Mahara

Add YouTube-nocookie to youTube filtered URLs and make it a config setting

Bug #1885664 reported by Kristina Hoeppner on 2020-06-30

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Mahara	Triaged	Wishlist	Unassigned

Bug Description

Google automatically tracks anyone viewing an embedded a YouTube video. There is a solution to be GDPR compliant: It's to use youtube-nocookie.com

See https://dri.es/how-to-remove-youtube-tracking for the background.

It would be good to include that URL as default in our 'Allowed iframe sources' list.

Furthermore, since we want to be GDPR compliant / need to in certain circumstances, I wonder if we should make it a default in the config.php that system admins can say that all YouTube videos should be converted to the nocookie URL (would need to be regular YouTube URLs as well as ones from mobile devices and the YouTube shortened ones I guess). We already convert the URL into proper iframe code and could add that as regex.

It would be good to have it available in the site admin area but also be able to override it in the config.php so that site admins can't easily change things. The default would be nocookie to comply better with privacy from the start.

We may need to have a button to update all URLs (like we have for clean URLs when they are set for the first time) if we can't make that conversion on the fly. YouTube URLs appear in the 'Embedded media' block as well as in serialised text in journal entries, text blocks, and notes. That serialised text might be difficult to change. This is important for sites that would be switching from the regular to the nocookie URL.

If we make it a setting and someone changes from nocookie URL to regular YouTube URL then we are not updating all URLs though in case someone had set the nocookie URL specifically. The update would only be for YouTube -> YouTube-nocookie.

Tags:

Kristina Hoeppner (kris-hoeppner) on 2020-09-05

Changed in mahara:
milestone:	none → 21.04.0

Lisa Seeto (lisaseeto) on 2020-09-29

Changed in mahara:
assignee:	nobody → Lisa Seeto (lisaseeto)
status:	Confirmed → In Progress

Revision history for this message

Lisa Seeto (lisaseeto) wrote on 2020-10-01:

After offline discussion, we will adjust the way that future YouTube links are created at the block level. An upgrade step will be added to alter existing URLs to use the no-cookie address.

Revision history for this message

Mahara Bot (dev-mahara) wrote on 2020-11-16: A patch has been submitted for review

Patch for "master" branch: https://reviews.mahara.org/11450

Revision history for this message

Lisa Seeto (lisaseeto) wrote on 2020-11-25:

Further research into this topic shows that adding 'no-cookie' might not provide the solution we are really looking for. This article details how YouTube uses other methods in order to track when the 'no-cookie' is present. https://axbom.blog/embed-youtube-videos-without-cookies/

The article also shows and example of what the "European Data Protection Service" has done to address this: https://edps.europa.eu/press-publications/press-news/videos/cnn-regulators-probe-facebook-over-data-privacy-giovanni_en by having an overlay over the embedded content requiring the viewer to click to accept the T&C on YouTube.

Kristina Hoeppner (kris-hoeppner) on 2020-12-06

Changed in mahara:
status:	In Progress → Triaged
milestone:	21.04.0 → none

Revision history for this message

Kristina Hoeppner (kris-hoeppner) wrote on 2021-10-14:

Original patch abandonded as we need to revisit our approach.

Kristina Hoeppner (kris-hoeppner) on 2022-10-13

Changed in mahara:
assignee:	Lisa Seeto (lisaseeto) → nobody

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.