Privacy-compliant Embedding of YouTube?

Maximilian

One of the classic data protection traps is the embedding of YouTube videos on the corporate website.

It is commonly assumed that the data collection by YouTube/Google (yes, YouTube belongs to Google) does not concern the operator of the embedding website. In fact, embedding makes the operator an extended arm of, and a contributor to, a comprehensive data transfer to a US data collector.

The moment a video player is loaded on a website, personal data is transmitted to YouTube - usually before you have even clicked play.

Technically, the website that embeds the video instructs each visitor's browser to download, from the server reachable at www.youtube.com or www.youtube-nocookie.com, the resources the browser needs to display a player to the visitor. It just so happens that, at the same time, the visitor's browser is also asked to transmit some data of its own.

If you think that nothing can be transmitted as long as you don't type anything, you might want to take a look beneath the surface of your browser (anyone can do this with the "developer tools" available in every browser).

In fact, when loading a YouTube player, the browser transmits the following data in particular (the information actually transmitted by the website visitor has been replaced by explanations in capital letters):

{"videoId": "ID OF THE VIDEO BEING VIEWED",
"context":{
"client":{
"hl": "BROWSER LANGUAGE",
"gl": "COUNTRY",
"remoteHost": "IP ADDRESS",
"deviceMake": "MANUFACTURER OF THE USED END DEVICE",
"deviceModel": "MODEL OF THE USED END DEVICE",
"visitorData": "VISITORID",
"userAgent": "BROWSER USED BY VISITOR, TOGETHER WITH VERSION AND OPERATING SYSTEM USED",
"clientName": "PLAYER VARIANT USED",
"clientVersion": "VERSION OF THE PLAYER USED",
"osName": "USED OPERATING SYSTEM",
"osVersion": "VERSION OF THE USED OPERATING SYSTEM",
"originalUrl": "UPDATED YOUTUBE URL AND ENABLING PAGE",
"platform": "TYPE OF FINAL DEVICE",
"clientFormFactor": "SIZE OF THE END DEVICE USED",
"browserName": "BROWSER NAME AND VERSION",
"screenWidthPoints":WIDTH OF IMAGE DISPLAYED AT PLAYBACK TIME,
"screenHeightPoints":HEIGHT OF IMAGE DISPLAYED AT PLAYBACK TIME,
"screenPixelDensity":PIXEL DENSITY OF THE USED SCREEN,
"utcOffsetMinutes":TIME SHIFT AGAINST UTC,
"userInterfaceTheme": "DESIGN OF USER INTERFACE",
"connectionType": "TYPE OF INTERNET CONNECTION",
"timeZone": "TIMEZONE",
"playerType": "TYPE OF PLAYER",
"tvAppInfo":{
"livingRoomAppMode": "TV PLAYER MODE"},
"clientScreenNonce": "ID OF THE PLAYER"},
"adSignalsInfo":{ USER PARAMETERS FOR ADVERTISEMENT.
"params":[{"key": "dt", "value": "NUMBER SEQUENCE"},
{"key": "flash", "value": "0"},
{"key": "frm", "value": "2"},
{"key": "u_tz", "value": "120"},
{"key": "u_his", "value": "2"},
{"key": "u_java", "value": "false"},
{"key": "u_h", "value": "800"},
{"key": "u_w", "value": "1280"},
{"key": "u_ah", "value": "800"},
{"key": "u_aw", "value": "1280"},
{"key": "u_cd", "value": "24"},
{"key": "u_nplug", "value": "3"},
{"key": "u_nmime", "value": "4"},
{"key": "bc", "value": "31"},
{"key": "bih", "value": "- NUMBER SEQUENCE"},
{"key": "biw", "value": "- NUMBER SEQUENCE"},
{"key": "brdim", "value": "0,0,0,1280,0,1280,800,676,721"},
{"key": "vis", "value": "1"},
{"key": "wgl", "value": "true"},
{"key": "ca_type", "value": "image"}]},
"thirdParty":{"embedUrl": "ADDRESS OF EMBEDDING WEBSITE"}},
"playbackContext":{"contentPlaybackContext":{"html5Preference": "HTML5_PREF_WANTS",
"lactMilliseconds": "LATEST CONNECTION TO SERVER",
"referer": "REFERRING TO YOUTUBE",
"autoCaptionsDefaultOn":AUTOMATIC SUBTITLE SETTING,
"playerWidthPixels":WIDTH OF PLAYER IN PIXEL,
"playerHeightPixels":HEIGHT OF PLAYER IN PIXEL}},
"cpn": "UNIQUE ID OF PLAYER",
"captionParams":{SUBTITLEPARAM}}
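
To check what your own page sends, export the network log from the browser's developer tools as a HAR file and list every request that went to a YouTube host, together with the JSON fields in its body. The script below is an added example, not part of the original article; the sample HAR, its `/constructed/player` path and the function names are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

# Hosts the article names as serving the embedded player.
YOUTUBE_HOSTS = ("youtube.com", "youtube-nocookie.com")

def is_youtube(url):
    """True if the URL's host is a listed host or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in YOUTUBE_HOSTS)

def flatten(obj, prefix=""):
    """Yield the dotted key path of every leaf value in a decoded JSON body."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for item in obj:
            yield from flatten(item, prefix)
    elif prefix:
        yield prefix.rstrip(".")

def youtube_disclosures(har):
    """Map each request URL sent to a YouTube host to the JSON fields it carried."""
    report = {}
    for entry in har.get("log", {}).get("entries", []):
        request = entry.get("request", {})
        if not is_youtube(request.get("url", "")):
            continue
        text = (request.get("postData") or {}).get("text", "")
        try:
            body = json.loads(text) if text else {}
        except json.JSONDecodeError:
            body = {}  # non-JSON body; the request still disclosed IP and headers
        report.setdefault(request["url"], set()).update(flatten(body))
    return {url: sorted(paths) for url, paths in report.items()}

SAMPLE_HAR = {"log": {"entries": [  # constructed sample, reduced to the fields read here
    {"request": {"url": "https://example.org/landing"}},
    {"request": {"url": "https://www.youtube-nocookie.com/embed/VIDEO_ID"}},
    {"request": {"url": "https://www.youtube-nocookie.com/constructed/player",
                 "postData": {"text": json.dumps({
                     "videoId": "VIDEO_ID", "context": {
                         "client": {"hl": "de", "timeZone": "Europe/Berlin"},
                         "adSignalsInfo": {"params": [{"key": "u_h", "value": "800"}]},
                         "thirdParty": {"embedUrl": "https://example.org/landing"}}})}}},
]}}

if __name__ == "__main__":
    print(json.dumps(youtube_disclosures(SAMPLE_HAR), indent=2))
```

A request that appears with an empty field list still reached the YouTube host, so the visitor's IP address and request headers were disclosed even without a JSON body.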

In principle, the disclosure of the IP address, which is technically unavoidable when contacting YouTube's servers, is already sufficient to transmit a uniquely identifying piece of personal data to a U.S. recipient. Beyond that, however, YouTube, with the help of the operator of an embedding website, obtains a stockpile of further personal data that is more reminiscent of NSA methods than of supposedly "harmless" IT service providers.

Even a fraction of the data transmitted in this way enables YouTube/Google to perform so-called "fingerprinting," i.e., the unique identification of an individual user via individual characteristics that can be tapped in the course of his or her interaction with a server.

This method allows YouTube/Google to identify users without the use of cookies, which are now more or less obsolete in their universe.

Now, this transfer of personal data to a U.S. recipient is not that problematic from YouTube/Google's perspective. YouTube regards itself as a processor acting for the respective embedder, one that processes personal data only on the embedder's explicit instruction. Data that comes into YouTube's clutches as a result of embedding is thus processed on the explicit instructions of the embedder.

The buck thus stops with whoever embeds YouTube videos on their website. That party is responsible for the data transfers that take place in connection with the provision of the website. Unlawful transfers that are tolerated, or even actively caused, when the website is used make the website operator directly liable.