Naked Security Naked Security

EDRi’s guidelines call for more ethical websites

Recommendations cover areas including security and privacy while listing alternatives to free online services that slurp your users' data.

Most of us want to be good online citizens. That includes developing websites that have their visitors’ best interests at heart. Yet there are so many ways to get that wrong. Even a slight misstep could put visitors’ privacy or security at risk, or exclude people that might be less able than others. How can you know if you’re doing it right?
Enter European Digital Rights (EDRi), a collection of human rights groups across Europe, which has published a set of guidelines for ethical website development. It explains:

The goal of the project, which started more than a year ago, was to provide guidance to developers on how to move away from third-party infected, data-leaking, unethical and unsafe practices.

The document lists recommendations covering areas including security and privacy while listing alternatives to free online services that slurp up users’ data.
One recommendation is to host your own resources as much as possible. That means avoiding call-outs for things like third-party cookies, and avoiding frames with third-party content. It also means avoiding call-outs for CSS files, images, font files, and JavaScript libraries.
The document adds:

If downloading a resource, such as a JavaScript or font file, is not allowed by the terms of its provider, then they may not be privacy-friendly and should therefore be avoided.

It calls out large tech firms as companies offering services that ethical web developers should avoid, and provides a list of alternatives in areas including analytics, video players, and online maps. It points readers to Prism Break, a list of alternative online services that don’t track their users.
When it comes to security, a site can use DNSSEC to authenticate DNS queries, says the doc, also recommending HTTPS. It also asks website owners to provide a Tor-compatible version of their site using the Tor publishing tool Onionshare.

EDRi also includes website accessibility as a key ethical principle. It points to accessibility guidelines for developers, and also advises against the use of CAPTCHAs, arguing that they often make it more difficult for people with disabilities to access a site. Some CAPTCHAs also collect personally identifiable information about visitors, the organisation warns. If you’re going to use them, then at least use a simple version that doesn’t load external JavaScript, it says.
In general, the document seems to take a dim view of JavaScript. It stops short of advising against its use entirely but warns developers to think carefully about accessibility. Ideally, you’d build a specific non-JavaScript version of a site and then add JavaScript-based features on top of it. This enables you to respect <noscript> tags, it adds.
Following a lot of these guidelines would make it challenging to support some advertising business models on a site. But then, the document doesn’t want its readers to support tracker-based models, which some say are out of control. Instead of condemning advertising altogether, it points to alternatives, specifically ReadTheDocs’ ethical advertising model (which is a low-tech approach that eschews trackers).
There are some other aspects of this ethical web development guideline that developers might find difficult to follow to the letter. If your website accesses a JQuery library online to always ensure you’re using the latest version, that would seem to be a fail under these rules. One way around it could be to use Subresource Integrity (SRI), says the document. This uses a cryptographic hash that the downloader specifies to ensure the integrity of a file.
One notable omission from EDRi is the matter of dark patterns, which are user interface and language constructs that force users down a certain path. Lawmakers have called for tech firms to ban these tricks, which in the wrong hands can persuade website visitors to give up privacy rights, make purchases, or avoid cancelling subscriptions. While they make an appearance on websites, they’re especially common on mobile apps, which is a category that could also benefit from a set of ethical guidelines like this one.
This set of guidelines does its best to provide alternatives to services that contravene its ethical rules. For example, it points people to different services than Google Fonts, which EDRi explains requires web developers to buy into Google’s privacy policy. It will take some work for many developers to reconfigure their sites to fit these guidelines, but EDRi has laid out the steps and explained why it’s important. It’s a project that developers may choose to implement over a longer period.

Leave a Reply

Your email address will not be published. Required fields are marked *