. WordPress makes it (too) easy to fail… Jan Thiel -

    jan@WeLoveWP.eu
  25. WordPress makes it (too) easy to fail… • Plugins and

    Themes deliver E V E R Y T H I N G • E.g: – Google Fonts – CDN Includes – easy Google Analytics (without the „anonymize IP“ flag) – Easy Facebook Integration – hard coded HTTP includes – 3rd party scripts and functions (Sliders, TimThumb) • Do you know what your WordPress Installation really does? Jan Thiel - jan@WeLoveWP.eu
  26. WordPress makes it (too) easy to fail… • Transfering Personal

    Data to US was never easier • Just install and activate one of these famous plugins: – Akismet – Jetpack – Google Analytics for WP – Leadpages – Mailchimp – … • You know that, right? But does your visitors know? Jan Thiel - jan@WeLoveWP.eu
  27. COUNSELORS GUIDANCE ON GETTING THE MARRIAGE FIXED Still listening? Awesome

    ☺ Jan Thiel - jan@WeLoveWP.eu
  28. Now What? • Personal Information = Highly Valuable • Give

    your visitors a choice • Although WordPress is „global“ – the law is quite „local“. Works in US != Works in EU • Free is not „Free“ if you sell out your customer data • „Free“ can get quite expensive, when being sued Jan Thiel - jan@WeLoveWP.eu
  29. Now What? • Chance of being sued for data privacy

    cases is not quite high • Keep in mind that US intelligence can access EVERYTHING you give to US based companies • Decide for yourself if aiding privacy is worth the effort • Do you care for your data privacy? Jan Thiel - jan@WeLoveWP.eu
  30. Marriage Outlook • If you care for data privacy: Contribute

    knowledge or code! • Keep Awareness for data privacy high (Snowden did a great job in the first place!) • WordPress Core IS getting better (bit by bit) • Plugins and Themes remain the pain point • YOU have to know what you install and what it does! • If you don‘t care  Your choice ☺ Jan Thiel - jan@WeLoveWP.eu
  31. Jan Thiel Jan@WeLoveWP.eu Founder & IT Ninja @ WirLiebenWP –

    Managed WordPress Hosting Jan Thiel - jan@WeLoveWP.eu