Onebox Iframe/Cookies e.g. Vimeo (GDPR)

I totally like the QoL oneboxes bring to the Discourse users. However, I stumbled upon the following ‘issue’:

  • While Youtube for example is embedded via LazyYT and therefore doesn’t load the iframe and attached cookies until the user presses play, this functionality seems to be absent for every other player onebox.
  • Vimeo for example loads the entire iframe, player and cookies on page load

Therefore my question: Is it planned to replicate the LazyYT functionality on other oneboxes like Vimeo, or what would be the best way to go about it on my own? I am aware that I am able to simply blacklist Vimeo and the like, which should only be my last resort, though.

I know it is debatable if this is necessary to comply with GDPR, but nonetheless I think better control over embedded 3rd party content would be worthwhile as the LazyYT example shows to some extent.

6 Likes

I know we are all dealing with lots of GDPR edge cases, but not sure what the Iframe risk is? AFAIK Iframe cannot access parent cookies?

I may be wrong of course…

3 Likes

As I see it, every one of those iframes transfers the IP and loads third-party non-essential cookies for every user (also unregistered ones) before they are able to agree with that.

Apart from that especially topics with multiple embeds could run into performance issues when for example 10 players are loading at the same time.

LazyYT does it pretty fine I think, and Preview in post creation. (Option for a 3rd party hint on top of the preview image could be helpful, too)

2 Likes

I’ve noticed a few European websites now let the user decide whether they want to see embedded content. This is especially useful for sites that are known to follow you around the web and build a profile even if you haven’t signed up with them. I’d like to give community members that kind of control over their privacy.

✅ show content from Facebook

Something like this near every embed or in the user preferences might be too much for some, though. A more seamless alternative could be Embetty:
https://github.com/heiseonline/embetty

5 Likes

Have you found a solution to implement this in Discourse? I would also be interested in it.

No, I haven’t tried because of a severe lack of skills.

1 Like

Maybe a first simple step would be to implement a general option in the user settings to enable/disable 3rd party content, activating/deactivating the onebox feature on a per user base?

We are also craving an option like this, but are not really able to implement it.

2 Likes

Unfortunately that is not enough, as anonymous traffic also falls under GDPR.

This is what most websites do currently in the EU:

Before clicking the switch:

After clicking the switch:

2 Likes

I found this topic after concerns have been raised by our users. Discourse loads content from Youtube (the image of the video) without the users consenting… Also we cannot show any information to the user about what it means when he/she clicks on the video. So I doubt this is valid consent to transmit information to Youtube, as Discourse will load more scripts etc. from Youtube.

Is there any solution to make Discourse GDPR compliant other than deactivating OneBoxing?

Strictly speaking, also embedding images from third party URLs is problematic. Can this even be disabled?

1 Like

With YouTube there are no issues per se with GDPR. Just tell users that the 3rd party is responsible for following GDPR — which they actually have to do, and Youtube/Google actually do. Same thing you have to do with Analytics, for example. TikTok is a much bigger question mark.

With images you aren’t leaking personal data AFAIK.

Sorry, but no. It isn’t that simple.

If a website makes the browser request resources from a 3rd party, the IP is (for unavoidable reasons) transmitted to this 3rd party. And the operator of this website is made responsible for that data transfer. As the IP can be used to identify individuals, it is protected by GDPR.

That’s why websites make sure they host fonts on their own server instead of referencing them from Google Fonts. Just the first hit from Google: Google Fonts and GDPR: How to Stay Compliant? - CookieYes

Yes, it is that simple. And IP is not protected, because it is useless to identify a person. It is part of technical data that is always allowed to use and store as long as needed.

Not sure in which jurisdiction you live, but in mine courts have ruled already that using Google Fonts without user consent is not compliant with GDPR.

As far as I know, this is a valid concern. It’s been asked about before on Meta: Embed YouTube videos with enhanced privacy mode (youtube-nocookie.com). It’s also something that I’ve tried to help site owners with via private support in the past.

There are some details in the link I posted above about the alternate youtube-nocookie.com domain. It would be possible for Discourse Youtube oneboxes to give an option to embed videos from this domain. The response from the Discourse team in that topic indicates why this hasn’t been implemented yet.

It might be worth noting that even with the youtube-nocookie.com domain, Youtube still sets tracking cookies on the browser, it just doesn’t set cookies related to marketing.

Searching the web for examples of sites that have implemented embedded Youtube videos in a GDPR compliant way, the best I’ve found is this: YouTube and Vimeo without Cookies | CookieTractor. It’s from a company that runs a cookie management service, so possibly that biases the article. What’s interesting about it is the Youtube video demo. To try it out, click the page’s “your cookie settings” link and reload the page. It’s worth trying out the three possible cookie options to see how things are handled.

Something similar could be implemented by Discourse. Trying to integrate Discourse with third party cookie management systems is a pain.

Note that I don’t have any strong opinions about this and don’t live in the EU. I’m responding here because I know it’s something that site owners are concerned about and have struggled to implement by using external services.
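The two ideas that recur in this thread, a consent switch shown in place of the player (the "show content from Facebook" checkbox and the before/after screenshots above) and embedding YouTube from the youtube-nocookie.com domain, can be combined in one small client-side helper. The code below is an added example written for this thread; it is not Discourse code, not part of LazyYT or Embetty, and the class names, the provider table and the placeholder wording are assumptions. It keeps the provider URL in a `data-src` attribute and only creates the real `<iframe>` after the user clicks, so no request (and therefore no IP address or cookie) reaches the third party before that click. The URL rewrite to youtube-nocookie.com is applied on the way in; as noted above, that domain still sets some cookies, so the click gate is the part that actually prevents the transfer.

```javascript
// Added example: consent-gated third-party embeds (not Discourse's own code).
// Assumed provider table: hostnames of embed iframes we want to gate.
const PROVIDERS = {
  'www.youtube.com': 'YouTube',
  'youtube.com': 'YouTube',
  'www.youtube-nocookie.com': 'YouTube',
  'player.vimeo.com': 'Vimeo',
};

// Rewrite YouTube embed URLs to the privacy-enhanced domain mentioned in
// the thread. Other providers are returned unchanged.
function privacyEnhancedUrl(src) {
  const url = new URL(src);
  const isYouTube = url.hostname === 'www.youtube.com' || url.hostname === 'youtube.com';
  if (isYouTube && url.pathname.startsWith('/embed/')) {
    url.hostname = 'www.youtube-nocookie.com';
  }
  return url.toString();
}

// Return the human-readable provider name, or null for unknown/invalid URLs.
function providerFor(src) {
  try {
    return PROVIDERS[new URL(src).hostname] || null;
  } catch {
    return null;
  }
}

// Escape text before placing it in an attribute or text node, so a crafted
// embed URL cannot break out of the placeholder markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the placeholder shown instead of the player. The provider URL is
// stored in data-src only; nothing is fetched from the provider yet.
function placeholderHtml(src, width = 640, height = 360) {
  const provider = providerFor(src) || new URL(src).hostname;
  const safeSrc = escapeHtml(privacyEnhancedUrl(src));
  const w = Number(width) || 640;
  const h = Number(height) || 360;
  return (
    `<div class="consent-embed" data-src="${safeSrc}" data-provider="${escapeHtml(provider)}"` +
    ` style="width:${w}px;height:${h}px">` +
    `<p>This content is hosted by ${escapeHtml(provider)}. Loading it sends your IP address` +
    ` to them and may set cookies.</p>` +
    `<button type="button" class="consent-embed-load">Show content from ${escapeHtml(provider)}</button>` +
    `</div>`
  );
}

// Replace every known third-party iframe inside `root` with a placeholder.
// Run this on a fragment that is not yet attached to the document (e.g. when
// the post HTML is rendered); once an iframe is attached, the request has
// already been made and gating it is too late.
function gateEmbeds(root) {
  for (const iframe of Array.from(root.querySelectorAll('iframe[src]'))) {
    if (!providerFor(iframe.getAttribute('src'))) continue; // leave unknown iframes alone
    const tmp = document.createElement('div');
    tmp.innerHTML = placeholderHtml(iframe.getAttribute('src'), iframe.width, iframe.height);
    iframe.replaceWith(tmp.firstElementChild);
  }
}

// Create the real iframe on click: this is the moment the third-party
// request actually happens, after the user has opted in.
function loadEmbed(placeholder) {
  const iframe = document.createElement('iframe');
  iframe.src = placeholder.dataset.src;
  iframe.width = parseInt(placeholder.style.width, 10) || 640;
  iframe.height = parseInt(placeholder.style.height, 10) || 360;
  iframe.setAttribute('allowfullscreen', '');
  iframe.setAttribute('referrerpolicy', 'strict-origin-when-cross-origin');
  placeholder.replaceWith(iframe);
}

// Browser wiring; skipped when run outside a browser (e.g. in a test).
if (typeof document !== 'undefined') {
  document.addEventListener('click', (e) => {
    const btn = e.target.closest('.consent-embed-load');
    if (btn) loadEmbed(btn.closest('.consent-embed'));
  });
}
```

`placeholderHtml` is the piece a server-side hook would emit in place of the onebox iframe; `gateEmbeds` and `loadEmbed` show the same transformation and its reversal on the client. A per-provider "remember my choice" setting (the user-preference idea raised earlier in the thread) would sit in `loadEmbed`, for example by writing the provider name to `localStorage` and letting `gateEmbeds` skip providers already accepted.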