[wp-trac] [WordPress Trac] #46986: DNT Parameter automatically for Vimeo oEmbed requests

WordPress Trac noreply at wordpress.org
Tue Oct 20 21:36:58 UTC 2020


#46986: DNT Parameter automatically for Vimeo oEmbed requests
-------------------------------------------------+-------------------------
 Reporter:  djc71889                             |       Owner:  garrett-
                                                 |  eclipse
     Type:  defect (bug)                         |      Status:  accepted
 Priority:  normal                               |   Milestone:  5.6
Component:  Embeds                               |     Version:  4.9
 Severity:  major                                |  Resolution:
 Keywords:  has-patch needs-dev-note has-unit-   |     Focuses:  privacy
  tests commit                                   |
-------------------------------------------------+-------------------------

Comment (by adakaleh):

 Before deciding on this, I think several points ought to be clarified:

 Replying to [ticket:46986 djc71889]:
 > Note that unlike Twitter (which was mentioned in the initial report), the
 > Vimeo player does not contain cookies which are unessential to player
 > functionality (like saving language preferences or viewer statistics). It
 > does not track 'non-essential' cookies like Google Analytics and other
 > third party cookies (used for ad serving, etc).

 The above statement is false. Vimeo's player stores an unessential
 tracking cookie called `vuid`. It's unessential because the video player
 works without it when DNT is used. This cookie can be used by Vimeo to
 track people across the web through its embedded videos.

 Vimeo also sets the `sync_active` key in local storage. This is what Vimeo
 [https://stackoverflow.com/questions/27614407/soundcloud-and-vimeo-synchronize-their-players-in-different-tabs-and-sometimes uses]
 to stop
 videos from playing simultaneously in different tabs and iframes. It can
 also be used to track people across websites, which is why Vimeo blocks it
 when DNT is used.

 The stats mentioned in https://vimeo.com/analytics can be obtained without
 unique identifiers. The same viewer might be counted more than once, but
 Vimeo could still show its clients ''"where they’re coming from, how
 they’re finding your videos, and what devices they’re watching them on"''
 (and more) without tagging each visitor with a unique ID. Even so, much of
 this data is perhaps too invasive and it's arguably a good thing that DNT
 prevents its collection.

 As for [comment:4 the issue raised by freshyjon]:
 > it allows the user to play multiple videos at once (which is NOT default
 > behavior, and is arguably not very “Accessible friendly”).

 How is this an accessibility issue? To me it looks like a tiny
 inconvenience, far outweighed by the privacy costs of going through with
 this change.

 To conclude, please be mindful of the privacy implications herein. I
 suggest not allowing Vimeo to push its tracking-by-default exception into
 WordPress.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/46986#comment:25>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

