Web Development and the GDPR
Published on August 31, 2018 (↻ October 22, 2024), filed under Development (RSS feed for all categories).
Who shares or presents code has a special responsibility, because for both the uninitiated and the quality-minded such code should be of a considerable standard. We’ve known this responsibility for ages, whether from ad networks with dubious pseudo-HTML to social media companies with invalidating gadget code to frameworks and libraries and polyfills and shims with their sometimes “plug & play don’t care” approach to web development.
With the European General Data Protection Regulation (GDPR), this has become even more important.
Where formerly, one often pointed to some third-party script or style sheet—e.g., https://code.jquery.com/jquery-3.3.1.slim.min.js or https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css—, we’re now confronted with another problem in that such simple hot-linking resources is clearer than ever a privacy issue for: everyone.
Why is that? Because blindly referencing foreign-origin URLs (that is, embedding resources without any referrer policy in place) exposes referrer information to those foreign origins, and with that means a privacy hazard. This is especially true with organizations in countries with lax privacy provisions, and with script or style providers who live off data, like Google or Facebook.
As such, then, what formerly looked user-friendly and innocent carries now even more weight. Not only be the ambition to offer quality code (which includes secure and fast code as well as, per my own taste, also minimal code), but also to be less suggestive, and indeed perhaps quite a little less usable, when it comes to plug-in play privacy cuts.
Figure: How easy it is to embed Kosugi. (Privacy? Alternatives?)
What should be done? Perhaps, as I suggested to Robert and Tim after a Google Developers Experts call, we could start with using local references in code samples, and providing the full URLs (and said privacy context) in footnotes. That might bring awareness and attention to the issue without making the samples unusable. Especially with huge enterprises like Google, any code sample comes off as a recommendation or even a best practice, and so Google and other major tech firms turning more mindful, and looking more closely at the matter of responsible code sharing, could set a great precedent.
Update (October 12, 2020)
A few months ago I outlined what good embed code rests on, and what developers and users of such code could pay attention to.
About Me
I’m Jens (long: Jens Oliver Meiert), and I’m a frontend engineering leader and tech author/publisher. I’ve worked as a technical lead for companies like Google and as an engineering manager for companies like Miro, I’m a contributor to several web standards, and I write and review books for O’Reilly and Frontend Dogma.
I love trying things, not only in web development (and engineering management), but also in other areas like philosophy. Here on meiert.com I share some of my experiences and views. (Be critical, interpret charitably, and give feedback.)
Read More
Maybe of interest to you, too:
- Next: A Short Guide to Minimal Web Development
- Previous: 37 Theses on CSS and Web Development
- More under Development
- More from 2018
- Most popular posts
Looking for a way to comment? Comments have been disabled, unfortunately.
Get a good look at web development? Try WebGlossary.info—and The Web Development Glossary 3K. With explanations and definitions for thousands of terms of web development, web design, and related fields, building on Wikipedia as well as MDN Web Docs. Available at Apple Books, Kobo, Google Play Books, and Leanpub.