Hi all,
On 05/16/2018 05:18 PM, Kevin Gallagher wrote:
Hey Gunner,
I got the reply. Sorry, I thought I responded. This is going to be a great start for me!
Thanks Kevin and Gunner for going through this idea. I have been thinking about this lately and I have decided to share a few points.
On 05/15/2018 07:59 PM, Allen Gunn wrote:
Hi Kevin,
Thanks so much for reviving this thread and thinking.
Don't know if you got my reply from earlier this week, but I repopulated the etherpad from January,
When we started doing the Tor styleguide we thought a lot about how to design things in a way that could be Tor and privacy friendly over all. For example we tried to limit JavaScript and always test the no-JS version in order to guarantee an almost seamless experience between the two. But this is not the only thing that makes a website Privacy friendly, and noticing you have a few open questions in the pad, I will try to add a few more ideas.
Things that are bound to break the design are certainly the following: - Importing styles (CSS) and fonts from third parties (like google fonts and other cdn) - Embedding content from third parties (like media and videos, but also page previews) - Maybe content can be processed server-side first or linked statically. - PDFs (/me thinks) could be generally considered ok if can be opened within the Tor browser reader - Do not ask to share location - Canvas is ok if implemented properly (I have seen your points on the pad), but personally I would avoiding it. My take is that anything that should ask for consent is generally a bad practice.
I have seen you mention that vector images do not render (SVG), so the appropriate media queries and image qualities should be used instead - maybe this is actually something we could implement in our styleguide and could benefit other people directly.
Another thing that could be considered is that we (tor, tails, a few other orgs) do not log IPs nor User Agent infos. There have been a few projects started regarding privacy friendly logs. This could be something worth exploring again. Also some don't even understand the rationale behind this. A related project could be about privacy-friendly web analytics. Some install and use Matomo (https://matomo.org/) but it is worth mentioning that if you log anything you will end up with a lot of user data.
One more interesting point is that, because of the GDPR, some website have been offering a text only version and some people have been doing performance measurements of these lean pages. The results are amazing, some news site have been reduced from approx 5MB to 500KB or less. A follow up to this - a bit of a stretch maybe - could be trying to involve an audience that wouldn't even consider all these points when developing a website, by evaluating common JS libraries and framework to see how they perform.
I think this effort could also be a practical way for people to understand how Tor can protect them on the web. An example is this article about link shims and privacy badger (https://www.eff.org/deeplinks/2018/05/privacy-badger-rolls-out-new-ways-figh...). This is already blocked by Tor browser in high security mode.
Talk soon, -hiro