Jan Thiel
November 09, 2014

WordCamp Warsaw 2014 - Data Privacy and why you really should matter

Giving away your customers' data has never been easier. Many "free" tools you can include are actually not that free, as you pay for them with the personal information of your users. Google Analytics, Facebook and other online marketing solutions have to be treated very carefully. Learn what actually happens behind the curtain and why WordPress site owners need to be aware of this.


Transcript

  1. „Data Privacy“ – What's that?
    • It's old
      – UN (Human Rights Charter): 1948
      – EU (EU Human Rights Convention): 1950
    • Your Data = Part of your private life
    • No one should store, process or do anything with your data without your agreement
    Jan Thiel - [email protected]
  2. „Data Privacy“ – What's that?
    • Should be mostly unified in the EU, but still differs considerably through local law
    • EU-wide amendment planned for 2015 (hopefully not falling behind today's standards)
    • Right now it's an „ideal“ we should fight for and not take for granted
  3. What to protect?
    • Everything that is related to a single individual:
      – Name
      – Address
      – Date of Birth
      – Sexual orientation
      – Family status
      – IP Address (?)*
      – Mail Address
      – … what's of value for you?
    * Will be clarified by the EU Court of Justice
  4. Protect from whom?
    • Criminals
    • Companies
    • Governments
    • Intelligence Agencies (NSA, GCHQ, KGB, …)
  5. The Atlantic Privacy „Gap“
    Understanding of Data Privacy:
    Focus:
    • National Security
    • Company Demands
    • Not handled by law
    Focus:
    • Protecting Rights of Individuals
    • Regulations
  6. Entering the „Safe Harbor“?
    • The EU Data Protection Directive FORBIDS transferring personal data of EU citizens to states with weaker data privacy laws
    • Exception: a company in such a country „honestly“ says it will follow EU data privacy regulations (not that anybody checks…) → „Safe Harbor“
  7. Why should we care?
    • No Safe Harbor (anymore) = you can get prosecuted
    • It's your data! If no one cares, (US) companies will impose their will through TTIP or the EU data privacy amendment
    • If you don't store data, no one can force you to give it away
  8. Why should we care?
    • You might send information about your visitors to Google, Facebook, etc.
    • There are countries that still persecute minorities (e.g. LGBT, political, beliefs)
    • If you don't care about your personal information, OK, but give others a choice!
  9. Having a choice matters!
    • Talking about the majority of people, who do not know about „NoScript“, „Tor“ or the like
    • They have no chance to hide from:
      – Google Fonts
      – Google Analytics / Piwik / Tracking Pixels
      – Externally included 3rd party libs
      – CDNs
      – Advertisement Targeting Cookies
      – Facebook Like Buttons / Like Box / Tweet Buttons / etc.
  10. Having a choice matters!
    • But offering a choice is possible!
      – Do not include Google Fonts externally
      – Only use locally stored files (Scripts, Styles)
      – Do not directly include external scripts unless the user actively wants to use the function („on click“)
      – Do not use Google Analytics but Piwik, with a clearly promoted „Opt Out Link“ and a fair config
      – Do not use CDNs (you never know where the data goes)
  11. Having a choice matters!
    • „2 Click Solution“ by „Heise“
      – Initially NO external scripts load
      – Clicking the button loads FB (e.g.)
      – Then the FB resources are loaded
      – The „real“ FB button is put into the page
    WP Plugin exists: https://wordpress.org/plugins/2-click-socialmedia-buttons/
  12. HTTP vs HTTPS and the friendly public WIFI Hotspot called “Trust me”
    • You like public hotspots?
      – Me too!
    • But:
  13. HTTP vs HTTPS and the friendly public WIFI Hotspot called “Trust me”
    • You like public hotspots?
      – Me too!
    • You know HTTP = everyone can read your data (and passwords)?
    • HTTPS adds secure (encrypted) transfer of data between anyone and your WordPress website
    • HTTPS certs do not have to be expensive to be secure
    • External resources should ALWAYS be included via HTTPS (if possible)
  14. HTTP vs HTTPS and the friendly public WIFI Hotspot called “Trust me”
    • HTTPS support is much better since WP 4.0* but still not complete
    • Many Themes and Plugins still fail badly:
    * https://make.wordpress.org/core/2014/06/11/ssl-taskforce/
    Code comes from one of the „Top 10 Best Paid WordPress Themes in 2013 by Forbes.com“
  15. HTTP vs HTTPS and the friendly public WIFI Hotspot called “Trust me”
    • How to fix in 1 sec:
    • Omit the protocol („http:“ or „https:“) … so easy!
    • The browser will figure out the right protocol!²
    ² Thank you RFC3986 from 2005 – See https://tools.ietf.org/html/rfc3986, Section 4.2
  16. WordPress and the Unicorns
    • Many WP Core Committers are from the US
    • Automattic = US based (try to ask them about Data Privacy in WP)
    • So? …
    • WE have to address our needs by contributing or requesting Data Privacy!
  17. Vanilla WordPress FTW?
    • Akismet included by default
      – Not legally usable in the EU with default settings and without a disclaimer (IP sent to US servers)
    • Google Fonts included by default
      – Where? → WP Admin, TinyMCE, TwentyXX Themes
      – Google knows all your WP installations!
      – Fun fact: Can be disabled in the language file
  18. WordPress makes it (too) easy to fail…
    • Plugins and Themes deliver EVERYTHING
    • E.g.:
      – Google Fonts
      – CDN includes
      – Easy Google Analytics (without the „anonymize IP“ flag)
      – Easy Facebook integration
      – Hard-coded HTTP includes
      – 3rd party scripts and functions (Sliders, TimThumb)
    • Do you know what your WordPress installation really does?
  19. WordPress makes it (too) easy to fail…
    • Transferring personal data to the US was never easier
    • Just install and activate one of these famous plugins:
      – Akismet
      – Jetpack
      – Google Analytics for WP
      – Leadpages
      – Mailchimp
      – …
    • You know that, right? But do your visitors know?
  20. Now What?
    • Personal Information = Highly Valuable
    • Give your visitors a choice
    • Although WordPress is „global“, the law is quite „local“. Works in US != Works in EU
    • Free is not „Free“ if you sell out your customer data
    • „Free“ can get quite expensive when being sued
  21. Now What?
    • The chance of being sued in data privacy cases is not very high
    • Keep in mind that US intelligence can access EVERYTHING you give to US based companies
    • Decide for yourself if aiding privacy is worth the effort
    • Do you care about your data privacy?
  22. Marriage Outlook
    • If you care about data privacy: Contribute knowledge or code!
    • Keep awareness of data privacy high (Snowden did a great job in the first place!)
    • WordPress Core IS getting better (bit by bit)
    • Plugins and Themes remain the pain point
    • YOU have to know what you install and what it does!
    • If you don't care → Your choice ☺
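
One way to answer slide 18's question ("Do you know what your WordPress installation really does?") for a single rendered page, as an added example that is not part of the deck: it lists the third-party hosts the page pulls resources from (slides 9 and 10) and the includes hard-coded to http:// (slides 14 and 18). The function names, the regex-based extraction and the sample markup are assumptions made for illustration.

```javascript
// Added example: report every resource a rendered page loads from another
// host and every include hard-coded to http://. Sample markup is constructed.
const RESOURCE_TAG = /<(script|link|img|iframe)\b[^>]*?\b(?:src|href)\s*=\s*["']([^"']+)["']/gi;

function auditPage(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const [, tag, raw] of html.matchAll(RESOURCE_TAG)) {
    let url;
    try { url = new URL(raw, page); } catch { continue; }   // skip unparsable values
    if (!/^https?:$/.test(url.protocol)) continue;            // ignore data:, mailto:, ...
    const issues = [];
    if (url.host !== page.host) issues.push("third-party");   // visitor's IP goes to this host
    if (/^http:\/\//i.test(raw)) issues.push("hard-coded-http");
    // "//host/path" (slide 15) copies the page's scheme, so it is only
    // encrypted when the page itself is served over HTTPS.
    if (raw.startsWith("//") && page.protocol === "http:") issues.push("inherits-http");
    if (issues.length) findings.push({ tag: tag.toLowerCase(), host: url.host, url: raw, issues });
  }
  return findings;
}

// Distinct external hosts a visitor's browser contacts when loading the page.
function thirdPartyHosts(findings) {
  const hosts = findings.filter(f => f.issues.includes("third-party")).map(f => f.host);
  return [...new Set(hosts)].sort();
}

// Constructed sample of what a theme might emit (not taken from a real site).
const SAMPLE_HTML = `
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans">
<link rel="stylesheet" href="/wp-content/themes/example/style.css">
<script src="http://cdn.example.net/slider.min.js"></script>
<script src="https://blog.example.org/wp-includes/js/jquery/jquery.js"></script>
<img src="http://blog.example.org/wp-content/uploads/logo.png">
<iframe src="https://www.facebook.com/plugins/like.php?href=x"></iframe>`;

const report = auditPage(SAMPLE_HTML, "https://blog.example.org/");
console.log(thirdPartyHosts(report));
console.log(report);
```

This only sees resources present in the delivered HTML; anything a script injects later needs a check of the browser's network log.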
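
The two-click flow from slide 11, as an added example that is not the Heise or plugin code: no vendor script is referenced until the visitor clicks a locally served placeholder. The `widget` descriptor, the element id and the `social.example` URL are hypothetical.

```javascript
// Added example of the two-click pattern (not the Heise plugin's code).
// `widget` is a hypothetical descriptor: { name, src, render(placeholder) }.
function armTwoClick(doc, placeholder, widget) {
  const vendorHost = new URL(widget.src).host;
  let requested = false;
  // Step 1: the page ships only this local placeholder. Nothing is fetched
  // from the vendor, so the vendor sees neither the visitor's IP nor cookies.
  placeholder.textContent = `Enable ${widget.name} (connects to ${vendorHost})`;

  function onClick() {
    if (requested) return;              // a double click must not load it twice
    requested = true;
    placeholder.removeEventListener("click", onClick);
    // Step 2: the visitor opted in, so the vendor script is fetched now.
    const script = doc.createElement("script");
    script.src = widget.src;
    script.async = true;
    // Step 3: once loaded, the placeholder is swapped for the real button.
    script.onload = () => widget.render(placeholder);
    script.onerror = () => { placeholder.textContent = `${widget.name} could not be loaded`; };
    doc.head.appendChild(script);
  }
  placeholder.addEventListener("click", onClick);
  return () => requested;               // lets callers check whether the opt-in happened
}

// Browser wiring; the element id and URL are constructed placeholders.
if (typeof document !== "undefined") {
  const el = document.getElementById("share-placeholder");
  if (el) armTwoClick(document, el, {
    name: "Example Share",
    src: "https://social.example/sdk.js",
    render: (node) => { node.textContent = ""; /* vendor SDK draws its button here */ },
  });
}
```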