Quarto and the European Union General Data Protection Regulation (GDPR)

[bam098]

I'm new to Quarto and I would like to set up my personal website (incl. blog) using Quarto. However, I still have a question before setting up the website: Does Quarto make any requests to external services? Does Quarto comply to the European Union General Data Protection Regulation (GDPR)?

I just wonder about that, because in Germany there have been cases where several websites used the Google Fonts service and apparently this violated the European Union General Data Protection Regulation (GDPR)? https://en.wikipedia.org/wiki/Google_Fonts#Privacy_issues

I'm not sure if this is not the right place to ask this kind of question. If it is not, I apologize. I just didn't know where else to ask it.

[mcanouil]

It will mostly depends on what you do with Quarto.
Quarto uses seveal open source "tools", listed in https://quarto.org/license.html

It is my belief that Quarto in its default setup does not violate the GDPR, but I might be wrong.

Regarding Google Font, you can download them, and use your local copy.

[declann]

Hi,

The Observable runtime is liable to make CDN calls. Some observations I've noted:

• qmd file with only markdown: no ojs cells (nor Julia/other which I amn't using so far): everything in my webpage served locally
• qmd file with a simple {qjs} cell doing 2+2: everything served locally
• qmd file with _.range(0,10): results in a call to jsdelivr to load lodash

Imports from observablehq unsurprisingly lead to calls to api.observablehq.com. They can be mitigated by hosting locally and loading using FileAttachments (confirm rights with license. I think this approach is OK from OHQ terms but I might be wrong). A quarto process for this would be smoother than a manual process.

+It would be better if lodash, and other things that might be fetched from the runtime, can be served locally - for performance and privacy reasons - or at least for this option to be available? Observable runtime appears to be quite flexible to make this possible.

(Performance is actually big here despite cache, see my comments in #5411)

Finally, there are other cases where I noticed calls to Google Fonts: where at render time I wasn't connected to the internet, so it wasn't possible to download theme fonts locally during the render process, so a link was included. I didn't look for warnings in the CLI output, but my conclusion is if you want to understand how your Quarto site is behaving to make compliance decisions and to write your privacy policy accurately then I think you need to check how its behaving in practice.

edit: to not leave this comment on a negative note, we can clearly remote this requirement in relation to the issues noted with development that doesn't seem very major. I think its consistent with how Quarto wants to behave, if we agree on that then I think it becomes a matter of logging some issues and if issues aren't addressed then noting known behavior in the documentation (which is exceptional quality).

edit2: alternatively, only note Quartos known behavior, to facilitate compliance and privacy policy work

Regards,
Declan

[dragonstyle]

Those are both supporting MathJax. I expect us to use this approach when rendering a self-contained or embed-resources HTML document which includes Math. The JS files are quite large, so we link to external sources to reduce the download size of the generated HTML document. You can control this using self-contained-math: false.

If you're seeing this in other circumstances, it would be good to know about because I'm not 100% sure why they would be there.

[declann]

Thanks for the response, I'll note here if I notice this again in my own use of Quarto.

Do existing options allow me to use a local copy of MathJax? I didn't find something.

Since my website doesn't use MathJax & it isn't included in other pages, right now I'm manually commenting the MathJax/polyfill tags that the listing feature generates, you can see this here:

https://models-on-a-plane.pages.dev/stories/

The website functions incl. listing function works as I intended & without unintentional remote resources & without MathJax - so it's not clear to me why the listing function loads them at all!

Do you know if the polyfill requirement is tied to MathJax, or tied to the listing feature? My guess is its tied to listing, to support some old browsers, and could be slightly more difficult to serve locally.

Overall, unless I'm missing something I think Quarto is missing an option to serve local resources instead of remote ones. This is genuinely a little complicated for OJS (I have a hacky workaround I can note separately in due course), but the problem is wider than that. I think there is a Google Fonts issue also (see https://cbrnr.github.io/blog/removing-google-fonts/ ).

[dragonstyle]

The polyfill is also required for MathJax - the listings feature is actually just enabling Math rendering since it doesn't 'know' what the contents of descriptions will be and whether math rendering will be required. I don't see a way to control this explicitly (either as an HTML option or for listings specifically). Both would make nice enhancements.

[declann]

The behaviour makes a lot of sense to me now, thanks!

[declann]

Just to note a new one, I've started to use Python cells and when I call ojs_define require.js and jquery scripts via cloudflare CDN are added to HTML output.

edit: Also, they don't appear to be used; I can comment out without any impact.

[declann]

Does Quarto make any requests to external services?

In very common cases yes. I'd make the following Quarto suggestions to improve user experience and facilitate flexibility:

• an option for locally-served Google Fonts
• an option for locally-served math resources (alt. or a single option for both of these)
  • incl. the polyfill.io dependency - which is a dynamic response from an external service, but maybe some static local asset will work
• for OJS, control over CDN references (hard to complete a good user experience here)

+There are probably other areas where Quarto makes remote calls I haven't encountered/understood yet.

