Ticket #258 (closed enhancement: fixed)

Opened 5 years ago

Last modified 4 years ago

Write and publish a cookies statement

Reported by: ed
Owned by: ed
Priority: blocker
Milestone: Production
Component: Drupal modules & settings
Keywords:
Cc: chris, jim
Estimated Number of Hours: 0.0
Add Hours to Ticket: 0
Billable?: yes
Total Hours: 3.72

Description (last modified by ed)

write some explano-text about our cookies and add to http://www.transitionnetwork.org/site-help

here good example:
http://recalledproducts.org/cookies

Attachments

Screen shot 2012-05-30 at 12.15.03.png (12.5 KB) - added by laura 4 years ago.
screenshot google link for webwidgets in views

Change History

comment:1 Changed 5 years ago by ed

  • Priority changed from major to critical

comment:2 Changed 5 years ago by chris

  • Cc chris added
  • Add Hours to Ticket changed from 0.0 to 0.05
  • Total Hours changed from 0.0 to 0.05

I suggest we implement stuff so we can say (in language people can understand!), something like:

  • The only cookies that might be set for people who don't login are the Piwik tracking ones (need to check that it does set cookies etc) and these are set and served using HTTPS.
  • Cookies are needed when users login, this is only done via HTTPS, all authenticated sessions are encrypted.

Would it help if we put the existing privacy policy on a wiki page so we can work on it there?

comment:3 Changed 5 years ago by ed

related to #276 for a list of the cookies

privacy policy onto wiki page = good idea = ed to do

comment:4 Changed 5 years ago by laura

Meant to comment re the wiki suggestion yesterday - yes, think it's a good idea. Have been looking into the cookie thing too.
Would also suggest that Privacy & Cookies statement is taken out of 'Site help' as such as that page is more to help people with their abilities to ensure they have a good user experience, and possibly pop in a page and link it in the bottom of the footer section links, next to T&Cs or similar - it's the sort of place where people are most likely to look for the info.

comment:5 Changed 5 years ago by ed

https://wiki.transitionnetwork.org/Privacy

AGREED: take privacy *out* of 'help' and put in own footer link

Chris - you'll be able to not have that google analytics text in there now :)

comment:6 Changed 5 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.3
  • Total Hours changed from 0.05 to 0.35

I have done some work on this and drafted a first draft of a possible replacement text, see: https://wiki.transitionnetwork.org/Privacy#Draft_New_Privacy_Text it needs to be made less techie and more friendly I expect ;-)

comment:7 Changed 5 years ago by ed

dropbox example here:
http://blog.dropbox.com/?p=846

comment:8 Changed 5 years ago by laura

Will be coming back to this next week.

Silktide have a nice ebook all about the cookie law (a little self promoting in places, and tongue in cheek in others!) but a useful read about the law et al. Also highlights the nice example from http://allthingsd.com/ as a way of doing it (although not really what I'd recommend, but that one has some nice easy to understand explanatory texts)

Download the ebook - http://www.silktide.com/templatefiles/EU%20Cookie%20Law%20eBook.pdf

comment:9 Changed 5 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.2
  • Total Hours changed from 0.35 to 0.55

Not sure we need to worry too much about the law:

The UK... will not take any enforcement action until May 2012 at the earliest

the government clarified that consent may be signified by a user amending or setting controls on their internet browser to accept cookies

http://ehoganlovells.com/ve/ZZj31jR81rj6182tb72/VT=0/page=32

What we have at the moment is:

  1. HTTP anon browsing -- no cookies are set by transitionnetwork.org.uk, however the stats application at stats.transitionnetwork.org, piwik, does set two cookies for tracking users, if the user doesn't have no-track option set in their browser and if the user has javascript and cookies enabled. In addition 3rd party applications, that we have no control over, may set cookies, such as Google Maps.
  2. HTTPS authenticated browsing -- cookies are set when a user logs into the web site, this is unavoidable as it's how Drupal authenticates users. However users can opt out of tracking in the same manner as on the HTTP site and in addition they can set an option not to be tracked in their preferences.

The above would need translating into language the users can understand I expect...

comment:10 Changed 5 years ago by chris

The Piwik Do Not Track plugin has just been installed and enabled, see ticket:292#comment:1 and as a result the last comment above about what is happening with cookies will now be correct when GA is removed from the site.

comment:11 Changed 5 years ago by ed

  • Milestone changed from Phase 4 to Phase 5

comment:12 Changed 5 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 0.55 to 0.8

I just did a little tweaking on the draft cookies policy, https://wiki.transitionnetwork.org/Privacy#Draft_New_Privacy_Text

There are some drupal/piwik settings we might want to agree on before the text is finalised, see
https://www.transitionnetwork.org/admin/settings/piwik

  • Do we want to exclude any roles from being tracked? Currently all roles are tracked.
  • Currently we exclude /admin/ pages from being tracked, does this cover everything that should be excluded?
  • Currently it's set so "Users cannot control whether they are tracked or not." Shouldn't this be changed to "Track users by default, but let individual users to opt out."?
  • Is it OK to switch off GA now? See ticket:292

comment:13 Changed 5 years ago by ed

  • Milestone Phase 5 deleted

comment:14 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 0.8 to 0.9

Can we sort out the new privacy policy and drop GA for Piwik at the same time that the PSE widget is launched?

See also ticket:382

comment:15 follow-up: ↓ 16 Changed 4 years ago by laura

Hi Chris -

I'm happy to drop GA at an appropriate time - we'll need to ensure that we can set up tracking with Piwik to attach to the PSE widget.
Also, I need to add a campaign url for some badges that Transition Training are testing (currently using GA but am going to change them to piwik soon).

Re cookies, I'll be adding a page re cookies later this week, thankfully the cookie law changed a little at last minute - http://m.guardian.co.uk/technology/2012/may/26/cookies-law-changed-implied-consent?cat=technology&type=article

I've collated some useful texts from others on what cookies are and how to manage etc within your own browser and tools to add on too. Had wondered if we use a module for the alert for now - such as http://drupal.org/project/eu-cookie-compliance to save coding up a custom pop up script to alert users which I can style up in TN colors. Would appreciate your thoughts on the module if you have any.

comment:16 in reply to: ↑ 15 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.15
  • Total Hours changed from 0.9 to 1.05

Replying to laura:

I'm happy to drop GA at an appropriate time - we'll need to ensure that we can set up tracking with Piwik to attach to the PSE widget.

The widget does already have Piwik tracking but I haven't yet looked at how to generate specific widget data -- I was hoping to experiment with this using the dev version of the TN site and the dev install of Piwik, rather than the live ones...

Also, I need to add a campaign url for some badges that Transition Training are testing (currently using GA but am going to change them to piwik soon).

Shout if you need some help with this?

Re cookies, I'll be adding a page re cookies later this week, thankfully the cookie law changed a little at last minute - http://m.guardian.co.uk/technology/2012/may/26/cookies-law-changed-implied-consent?cat=technology&type=article

The Guardian won't let me read that article unless I accept a cookie from them!

The Piwik server has the Do Not Track plugin installed -- any browser that sends the DNT header won't be tracked, though I guess I need to test if a cookie is set in these cases...

The only other cookies I'm aware that we set are the session cookies for logins -- this is how Drupal logins work.

I've collated some useful texts from others on what cookies are and how to manage etc within your own browser and tools to add on too. Had wondered if we use a module for the alert for now - such as http://drupal.org/project/eu-cookie-compliance to save coding up a custom pop up script to alert users which I can style up in TN colors. Would appreciate your thoughts on the module if you have any.

Hmm, IANAL but given that we only use cookies for authentication wouldn't some text on the login page together with an updated privacy policy be enough? This plugin seems to be more about covering one's back than doing anything of use...

Remember we have this draft new policy: http://wiki.transitionnetwork.org/Privacy

comment:17 follow-up: ↓ 18 Changed 4 years ago by laura

Hi Chris - thanks for the feedback. I've seen so many sites that have implemented annoying popups which tbh I'm sure will fade very soon indeed - I feel there has been mass confusion about the 'law' and as we're not being too bad with our cookies we aren't in a bad place with it all, though useful for those who enjoy reading cookie policies et al there will be a page for them! I'll be adding a link to the bottom links on all pages (in the footer) with the title privacy and cookies and adding the texts which are taken in part from your wiki page and some of the bits I've collated from others too.

The 'web widget' module we use on the site, when creating a view for the widget has a tick for adding Google Analytics, (It's a really simple module) which we've never actioned, and presume that to add a piwik link isn't too difficult either. (it could already be there).

Re the training team badges, they are simple embed a linked image badge promoting the TTraining for ini's to put on their sites and they've just created a new batch. All I need is a simple campaign url to add onto the url (something that shows in the analytics under campaigns - Transition Training Badge as the title - don't have to be unique for each badge, just so it's easy to collate general stats on how many (if any!) clicked on the image link to get to T Training page on the TN website. Would you recommend using this - http://piwik.org/docs/tracking-campaigns/url-builder/ or is there something better within the Piwik account page to create these?

comment:18 in reply to: ↑ 17 ; follow-up: ↓ 20 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.2
  • Total Hours changed from 1.05 to 1.25

Replying to laura:

Hi Chris - thanks for the feedback. I've seen so many sites that have implemented annoying popups which tbh I'm sure will fade very soon indeed - I feel there has been mass confusion about the 'law' and as we're not being too bad with our cookies we aren't in a bad place with it all, though useful for those who enjoy reading cookie policies et al there will be a page for them! I'll be adding a link to the bottom links on all pages (in the footer) with the title privacy and cookies and adding the texts which are taken in part from your wiki page and some of the bits I've collated from others too.

Great. I would suggest we remove the GA module now to save writing a new policy that includes GA and then having to do another when GA is removed -- does that make sense?

Regarding Piwik, there is a new version of the DNT plugin that I need to install: http://dev.piwik.org/trac/ticket/2048#comment:13

Once I have done that I will test to see if a browser with DNT switched on will get a cookie from stats.transitionnetwork.org -- currently one does get one.

The 'web widget' module we use on the site, when creating a view for the widget has a tick for adding Google Analytics, (It's a really simple module) which we've never actioned, and presume that to add a piwik link isn't too difficult either. (it could already be there).

I'm not sure I understand, is this separate from the PSE widget? And if so can you point me to an example of this 'web widget'?

The PSE widget example of Jim's site did have GA and Piwik tracking webbugs already.

Re the training team badges, they are simple embed a linked image badge promoting the TTraining for ini's to put on their sites and they've just created a new batch. All I need is a simple campaign url to add onto the url (something that shows in the analytics under campaigns - Transition Training Badge as the title - don't have to be unique for each badge, just so it's easy to collate general stats on how many (if any!) clicked on the image link to get to T Training page on the TN website. Would you recommend using this - http://piwik.org/docs/tracking-campaigns/url-builder/ or is there something better within the Piwik account page to create these?

That looks perfect for what you want to do.

comment:19 Changed 4 years ago by chris

I have created a separate ticket for the updating of the Do Not Track plugin, see ticket:414

comment:20 in reply to: ↑ 18 ; follow-up: ↓ 21 Changed 4 years ago by laura

Replying to chris:

Replying to laura:

Hi Chris - thanks for the feedback. I've seen so many sites that have implemented annoying popups which tbh I'm sure will fade very soon indeed - I feel there has been mass confusion about the 'law' and as we're not being too bad with our cookies we aren't in a bad place with it all, though useful for those who enjoy reading cookie policies et al there will be a page for them! I'll be adding a link to the bottom links on all pages (in the footer) with the title privacy and cookies and adding the texts which are taken in part from your wiki page and some of the bits I've collated from others too.

Great. I would suggest we remove the GA module now to save writing a new policy that includes GA and then having to do another when GA is removed -- does that make sense?

Yes all okay for that - but if possible can we keep on until the end of the month so I can finish collating this month's stats for the TN team under GA. (not long til the end of the month!) I've mentioned we're switching over to Piwik fully too.

Regarding Piwik, there is a new version of the DNT plugin that I need to install: http://dev.piwik.org/trac/ticket/2048#comment:13

Once I have done that I will test to see if a browser with DNT switched on will get a cookie from stats.transitionnetwork.org -- currently one does get one.

The 'web widget' module we use on the site, when creating a view for the widget has a tick for adding Google Analytics, (It's a really simple module) which we've never actioned, and presume that to add a piwik link isn't too difficult either. (it could already be there).

I'm not sure I understand, is this separate from the PSE widget? And if so can you point me to an example of this 'web widget'?

They are listed here: (scroll down to web widgets lower into the page)
http://www.transitionnetwork.org/syndication-and-social-media - I altered how the embed code outputted as the default is a little clunky for users.
Here is a sample of the widget page for the news one - https://www.transitionnetwork.org/sharing/widget_news
and the output by the module itself for the embed codes which isn't as nice to use but use ... https://www.transitionnetwork.org/sharing/news

and here is the link to the view that works with the web widget module - https://www.transitionnetwork.org/admin/build/views/edit/widget

In the widget view editing bit - there is an element for adding google tracking (which we have switched off - which adds some element of a campaign or other - not actually used!)

The PSE widget example of Jim's site did have GA and Piwik tracking webbugs already.

Re the training team badges, they are simple embed a linked image badge promoting the TTraining for ini's to put on their sites and they've just created a new batch. All I need is a simple campaign url to add onto the url (something that shows in the analytics under campaigns - Transition Training Badge as the title - don't have to be unique for each badge, just so it's easy to collate general stats on how many (if any!) clicked on the image link to get to T Training page on the TN website. Would you recommend using this - http://piwik.org/docs/tracking-campaigns/url-builder/ or is there something better within the Piwik account page to create these?

That looks perfect for what you want to do.

Great - will use that one then!

comment:21 in reply to: ↑ 20 ; follow-up: ↓ 22 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.82
  • Total Hours changed from 1.25 to 2.07

Replying to laura:

Yes all okay for that - but if possible can we keep on until the end of the month so I can finish collating this month's stats for the TN team under GA. (not long til the end of the month!) I've mentioned we're switching over to Piwik fully too.

That sounds fine to me. It'll also coincide with the switch to Good Energy -- we could make some noise about both changes in a blog post or something perhaps?

They are listed here: (scroll down to web widgets lower into the page)
http://www.transitionnetwork.org/syndication-and-social-media - I altered how the embed code outputted as the default is a little clunky for users.
Here is a sample of the widget page for the news one - https://www.transitionnetwork.org/sharing/widget_news

OK, I think it should be simple to add a Piwik webbug to these pages but:

In the widget view editing bit - there is an element for adding google tracking (which we have switched off - which adds some element of a campaign or other - not actually used!)

I haven't found this, does it have a URL?

Changed 4 years ago by laura

screenshot google link for webwidgets in views

comment:22 in reply to: ↑ 21 ; follow-up: ↓ 23 Changed 4 years ago by laura

Replying to chris:

Replying to laura:

Yes all okay for that - but if possible can we keep on until the end of the month so I can finish collating this month's stats for the TN team under GA. (not long til the end of the month!) I've mentioned we're switching over to Piwik fully too.

That sounds fine to me. It'll also coincide with the switch to Good Energy -- we could make some noise about both changes in a blog post or something perhaps?

Anything for blog posts welcomed. I have a batch of draft posts here on my own desktop relating to web and tech and anything interesting to add always welcomed!

They are listed here: (scroll down to web widgets lower into the page)
http://www.transitionnetwork.org/syndication-and-social-media - I altered how the embed code outputted as the default is a little clunky for users.
Here is a sample of the widget page for the news one - https://www.transitionnetwork.org/sharing/widget_news

OK, I think it should be simple to add a Piwik webbug to these pages but:

I'll have a look at dev tomorrow morning - and it may be needing a chat with Jim re this on any thoughts he had with implementing tracking. We're using the webwidgets module but seems we're using a different way of it working for the PSE widgets...

  • I'm not sure if there are any Piwik issues that should be considered when adding tracking to 3rd party sites, I have asked about this on the Piwik forum as I haven't found an answer to this question anywhere.

In the widget view editing bit - there is an element for adding google tracking (which we have switched off - which adds some element of a campaign or other - not actually used!)

I haven't found this, does it have a URL?

See attached screenshot of where to see...

comment:23 in reply to: ↑ 22 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 1.0
  • Total Hours changed from 2.07 to 3.07

Replying to laura:

Anything for blog posts welcomed. I have a batch of draft posts here on my own desktop relating to web and tech and anything interesting to add always welcomed!

OK, I'll try and draft something when I get a chance.

Regarding the tracking I have worked out how to add a webbug to these widgets, I have added an image to the footer and you can see it at the bottom of this page if you view the HTML source:

https://dev.transitionnetwork.org/sharing/widget_news

We can add additional items to the query string to generate specific stats, specifically:

  • action_name - Defines the custom Page Title for this page view
  • idgoal - The request will trigger the given Goal

However I think it would be more flexible if we were able to use the javascript tracker and in order to do that I think the template for the widget will need editing, assuming we can use a javascript write to write a javascript write?

This is something we can discuss at the meeting tonight.

comment:24 Changed 4 years ago by chris

  • Cc jim added

Jim has suggested adding the JS tracking code to the header using PHP format.

comment:25 Changed 4 years ago by jim

To be clear, that's the views header: edit it (override if needs be); paste tracking code; ensure format is PHP (to keep all content); save.

comment:26 Changed 4 years ago by ed

  • Milestone set to Production

so what's going on with this then? this was about a cookies policy and looks like it turned into a widget tracking issue... what's the score?

comment:27 Changed 4 years ago by ed

  • Description modified (diff)

hmm?

comment:28 follow-up: ↓ 30 Changed 4 years ago by ed

  • Priority changed from critical to blocker
  1. Agreed with Chris 19/03/12: update the privacy statement for 01/013/13 as we move off Google Analytics (CHRIS to write)
  2. Agreed with Chris 19/03/13: we don't really need an annoying pop up as we aren't doing anything that isn't standard which we need to inform users about, and a good privacy statement will cover us
  3. Privacy statement and terms and conditions for PSE - what are we and aren't we tracking? I need an answer on this as I'm doing the T&Cs for the widget *now* - need an answer. Moving this to blocker

comment:29 Changed 4 years ago by laura

re, recent updates to the law (for bedtime reading)...

and prob more helpful, a good clear 'plain english' page explaining cookies and how used - a nice model is here of which some of the texts for explano-blurbs could be 'liberated' from - https://www.gov.uk/support/cookies with a mix of their privacy texts too - https://www.gov.uk/support/privacy-policy

comment:30 in reply to: ↑ 28 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.15
  • Total Hours changed from 3.07 to 3.22

Replying to ed:

  1. Agreed with Chris 19/03/12: update the privacy statement for 01/013/13 as we move off Google Analytics (CHRIS to write)

I have updated the draft here:

https://wiki.transitionnetwork.org/Privacy#Draft_New_Privacy_Text

Does it need more details about cookies adding? Details regarding what cookies we set for people if they don't login and also what cookies we set for people if they login?

Also I'm not much of a writer -- I'm happy to help with the technical details, but I'm sure someone else could write some more friendly blurb than me...?

  1. Privacy statement and terms and conditions for PSE - what are we and aren't we tracking? I need an answer on this as I'm doing the T&Cs for the widget *now* - need an answer. Moving this to blocker

The widget has exactly the same webbugs as any other page on the Transition Network site -- we are embedding a page from the Transition Network site onto other sites using an iframe.

comment:31 follow-ups: ↓ 34 ↓ 35 Changed 4 years ago by ed

  • Owner changed from laura to ed
  • Status changed from new to assigned
  1. Excellent outline so far. Yes please - If you can describe the cookies we set for not logged in and logged in, that would be excellent. Ed will editorially fluff it. The recommended pages by laura are great: https://www.gov.uk/support/privacy-policy and https://www.gov.uk/support/cookies
  1. PSE and privacy - OK then I'll assume that if they put the widget onto their sites, then they are agreeing to our privacy policy which I will link to in the widget FAQs and T&Cs.

Also re-assigning to Ed from Laura, but input needed from Chris here for #1 please.

comment:32 follow-up: ↓ 33 Changed 4 years ago by ed

Also tested to see if we can see the piwik tab - and I can't with various accounts - see wiki

comment:33 in reply to: ↑ 32 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.15
  • Total Hours changed from 3.22 to 3.37

Replying to ed:

Also tested to see if we can see the piwik tab - and I can't with various accounts - see wiki

OK, this is an issue for Jim -- if I do My account -> Edit then I see a long page which includes this section with a tick box which isn't disabled:

Piwik configuration

Users are tracked by default, but you are able to opt out.

| | Enable user tracking

This is because we changed the settings here, https://www.transitionnetwork.org/admin/settings/piwik#edit-piwik-custom-0-wrapper to:

Custom tracking settings:

| | Users cannot control whether they are tracked or not.

|.| Track users by default, but let individual users to opt out.

| | Do not track users by default, but let individual users to opt in.

Allow individual users to customize the visibility of tracking in their account settings. Only users with opt-in or out of tracking permission are allowed to set their own preference.

I guess there are some other permissions that need changing so that people without admin access get this option?

comment:34 in reply to: ↑ 31 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.25
  • Total Hours changed from 3.37 to 3.62

Replying to ed:

If you can describe the cookies we set for not logged in and logged in, that would be excellent.

I still have to do this, it'll take an hour or so, I'll set up a copy of Firefox and use something like that live http headers plugin to document exactly what cookies are set by which apps.

I have also been thinking a bit about the bigger picture and wondering if we need to step back a bit and consider what we are logging and why?

I'd suggest that we should aim to record the minimum data that we might need, and no more. This could mean that we consider:

  • Server logs, it is sometimes handy to have system logs going back some time, how long, a year?
  • What about Nginx and php-fpm logs, do we need to keep them for more than a month?
  • If the site is being attacked server logs are handy to see what is happening but apart from that are they ever needed?
  • What about the drupal logs, are these still going to the syslog?
  • What about things like logwatch emails, should mention of this level of detail be needed in a privacy statement?
  • Piwik stats, do we need to save any IP addresses? If we have the country and the user tracking cookie isn't that enough?
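
An added example, not part of the ticket or of any participant's comment: one way to turn captured HTTP headers into the per-cookie inventory a cookies statement needs, and to check whether a cookie is still set when the request carries DNT: 1. The capture format, cookie names and values are constructed for illustration; only the hostnames come from the ticket.

```python
from urllib.parse import urlsplit

# Constructed capture (not real site output). Hosts are the ones named in the
# ticket; cookie names and values are invented. Format assumed for this example:
# "== URL" starts an exchange, "> " is a request header, "< " a response header.
CAPTURE = """\
== http://www.transitionnetwork.org/
< HTTP/1.1 200 OK
< Content-Type: text/html

== https://stats.transitionnetwork.org/piwik.php
> DNT: 1
< HTTP/1.1 200 OK
< Set-Cookie: example_visitor=abc123; Path=/; Max-Age=63072000

== https://www.transitionnetwork.org/user
< HTTP/1.1 302 Found
< Set-Cookie: SESSexample=0123abcd; Path=/; Secure; HttpOnly
< Set-Cookie: example_pref=1; Path=/; Expires=Wed, 01 Jan 2014 00:00:00 GMT
"""


def parse_capture(text):
    """Split the capture into exchanges with request headers and raw Set-Cookie values."""
    exchanges = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("== "):
            exchanges.append({"url": line[3:], "request": {}, "set_cookie": []})
        elif line[:2] in ("> ", "< ") and exchanges and ":" in line:
            name, _, value = line[2:].partition(":")
            name, value = name.strip().lower(), value.strip()
            if line[0] == ">":
                exchanges[-1]["request"][name] = value
            elif name == "set-cookie":
                exchanges[-1]["set_cookie"].append(value)
    return exchanges


def parse_set_cookie(raw):
    """Return (name, attributes); flag attributes such as Secure map to True."""
    first, *rest = [part.strip() for part in raw.split(";")]
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else True
    return first.partition("=")[0].strip(), attrs


def inventory(exchanges):
    """One row per cookie: host, lifetime and flags, plus whether DNT was ignored."""
    rows = []
    for ex in exchanges:
        url = urlsplit(ex["url"])
        dnt = ex["request"].get("dnt") == "1"
        for raw in ex["set_cookie"]:
            name, attrs = parse_set_cookie(raw)
            persistent = bool(attrs.keys() & {"expires", "max-age"})
            rows.append({
                "host": url.hostname,
                "name": name,
                "lifetime": "persistent" if persistent else "session",
                "secure": url.scheme == "https" and attrs.get("secure") is True,
                "httponly": attrs.get("httponly") is True,
                "set_despite_dnt": dnt,
            })
    return rows


def findings(rows):
    """Rows that contradict 'HTTPS only' or 'DNT browsers get no cookie'."""
    out = []
    for r in rows:
        if r["set_despite_dnt"]:
            out.append((r["host"], r["name"], "cookie set although request sent DNT: 1"))
        if not r["secure"]:
            out.append((r["host"], r["name"], "no Secure flag or served over plain HTTP"))
    return out


if __name__ == "__main__":
    rows = inventory(parse_capture(CAPTURE))
    for row in rows:
        print(row)
    for finding in findings(rows):
        print("FINDING:", *finding)
```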

comment:35 in reply to: ↑ 31 Changed 4 years ago by chris

  • Add Hours to Ticket changed from 0.0 to 0.1
  • Total Hours changed from 3.62 to 3.72

Replying to ed:

If you can describe the cookies we set for not logged in and logged in, that would be excellent.

I took a look at the headers and posted the results in two comments on another ticket, see ticket:371#comment:34 and ticket:371#comment:36 and I wrote up a summary here:

comment:36 Changed 4 years ago by ed

  • Status changed from assigned to closed
  • Resolution set to fixed

Added to http://www.transitionnetwork.org/site-help

Good work all!

Closing
