Building Websites That Protect User Privacy

Squiggy Rubio


This session will provide an overview on how to protect user privacy, including avoiding sharing website visitor traffic outside of your organization.

If you're using Drupal, you have architected a website to store data securely with Drupal’s robust permissions, access checks and security best practices. However, your website loads third party scripts, which can share your visitor traffic with one or more outside organizations. Why build a highly secure website, while also sharing all your visitors’ traffic outside your organization? Unless your organization’s business model relies on ads, it’s entirely possible to build your website in a way that avoids sharing your website visitor traffic with third parties.

Protecting website visitor privacy can be improved by starting with the following set of questions:

Do you really need all those third party scripts on your website? Can you reproduce the functionality of third party script in house?

Do you really need to load fonts from another server? Can you download them and install them on your own server?

If analytics is an important requirement for your organization, would it be possible to invest in hosting your analytics tools in house?

Are there tools for anonymizing server logging for your particular CMS or server?

CDNs are great for improving performance for your website, but do you trust them not to share visitor traffic? Would it be possible to host these files on a server you control instead?

What you’ll learn in this session:

You’ll come away with a renewed sense of urgency for protecting website user privacy, including website visitor traffic

You will learn what third party scripts are, how they share user data outside your organization, how they are a source of security vulnerabilities, and some ways to avoid using them

You will learn about HTTP Strict Transport Security (HSTS)

You will learn what information Drupal logs from users and options to avoid tracking this information

You’ll learn what information servers log about visitors and options to anonymize this information

https://2020.badcamp.org/session/building-websites-protect-user-privacy

Drupal is a registered trademark of Dries Buytaert.