Does Quarto comply to the European Union General Data Protection Regulation (GDPR)?

Interpretation and IANAL but this is really each websites responsibility I think?

There isn't something inherently wrong with using Google Fonts, but there are obligations about consent, etc. (but again I am not a lawyer)

However, IMO Quarto should help users understand how generated websites work in terms of resources, and can be better at this.

[lerchchr]

Old question, but very similar topic:
Webkoll gives for Quarto this report. Using localStorage is similar to cookies. Is there a way to avoid this with Quarto?

[cderv]

Thanks for sharing this report. We'll have a look. Regarding your question about localStorage, it is used in Quarto only to store grouped tab so that all tabset on the page are switched together. Code is here:

quarto-cli/src/resources/formats/html/quarto.js

Lines 803 to 894 in 555a4d1

	// grouped tabsets
	window.addEventListener("pageshow", (_event) => {
	function getTabSettings() {
	const data = localStorage.getItem("quarto-persistent-tabsets-data");
	if (!data) {
	localStorage.setItem("quarto-persistent-tabsets-data", "{}");
	return {};
	}
	if (data) {
	return JSON.parse(data);
	}
	}
	function setTabSettings(data) {
	localStorage.setItem(
	"quarto-persistent-tabsets-data",
	JSON.stringify(data)
	);
	}
	function setTabState(groupName, groupValue) {
	const data = getTabSettings();
	data[groupName] = groupValue;
	setTabSettings(data);
	}
	function toggleTab(tab, active) {
	const tabPanelId = tab.getAttribute("aria-controls");
	const tabPanel = document.getElementById(tabPanelId);
	if (active) {
	tab.classList.add("active");
	tabPanel.classList.add("active");
	} else {
	tab.classList.remove("active");
	tabPanel.classList.remove("active");
	}
	}
	function toggleAll(selectedGroup, selectorsToSync) {
	for (const [thisGroup, tabs] of Object.entries(selectorsToSync)) {
	const active = selectedGroup === thisGroup;
	for (const tab of tabs) {
	toggleTab(tab, active);
	}
	}
	}
	function findSelectorsToSyncByLanguage() {
	const result = {};
	const tabs = Array.from(
	document.querySelectorAll(`div[data-group] a[id^='tabset-']`)
	);
	for (const item of tabs) {
	const div = item.parentElement.parentElement.parentElement;
	const group = div.getAttribute("data-group");
	if (!result[group]) {
	result[group] = {};
	}
	const selectorsToSync = result[group];
	const value = item.innerHTML;
	if (!selectorsToSync[value]) {
	selectorsToSync[value] = [];
	}
	selectorsToSync[value].push(item);
	}
	return result;
	}
	function setupSelectorSync() {
	const selectorsToSync = findSelectorsToSyncByLanguage();
	Object.entries(selectorsToSync).forEach(([group, tabSetsByValue]) => {
	Object.entries(tabSetsByValue).forEach(([value, items]) => {
	items.forEach((item) => {
	item.addEventListener("click", (_event) => {
	setTabState(group, value);
	toggleAll(value, selectorsToSync[group]);
	});
	});
	});
	});
	return selectorsToSync;
	}
	const selectorsToSync = setupSelectorSync();
	for (const [group, selectedName] of Object.entries(getTabSettings())) {
	const selectors = selectorsToSync[group];
	// it's possible that stale state gives us empty selections, so we explicitly check here.
	if (selectors) {
	toggleAll(selectedName, selectors);
	}
	}
	});

I don't think this is really a concern regarding GDPR so that you need to avoid this. Though if you don't use group tabset than localStorage won't be used.

It is not reported by your report but we also use it for storing color scheme value.

quarto-cli/src/resources/formats/html/templates/quarto-html.ejs

Lines 146 to 154 in 555a4d1

	const setStyleSentinel = (alternate) => {
	const value = alternate ? "alternate" : "default";
	if (!isFileUrl()) {
	window.localStorage.setItem("quarto-color-scheme", value);
	} else {
	localAlternateSentinel = value;
	}
	}

Same - I don't think this is a concern regarding GDPR either.

Thanks a again for the question.

[lerchchr]

Thanks for the swift reply. I agree there should be no concern regarding GDPR in terms of the content of localStorage - it could be different form a more legal point of view.
Technically, I stumpled upon this:
If I use grouped tabs, the content of the localStorage "quarto-persistent-tabsets-data" is as expected, e.g. {"language":"Python"} (see screenshot 1)
.

But if I don't use (grouped) tabs, "quarto-persistent-tabsets-data" is still stored without any content, ie {} (see screenshot 2)

Why should it be necessary the store "quarto-persistent-tabsets-data" if there are no (grouped) tabs without any content?