
The European Data Protection Supervisor (EDPS) has developed open source software tools for the automation of privacy and personal data protection inspections of websites. After a brief introduction, these EDPS tools allow laypersons to gather evidence on the personal data processing operations of websites using a reproducible, reliable, and fast method. No third-party cloud service is involved in gathering the evidence. The tools are self-contained and can be used in intranets without internet access.
The EDPS releases its tools under the European Union Public License (EUPL-1.2). The open software license allows experts to adapt the tools to their own needs. The EDPS welcomes any feedback and suggestions for improvements to be sent to: tech-privacy@edps.europa.eu.
Website Evidence Collector
The tool collects evidence of personal data processing, such as cookies, or requests to third parties. The collection parameters are configured ahead of the inspection and then collection is carried out automatically. The collected evidence, structured in a human- and machine-readable format (YAML and HTML), allows website controllers, data protection officers and end users to understand better which information is transferred and stored during a visit of a website, i.e. the consecutive loading of a number of web pages without giving consent or logging in.
The tool starts Chromium, i.e. a stripped down open source version of the Chrome browser, with a new user profile and loads all web pages included in the visit one after another with no further user interaction. During the visit, the tool collects amongst others:
- web page screenshots
- list with HTTP links from the entry web page, categorised by:
  - internal link (same website)
  - external link
  - link to social networks and collaboration services
- list of visited web pages
- information stored in HTML5 local storage (including the responsible web page and component causing processing)
- all cookies in the browser profile (including the responsible web page and component causing processing)
- the HTTP traffic between the browser and the Internet as HAR file, in particular:
  - list of requests identified by EasyPrivacy filter list to cause behaviour tracking (including the responsible web page)
  - list of requested first- and third-party hosts
- all messages exchanged via Web Sockets (alternative transmission method to HTTP requests)
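As an illustration of how a HAR file of the kind listed above can be post-processed into a list of first- and third-party hosts with the responsible web page, here is an added example; it is not code from the Website Evidence Collector. The function names, the sample HAR and the first-party rule (same hostname or a subdomain of it) are assumptions made for the example, as is the use of each page's `title` field as its URL.

```javascript
// Assumption for this example: "first party" means the site's own hostname
// or any subdomain of it. The collector's own rule may differ.
function isFirstParty(host, siteHost) {
  return host === siteHost || host.endsWith("." + siteHost);
}

function summariseHosts(har, siteHost) {
  // Map HAR page ids to the page URL (assumed to be stored in `title`).
  const pageUrl = new Map(har.log.pages.map((p) => [p.id, p.title]));
  const firstParty = new Set();
  const thirdParty = new Map(); // host -> Set of responsible page URLs
  for (const entry of har.log.entries) {
    let host;
    try {
      host = new URL(entry.request.url).hostname.toLowerCase();
    } catch {
      continue; // skip malformed URLs instead of aborting the summary
    }
    if (!host) continue; // data: and blob: URLs carry no host
    if (isFirstParty(host, siteHost)) {
      firstParty.add(host);
    } else {
      if (!thirdParty.has(host)) thirdParty.set(host, new Set());
      thirdParty.get(host).add(pageUrl.get(entry.pageref) ?? "(unknown page)");
    }
  }
  return {
    firstParty: [...firstParty].sort(),
    thirdParty: Object.fromEntries(
      [...thirdParty].sort(([a], [b]) => a.localeCompare(b))
        .map(([h, pages]) => [h, [...pages].sort()])),
  };
}

// Constructed sample HAR (not real traffic).
const sampleHar = { log: { version: "1.2",
  pages: [{ id: "page_1", title: "https://example.org/" },
          { id: "page_2", title: "https://example.org/contact" }],
  entries: [
    { pageref: "page_1", request: { url: "https://example.org/" } },
    { pageref: "page_1", request: { url: "https://static.example.org/app.js" } },
    { pageref: "page_1", request: { url: "https://tracker.example.net/pixel.gif?id=1" } },
    { pageref: "page_2", request: { url: "https://tracker.example.net/pixel.gif?id=1" } },
    { pageref: "page_2", request: { url: "https://notexample.org/font.woff2" } },
    { pageref: "page_2", request: { url: "data:image/png;base64,AAAA" } },
  ] } };

console.log(JSON.stringify(summariseHosts(sampleHar, "example.org"), null, 2));
```

Note that `notexample.org` is reported as third party: a plain suffix match on `example.org` without the leading dot would wrongly count it as first party.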
Compatibility and Installation
The Website Evidence Collector should be compatible with Windows, macOS, Linux and all platforms that support Node.js and Chromium. However, the EDPS has run the Website Evidence Collector only on Linux and macOS. For an installation on macOS and Linux without administrator privileges, please follow our advice in the FAQ on code.europa.eu.
To use the tool, you can either install it directly using Node.js and the Node.js package manager (NPM), or you can use the provided container image with tools such as docker or podman. Tutorials for both approaches are provided on our dedicated code.europa.eu page.
Please read carefully the EUPL licensing conditions. As stipulated in its Section 7, the EDPS provides this tool on an ‘as is’ basis and without warranties of any kind, including fitness for a particular purpose, absence of defects or errors, or accuracy.
Bug Reporting
Issues can be reported on code.europa.eu/EDPS/website-evidence-collector/issues.
WEC Online
WEC Online builds on the Website Evidence Collector (WEC) as a multi-user web application that provides a user-friendly interface. It is designed to be deployed centrally by an organisation and made accessible to its members. It maintains all the features of the original WEC while making them accessible to non-technical users.
The source code of WEC Online as well as detailed installation and configuration instructions are available on code.europa.eu.
Please read carefully the EUPL licensing conditions. As stipulated in its Section 7, the EDPS provides this tool on an ‘as is’ basis and without warranties of any kind, including fitness for a particular purpose, absence of defects or errors, or accuracy.
Bug Reporting
Issues can be reported on code.europa.eu/EDPS/wec-online/issues.