My new blog post might of interest to anyone running websites / developing apps for people in the UK:
-
You might be interested, in particular, in the ICO's examples relating to:
* third-party hosted fonts; and
* CSS (and other technologies) which adjust a site based on a user's preferences
which, the ICO asserts, require notice and the chance to object / opt-out.
@neil Note the CSS thing explicitly says 'Detecting preferences on the subscriber's or user's operating system' - not about your choice within your webpage; so it's saying you can't detect that the preferences for the system are dark mode/huge font/big monitor and transmit that data to you as a provider without permission.
-
@neil Note the CSS thing explicitly says 'Detecting preferences on the subscriber's or user's operating system' - not about your choice within your webpage; so it's saying you can't detect that the preferences for the system are dark mode/huge font/big monitor and transmit that data to you as a provider without permission.
@penguin42 That is one possible interpretation, but not the only one.
-
You might be interested, in particular, in the ICO's examples relating to:
* third-party hosted fonts; and
* CSS (and other technologies) which adjust a site based on a user's preferences
which, the ICO asserts, require notice and the chance to object / opt-out.
@neil Is it possible they were intending to target third party fonts loaded via JS and accidentally went too broad?
-
@penguin42 That is one possible interpretation, but not the only one.
@penguin42 I say this because "detecting" does not appear in the legislation, but the legislation covers both storage and access to information stored.
Put another way, the ICO could be a lot clear in its example
-
> Another wrinkle, CSS and especially fonts, can come from other third parties.
The blogpost expressly addresses third party fonts!
-
> Another wrinkle, CSS and especially fonts, can come from other third parties.
The blogpost expressly addresses third party fonts!
That's why I deleted.
-
@neil over here (Germany specifically) third-party hosted fonts have been a regular topic, a few years back a court awarded someone damages for a site using Google Fonts without informing them.
The "adjust based on user preferences" part I would have thought the intent would be something like "you can store the preference (e.g. if the user uses an option on your site to increase font size), and if doing so leads to more stuff being loaded tell them" but it isn't really clear
i'd guess CSS can be used to deduct uniquely fine-grained identifying aspects of one's computing environment, serving as some sort of super-cookie
-
-
-
My new blog post might of interest to anyone running websites / developing apps for people in the UK:
# An overview of the UK's updated laws on storing information in someone's terminal equipment, and accessing information stored in someone's terminal equipment
Catchy. But useful (I hope).
I must admit that - as you'll see towards the end - some of this baffles me.
An overview of the UK's updated laws on storing information in someone's terminal equipment, and accessing information stored in someone's terminal equipment
The UK’s law on storing information on someone’s terminal equipment, and accessing information stored in someone’s terminal equipment, has changed.
(decoded.legal)
@neil Just on the bit where you say "CSS based on the user’s settings... zero degree of privacy intrusion: it works solely based on a user’s choice of settings, and it happens entirely locally, on the user’s device" I'd say that's true if both the dark and light CSS has gone to the user and you're doing an @ query. But if you did, say:
<link rel="stylesheet" media="(prefers-color-scheme: dark)" href="dark.css"> then I think there's a dependent remote request. Which is different. -
@neil Just on the bit where you say "CSS based on the user’s settings... zero degree of privacy intrusion: it works solely based on a user’s choice of settings, and it happens entirely locally, on the user’s device" I'd say that's true if both the dark and light CSS has gone to the user and you're doing an @ query. But if you did, say:
<link rel="stylesheet" media="(prefers-color-scheme: dark)" href="dark.css"> then I think there's a dependent remote request. Which is different.@slowe Interesting - I have not seen it done that way before.
I agree that there is a difference there, technically.
I am still sceptical that that is really sufficient to warrant imposing a regulatory obligation and a banner, since it is just giving effect to a user's preference for dark mode?
-
@slowe Interesting - I have not seen it done that way before.
I agree that there is a difference there, technically.
I am still sceptical that that is really sufficient to warrant imposing a regulatory obligation and a banner, since it is just giving effect to a user's preference for dark mode?
@neil Yep. In fact, despite my zealousness about privacy, I think "dark mode" is something the user has choosen to "present" to the world at a system/browser level, in advance, so they've already made that decision before visiting a website. So, although I'm saying different resources get asked for, I think this is based on a choice that already happened.
-
@neil Yep. In fact, despite my zealousness about privacy, I think "dark mode" is something the user has choosen to "present" to the world at a system/browser level, in advance, so they've already made that decision before visiting a website. So, although I'm saying different resources get asked for, I think this is based on a choice that already happened.
@slowe Yes, I think that that is where I come down on this one too.
-
R relay@relay.infosec.exchange shared this topic
