Disable calls to external servers (Google Fonts/APIs, Polyfill.io)

As mentioned in the ticket, a regular license would be required to make this a priority and an exception. If you were not planning to have a DA license, feedback.directadmin.com is the best place for this.
Hi! To be honest, I see major issues with how this was handled:

1. The first reply of the support was a copy and paste reply which implied the linked thread was not read and there was no value provided by the reply. I can live with that but nothing I would pay for.
2. Then, as we discussed here and as I mentioned in the ticket, this is not a typical 'feedback'. I would see it as a critical bug or a misconception in the architecture. Actually, posting this publicly could cause issues for customers in specific countries.
3. To me it seems like it was tried to sell this as a feature request a customer should be happy about, as it's nice to have but optional. As far as I know, and with respect to the current development in our industry, this is very likely not a nice-to-have feature but simply a legal/compliance function a software has to have. Otherwise it's very likely a violation of GDPR and an issue for in-industry-valued audits. So either it's existing or it's a major issue (with risking chances to risk) and I'm sure this is a risk nobody wants to take nowadays.
4. The way it was mentioned that buying a pricier license might or might not help sounds to me like playing the tiny footnote game. Whether and when I would get something for the upgrade would be left open. I'm sure it's not meant like this but for sure it was another red flag as I know it from less professional companies and I'm sure DirectAdmin is in no way on the same level as such companies. On the other hand it shouldn't communicate like this then.

I could link several references about this but they would be written in my first language so I doubt it would make sense for this forum. A short bit of research should quickly explain what's the issue behind all of this and why it's very risky to implement it like this in a platform/website with sensitive content and a changing industry; taking account of Schrems I, Schrems II, Schrems III (?), the fact that Privacy Shield is dead and further court decisions and opinions of national and EU-wide regulatory authorities.

I hope my feedback might shed some light on this topic from my point of view and why I have to disagree on this.

Best Regards,
 
4. The way it was mentioned that buying a pricier license might or might not help sounds to me like playing the tiny footnote game. Whether and when I would get something for the upgrade would be left open.
It wouldn't, note that all licenses come with a full 30-day money-back guarantee, so if you don't get what's been promised in that time - you'd just get the money back :) Anyway, I'm just a tech guy, so I wouldn't like to go into the discussion of the 'selling point'...

I've opened first page which came to my mind - https://www.ebay.de, and I see javascript and html content from external domain loaded. I'm not saying it's a good or a bad thing, but I wonder why would this be a violation of GDPR?
 
It would most likely be best to pick a company in the EU that makes a control panel. They will most likely be completely compliant. They also will be in tune with your needs more.

In non-EU countries, for lack of a better way to say it, they won't care until privacy makes a big arrival in the entire world.

I think GDPR is a great start but until it’s the norm you will most likely have to buy a product from within your area.

On a regular note. Please stay well and safe. I hope you and your family stay safe wherever you are in the world.
 
The GDPR is kind of an odd element in the online community and often feels counterintuitive. However legally speaking it is true that if you are within the EU, you should not use these services. https://easygdpr.eu/2020/08/privacy-shield-invalidated-what-happens-now/ this blog for example says to host google fonts locally and not embed outside EU services that will be loaded in automatically.

The bottom line is that you shouldn't serve content from outside the EU/USA without the user's consent.

At the same time it is true, many companies are not following this ruling from the first day it came into effect.

Aside from embedded web resources, there are services such as Dropbox, Office 365, other Google services, and other cloud services. As far as I know, many of these parties are still busy trying to work something out.

A local legal blog I read regularly suggests for the moment to at least inventory what services you use that are affected by this ruling. So you can keep an eye on it and maybe even start looking for alternatives.

From a company such as DA, I would think it would be good to at least state to keep monitoring the situation, and take appropriate action when possible, e.g. when many companies are doing something similar, for its EU customers. All major USA based companies are doing something with GDPR.
 
If you grep 'google' in assets/apps.js in evolution you'll even find references to pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
Not sure what to think about that...
 
It would most like be best to pick a company in the EU that makes a control panel.
As logical as this may sound, the GDPR provides rules for non-EU companies that do (or want to do) business within the EU to obey the GDPR rules. As seen from Facebook and Google, they can get high fines when violating those rules. Also smaller companies have to take that into consideration. So either comply or don't do business here in the EU, bluntly said.

Images might not be that interesting for privacy, so like smtalk I'm not sure how this would violate GDPR (indeed even most other big companies use them), but I would like to know what Google's pagead2 is doing within a DA theme.
 
If you grep 'google' in assets/apps.js in evolution you'll even find references to pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
Not sure what to think about that...
I filter all my home network via The Pi Hole on a Raspberry Pi, so all that b/s gets blocked.... But, I digress..... Off-topic......

And people wonder why I dislike the Evo theme....
 
I filter all my home network via The Pi Hole on a Raspberry Pi, so all that b/s gets blocked.... But, I digress..... Off-topic......

And people wonder why I dislike the Evo theme....
Is the optional feature in "customize evolution skin", which is turned off by default and lets you enable it and add your own ad, the main reason why you dislike it? We're open to suggestions, just like we listened to a customer who asked for such an optional function.

How would you suggest to leave both sides happy? The ones requesting it, and the ones not wanting to even see the feature available. Maybe there is a simple way to leave both sides happy, which is not so obvious to me yet :)
 
rules for non-EU companies that do (or want to do) business within the EU to obey the GDPR rules.
Yes, but this is not widely accepted as some believe it impacts the other countries' sovereignty. This is a form of tyranny by an outside government. < Redacted: I take it back, I was harsh, it didn't need to be said, I apologize. If the EU citizen needs privacy they need to pick an EU company, that's the only sure way to be safe. Which goes back to my post
and is stated right here.

Consider replacing software from the US with software from the EU.
This is great for the EU. It opens up new markets. Start building your own FB, YouTube and others. Huge revenue opportunity for the EU.

Now don't get me wrong, privacy is a right and some countries, mine included, are pretty bad. Change on the whole is needed. I think GDPR as a whole is on the right track, however once it impacts my freedom it is null.

Enough politics yuck... I hate politics.
Facebook and Google
Sure, the big guys are the worst and will be a target. I hope Cloudflare and Firefox get it soon.
I filter all my home network via The Pi Hole on a Raspberry Pi
Me too I love it.

How would you suggest to leave both sides happy?
In general I would not use CDN I would put in the actual source.

Related to ads, I found that really strange in the control panel. No other panel has this and IMHO ads have no place in a control panel. It should be totally removed. People who want ads can figure that out on their own website.
 
I follow your reasoning Brent but I must disagree because of 2 points
1) Although I'm not particularly pro-EU (there are big debates in each EU country on this), a good thing out of it is GDPR; it forces everyone to think about privacy; much needed everywhere: from small webshops who will just collect your data indefinitely, don't update their software and get hacked, and your data is on the streets -- to the tech giants who own so much data which we have never seen before.

2) Fact of the matter is; DA is widely used in the EU, I highly doubt DA would say goodbye to the customer base because of 1 or 2 cdn links in the skin. The trade off is hugely out of proportion. All it requires is being aware of where you load resources from while developing. Once you do this it is easy to keep everything local. Using a cdn or google fonts and such is just a quick shortcut to what can be done with only a little more effort.

Personally I have already downloaded some Google fonts and use them locally, really it's not that difficult. There is a tool for it: https://google-webfonts-helper.herokuapp.com/fonts

Same thing would apply to the few other external resources I would assume.
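The "download the fonts and serve them locally" step the post above describes, as an added example that is not part of the original post, not DirectAdmin's code and not the linked helper tool: a small Python rewriter that takes the stylesheet Google Fonts serves, swaps every remote `url(...)` for a path on your own origin, and hands back the list of files you still have to fetch once at build time. The sample CSS and file names are constructed for the demonstration; the `/fonts/` prefix is an assumed location in your skin.

```python
"""Rewrite a Google Fonts stylesheet so the font files are served from your own origin.

Added example for this thread; not DirectAdmin's code and not the linked helper tool.
"""
import re
from urllib.parse import urlsplit

# Constructed sample of the shape of CSS that fonts.googleapis.com returns: one
# @font-face per face, each pulling a file from fonts.gstatic.com. File names are
# made up for the example.
SAMPLE_GOOGLE_CSS = """\
/* latin */
@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 400;
  src: url(https://fonts.gstatic.com/s/roboto/v1/roboto-regular.woff2) format('woff2');
}
/* latin */
@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 700;
  src: url(https://fonts.gstatic.com/s/roboto/v1/roboto-bold.woff2) format('woff2');
}
"""

# url(...) with an absolute http(s) target, optionally quoted.
REMOTE_URL_RE = re.compile(r"""url\((['"]?)(https?://[^'")\s]+)\1\)""")


def local_name(remote_url):
    """Derive a stable file name from the last two path segments, e.g. 'v1-roboto-regular.woff2'."""
    segments = urlsplit(remote_url).path.strip("/").split("/")
    return "-".join(segments[-2:])


def localize_font_css(css, local_prefix="/fonts/"):
    """Return (rewritten_css, manifest).

    manifest is a list of (remote_url, local_path) pairs: the files you fetch once,
    at build time, and ship with the skin so the browser never contacts the
    third-party host at all.
    """
    manifest = []

    def swap(match):
        remote = match.group(2)
        local = local_prefix + local_name(remote)
        if (remote, local) not in manifest:
            manifest.append((remote, local))
        return f"url({local})"

    return REMOTE_URL_RE.sub(swap, css), manifest


def remaining_remote_hosts(css):
    """Hosts still referenced by absolute URLs; an empty list means the CSS is fully local."""
    return sorted({urlsplit(m.group(2)).hostname for m in REMOTE_URL_RE.finditer(css)})


if __name__ == "__main__":
    rewritten, manifest = localize_font_css(SAMPLE_GOOGLE_CSS)
    print(rewritten)
    for remote, local in manifest:
        print(f"fetch once: {remote} -> {local}")
    print("remaining remote hosts:", remaining_remote_hosts(rewritten))
```

The rewritten CSS ships with the skin and the `@import url(https://fonts.googleapis.com/...)` or `<link>` in the skin is pointed at that local file; `remaining_remote_hosts` is the check that nothing external survived the rewrite. The downloads themselves are a one-time build step on your machine, so the visitor's browser is never the party contacting Google.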
 
Hello all,

It wouldn't, note that all licenses come with full 30-days money-back guarantee, so if you don't get what's been promised in that time - you'd just get the money back
I see your point and it's a good one but for me it's unclear what 'as soon as possible' means. It could be more than 30 days. Of course the 'damage' would be negligible.

I'm not saying it's a good or a bad thing, but I wonder why would this be a violation of GDPR?
It's about the situation that you expose customer or site visitor information to third parties who can process or leak this further for their own or third-party interests. Actually I think the IT industry is one of the few ones where you can do stuff with data without even knowing what others will do with your customer/site visitor data. If you would do the same in other industries, good luck (yes, insurance is an exception to this ;) ). This is the point that changed. Regarding ebay: I didn't check their site but there are several aspects to check to make a proper statement, e. g. if they did adopt the 'new' court decision of Schrems II already, if a public site is as security-wise relevant as a control panel, which jurisdiction they have to keep in mind, etc. Furthermore there are many companies which don't or didn't mind about specific laws, especially GDPR. So it's hard to make a proper statement here without doing a very time-consuming in-detail review of the page, privacy policy, etc. Regardless of that, I'm sure that they did document this behavior properly, including the risks and pros/cons to make a proper decision.

The GDPR is kind of an odd element in the online community and often feels counterintuitive.
To me this is very intuitive, at least in this case: You want to collect some kind of data for yourself or to pass it to third parties, thus you have to make sure what happens with the data. That's quite a basic concept and anything else is to the least morally quite interesting because you simply can't know the impact you cause for others.

It's as basic as this: If you sell your products and services from within the EU or to someone in the EU, you have to respect the local laws. Same with if you obtain data from a resident from over there. This is no different than with other laws/regulations, e. g. you can't simply sell toxic items in France just because it's legal in your country.

The bottom line is that you shouldn't serve content from outside EU/USA content without the users consent.
Even with user consent (which is the 'weakest' kind of permit to process this data compliant with GDPR), I don't see a good argument why it's implemented like this. I highly doubt it has a noticeable performance benefit and I can't think of a different argument for this. On the other hand there are several reasons against doing it like this.

Even if we agree on that it's fine under GDPR, it's not fine for audits. You simply can not just contact external servers without clear documentation of this: Why is this necessary? What are the risks? Why was this done? Which servers are contacted? How often? How are the possible risks mitigated? Does this violate import/export laws? I don't see how these questions are answered for DirectAdmin docs/usage.

From a company such as DA, I would think it would be good to at least state to keep monitoring the situation, and take appropriate action when possible, e.g. when many companies are doing something similar, for its EU customers. All major USA based companies are doing something with GDPR.

This is a huge point here. I'm surprised that DirectAdmin didn't take care of GDPR and other regulations which have been discussed for the last five years. Google, Microsoft, etc. don't change hundreds of processes just because they love it. They do it because there are very sensible fines involved and risks that their products/services are banned in this (huge) market. It's the same for this issue. It was simply another security risk and legal risk open for quite some time.

If we ignore that it's about the USA or Google, I think it's easier to imagine this scenario: How would you feel if you use DirectAdmin and you just notice it contacts servers in China, Russia, Ukraine, Egypt or Somalia? In fact, it's the same for the USA but likely gives a worse feeling. This should raise a warning that this might be not okay.

So either comply or don't do business here in the EU, bluntly said.

That's the perfect summary of the issue for DirectAdmin and that's why I think it's an interesting idea to try to sell this as a feature. It's not and it won't be.

Images might be not that interesting for privacy
If it does open/require a connection to a third party server, provides some sort of additional context or if it's used for some kind of tracking, it's relevant. It doesn't matter if it's a script, an image or whatever. At the end it raises the same concerns and questions to answer. They might be just easier to answer, depending on what you deliver.

Yes, but this is not widely accepted as some believe it impact the other countries sovereignty. This is a form of tyranny by an outside government. If the EU citizen needs privacy they need to pick an EU company, that's the only sure way to be safe. Which goes back to my post
and is stated right here.
No, I have to disagree on this (see above regarding my example with toxic items/product liability). Just because it's legal in your country, it's not legal to export it like this.

In general I would not use CDN I would put in the actual source.
That's it and it's the very same for any other resource/asset I might have missed/don't know about.

Related to Ads I found that really strange in the Control panel. No other panel has this and IMHO ads have no place in a control panel. It should be totally removed. People who want Ads can figure that out on there own website.
Even if we want to have ads and it's a requirement for someone, I think DirectAdmin has no native way to provide ToS, privacy policies, a cookie banner, a way to report problematic ads, document this properly etc. I think for such a feature, there are other features missing which are important to realize this properly. Of course you can use DirectAdmin with other software and fulfill these feature gaps by using different software together but then: Does a bigger company who deals with this properly really want to use different software or customize DirectAdmin AND has a need for ads? I think I have never seen this in practice and it's unlikely that this is some kind of hidden champion feature.

So even if this is fine and there are no legal risks, I don't see a proper way to find out all externally loaded resources without investing a lot of time. I think there's no documentation about this which is just another issue itself.

Regardless of my criticism here, I'm happy to see that we have a valuable discussion about this. This can happen easily but it matters how it's dealt with.

Best Regards,
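The inventory step asked for twice in this thread (the `grep 'google' assets/apps.js` check earlier, and "I don't see a proper way to find out all externally loaded resources" above), as an added example that is not part of any post here and not DirectAdmin's code: a Python scanner that walks a skin directory, pulls every absolute or protocol-relative URL out of the HTML/CSS/JS, and groups the third-party hosts with the file and line that references each. The sample skin files are constructed for the demonstration, not copied from the Evolution skin; the host descriptions are taken from what this thread names and are a starting list to extend. Comments and `xmlns` declarations will show up as false positives, which is why the output points at the exact line for manual review.

```python
"""Inventory the third-party origins a skin's static assets reference.

Added example for this thread, not DirectAdmin's code. Assumes the skin is a directory
of HTML/CSS/JS files; the sample skin below is constructed for the demonstration, not
copied from the Evolution skin.
"""
import os
import re
import tempfile
from collections import defaultdict

ASSET_EXTS = {".html", ".htm", ".css", ".js", ".json", ".svg"}

# Absolute http(s) or protocol-relative (//host/...) references, as they appear in
# src=, href=, url(), @import and plain JS string literals. Captures the host.
URL_RE = re.compile(
    r"""(?<![\w.\-])(?:https?:)?//([A-Za-z0-9.\-]+\.[A-Za-z]{2,})(?::\d+)?(?=[/"'\s)?#]|$)"""
)

# Hosts named in this thread and what they serve; extend for your own environment.
KNOWN_THIRD_PARTY = {
    "fonts.googleapis.com": "Google Fonts stylesheet",
    "fonts.gstatic.com": "Google Fonts files",
    "polyfill.io": "Polyfill.io script CDN",
    "pagead2.googlesyndication.com": "Google AdSense script",
}

# Constructed sample skin: one page, one script, one stylesheet.
SAMPLE_SKIN = {
    "index.html": (
        '<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">\n'
        '<script src="https://polyfill.io/v3/polyfill.min.js"></script>\n'
        '<script src="/assets/apps.js"></script>\n'
    ),
    "assets/apps.js": (
        'var s = "https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js";\n'
        'fetch("/api/session");\n'
    ),
    "assets/theme.css": (
        "@import url(https://fonts.googleapis.com/css2?family=Inter);\n"
        "body{background:url(/img/bg.png)}\n"
    ),
}


def find_external_origins(root, own_hosts=()):
    """Map each external host to the list of (file, line) locations that reference it.

    own_hosts: hostnames you serve yourself, which are not third parties.
    """
    own = {h.lower() for h in own_hosts}
    hits = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in ASSET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for m in URL_RE.finditer(line):
                        host = m.group(1).lower()
                        if host not in own:
                            hits[host].append((rel, lineno))
    return dict(hits)


def report(hits):
    """One line per host: what it is (or 'unknown'), reference count, and locations."""
    lines = []
    for host in sorted(hits):
        what = KNOWN_THIRD_PARTY.get(host, "unknown third party, review manually")
        where = ", ".join(f"{f}:{n}" for f, n in hits[host])
        lines.append(f"{host}  [{what}]  {len(hits[host])} ref(s): {where}")
    return lines


def write_sample_skin(root):
    for rel, body in SAMPLE_SKIN.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def scan_sample(own_hosts=()):
    """Materialise the constructed skin in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        write_sample_skin(root)
        return find_external_origins(root, own_hosts)


if __name__ == "__main__":
    for line in report(scan_sample()):
        print(line)
```

Run it against the real skin directory with `find_external_origins("/path/to/skin", own_hosts=["panel.example.invalid"])` (an assumed path and hostname) and you have the list the audit questions in the post above ask for: which servers, from which files, and how often. Re-running it in CI after each skin update is the cheap way to notice when a new external reference sneaks in.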
 
good thing out of it is GDPR; it forces everyone to think about privacy;
Totally agree.
get hacked, and your data is on the streets
It all already there now. The genie has been out of the bottle for a long time.
don't update their software
Totally agree, look at all the people who post on here that still run PHP 5 or have CentOS 6. I can't make them upgrade. They should do the world a favor and upgrade; until they do we can only hope to punish the hackers when caught.
tech giants who own so much data which we have never seen before.
Totally get it. We let them do it. We (all of us) let privacy go. Yes we have to take it back. I just don't need a government from some other place to tell me what or how to do it. As I said, on a whole it's a good thing. Just don't come to my house and tell me what food to eat...
I highly doubt DA would say goodbye to the customer
That is the thing, it's not a DA issue, it's an EU citizen issue. Not that I can speak for them and they don't want me to as they are Canadian. The EU business owner or citizen has been told by their government what to do. So do it. Don't ask me or anyone else to do it for you.
The trade off is hugely out of proportion. All it requires is being aware of where you load resources from while developing. Once you do this it is easy to keep everything local. Using a cdn or google fonts and such is just a quick shortcut to what can be done with only a little more effort.
Not sure this matters. The EU law is law if you live in the EU you must be assimilated.

Personally I have already downloaded some Google fonts and use them locally, really it's not that difficult. There is a tool for it: https://google-webfonts-helper.herokuapp.com/fonts

Same thing would apply to the few other external resources I would assume.
I assume this would work but I dont know the law of your country.

I fundamentally think we agree
 
you have to respect the local laws.
No we don't do business. I can't be responsible for you... you have to be responsible for you.
This is no different than with other laws/regulations, e. g. you can't simply sell toxic items in France just because it's legal in your country.
Correct, don't do business. As an EU citizen don't buy the items and don't buy stuff in France. Don't punish France if they sell you something and we don't know you are from the EU. You are speaking of tangible goods not privacy so not the same. On the internet I can be anyone..

I don't see how these questions are answered for DirectAdmin docs/usage.
Why should they be. It's not their job to interpret your country's law. That is your job.
If we ignore that it's about USA or Google, I think it's easier to imagine this scenario: How would you feel if you use DirectAdmin and you just notice it contacts servers in China, Russia, Ukraine, Egypt or Somalia? In fact, it's the same for USA but likely gives a more bad feeling. This should raise a warning that this might be not okay.
You don't do business... you silo yourself off and sell to the patriots that live in your country. This is no different from running a grocery store or gas station in the city you live in..
That's the perfect summary of the issue for DirectAdmin and that's why I think it's an interesting idea to try to sell this as a feature. It's not and it won't be.
Correct but the other way, don't buy from outside the EU. It's a choice you make not a choice someone else makes.
Just because it's legal in your country, it's not legal to export it like this.
I am not exporting anything to you. You have the right to put up a big moat and not expect anything but it your job to protect yourself.
That's it and it's the very same for any other resource/asset I might have missed/don't know about.
Well at least we agree here.
I think DirectAdmin has no native way to provide ToS, privacy policies, cookie banner, a way to report problematic ads, document this properly etc.
IMHO that's not on them, it is on you.

I love dialog. I do think you won't find a solution here as it's not EU created but hey, that's me.

None of my statements are DA's as I am just an American. To be clear I am for privacy. I think decentralizing the internet is great. I think we should boycott facebook, google, cloudflare dns and firefox. Have you looked a Key Help https://www.keyhelp.de/ ?
 
I do think you wont find a solution here as it not EU created but hey thats me.

Even if it's not about privacy, it's a bad idea for security reasons too so however you look at it, it's an issue and will become a major one. The DA team can delay this decision but I'm sure one day, they have to face this finally and make a decision.
 
Even if it's not about privacy, it's a bad idea for security reasons too so however you look at it, it's an issue and will become a major one. The DA team can delay this decision but I'm sure one day, they have to face this finally and make a decision.
I totally get that. The thing is you need to do what's right for you and what makes you sleep well at night. I don't think you are going to find all the documentation, changes and compliance here on your timetable. As you said they had 5 years to do something.... I like that you are giving them a fair shot but considering you're one of only 3-6 people I have ever heard talk about GDPR, let alone make this big of a deal over it, not sure you will be happy here. Have you checked Plesk? They have some of the best docs I have ever seen. Most of your posts are about GDPR, not related to how it looks, performs, and features. Seems like you are throwing out the baby with the bathwater but again not my call, it is all you.

I personally know beyond a shadow of a doubt people in the EU are some of the smartest and technically gifted on the planet. I could even call them out by name on this forum. I dont need to because they know me and know who they are. You all can make or produce anything to fit your Unions needs over there and it will be great. Heck the entire world might buy it.
 
I like you are giving them a fair shot but considering your one of only 3-6 people I have ever heard talk about gdpr let alone make this big of a deal over it.
That's right. Besides that, I'm quite sure many people won't or didn't choose DirectAdmin for reasons like this. The DA team will just not know it. Basically, this is the same as what happened to other software/companies, nothing special to DA.

Most all of you post are about GDPR not related to how it looks, performs, and features. Seems like you are throwing out the the baby with the bathwater but again not my call it is all you.
Well, privacy and security at the moment. Simply because I don't have to review all other if this isn't given. I mean, I love some stuff of DirectAdmin but it doesn't help me with this must-have and of course I will not move anything productive to DA without having this cleared, thus I won't invest too much time.

Heck the entire world might buy it.
I completely agree; on the other hand it's not about us providing new solutions to non-EU products. I'm very confident that we will see the same expectations/regulations coming in other countries, e. g. USA and China: There's a clear movement towards more security and privacy as we just saw how bad it went in the past 10 or 20 years with less complex technology. I'm quite sure we don't want to see the same happening again with more complex technologies with more devastating possible outcomes. Thus we don't have to build everything on our own.
 
Beside that I'm quite sure many people won't or didn't choose DirectAdmin for reasons like this. DA team will just not know it.
For sure.
I will not move anything productive to DA without having this cleared
If you are already on a more compliant platform why are you even looking.
us providing new solutions to non-EU products.
Right that is my point go make your own.
I'm very confident that we will see the same expectations/regulations coming in other countries.
True, but it won't fit the EU standard, the US standard, China's standard and on and on, so the EU will still need to create their own. Privacy is about protecting others from what is yours. So you won't ever be able to rely on another entity to provide that security. You will need to build your own castle, your own moat and get your own alligators. This is my point, you must protect you. Anything else is folly..

I'm quite sure we don't want to see the same happening again with more complex technologies with more devastating possible outcomes.
We destroy, ignore, put off, waste, and ruin a lot of stuff here on earth...Humans are a devastation. Some are good but on whole we only live about 90 years so it's hard to sweat the big stuff. :cool:
 
This is a form of tyranny by an outside government. If the EU citizen needs privacy they need to pick an EU company, that's the only sure way to be safe. Which goes back to my post
and is stated right here.
I don't agree with that totally. It's untrue and harsh to call this tyranny. It has nothing to do with tyranny.
It's complying with laws. If non-EU companies want to do business in the EU, they have to comply with EU laws, just as EU companies have to comply with US laws when they want to do business in the US.
If they don't want to comply with laws, they can't do business in the countries they want to do business with, goes for every country.
Privacy is not to protect others from what's yours, but to protect others from stealing or abusing your private data. And it's mostly setup because of the explosive rising abuse over the years and gathering private data to sell or abuse.

Next to that, it's also possible for non-EU companies selling via the internet to make a separate statement for EU customers, that the software is not compliant with EU GDPR (if that is indeed the case) and may not be used if they require GDPR to be fully respected. At least I think some clause might be lawfully correct, but I'm not sure.
Anyway, that's another discussion, so I won't discuss further on this place about this, but will follow the topic.

Still curious about what's the pagead2 from Google is doing in the Evo skin.
 