embed more social media platforms besides twitter + telegram #16

Closed
msramalho opened this issue Mar 28, 2022 · 20 comments
@msramalho
Contributor

Although Twitter and Telegram represent the vast majority of sources we have for the events, there are a few other platforms for which we would like to add embed support, namely:

current embeds are used here

@msramalho msramalho added enhancement New feature or request good first issue Good for newcomers labels Mar 28, 2022
@fspoettel
Contributor

I would like to work on this in the coming days. @msramalho can you assign me the issue?

@ohcnivek

ohcnivek commented Apr 6, 2022

I'd also like to help out!

@fspoettel
Contributor

Awesome, should we split up the work? I could take care of insta?

@msramalho
Contributor Author

Thanks for the interest in this one!

@fspoettel go for insta.

As for the youtube one, I'd say first to declare here can go ahead (just so there's not duplication of work), but @fspoettel feel free to give @ohcnivek a couple of days in case he wants to give it a go since he's a potential new contributor here (👋) and this is a good first issue.

@fspoettel
Contributor

sounds like a plan, thanks!

@ohcnivek

ohcnivek commented Apr 6, 2022

it's my first time here! will try my best & follow up here if I need help 😄

@fspoettel
Contributor

fspoettel commented Apr 7, 2022

I reviewed above instagram plugin and there is a major problem: it calls an /oembed endpoint on the FB Graph API to retrieve the embed html. afaict, these limitations are present for any approach that resolves an embed via the official API.

In order to call this endpoint, we need:

  1. a FB API application and a client access token for the Graph API.
  2. a manual review of our "app" from Facebook to get that token ‼️


I'm really confused how they plan to review the implementation before giving us a token to actually make it work. Also not sure how we can supply them with a review link as our app does not support deep-linking.


Embedding individual instagram posts via the embed button in Instagram is not a problem as it calls the oauth endpoint for the user when creating the embed, so no access token is required. It might be possible to "hardcode" this embed code and thereby circumvent calling the graph api in the first place. This could be brittle depending on how often this API changes.

@fspoettel
Contributor

@msramalho does bellingcat have a facebook graph application with required scopes already by any chance?

@msramalho
Contributor Author

I'd prefer to avoid using the graph API with credentials, and going for the 2nd option, even though from what I understand visitors not logged in to instagram will not see the post (?)

@fspoettel
Contributor

fspoettel commented Apr 7, 2022

> I'd prefer to avoid using the graph API with credentials, and going for the 2nd option

Yes, I agree - it's nuts that Facebook hides this behind a very restricted api scope.

> even though from what I understand visitors not logged in to instagram will not see the post (?)

If Facebook allows us to construct an embed string manually w/o first calling the oembed API, then everyone should be able to see these embeds. The main ❓ is whether or not Facebook requires a call to the oembed API before it allows displaying a given post as an embed. I need to test it to give a definite answer. I hope (and would expect) that any public post can be embedded in this fashion.

@fspoettel
Contributor

Just tested it and it appears they don't - we should be able to embed any public post in this fashion. I'll go forward with the 2nd option.

@msramalho
Contributor Author

Thanks for looking into it, happy it works as we wanted.

@ZLester
Contributor

ZLester commented Apr 11, 2022

Also interested in assisting if there are any more embeds that need to be done.

@msramalho
Contributor Author

Following up on the discussion in PR #39 I am indeed concerned if some of these embeddings need to bring in scripts from 3rd parties and especially those with tracking capabilities. I would like to encourage some more discussion on that here, but the simplest way that already allows users access to all links is a simple button that redirects to the original post.
Happy to hear your thoughts @fspoettel and @wattroll

@fspoettel
Contributor

fspoettel commented Apr 12, 2022

From a GDPR (and privacy) perspective, an iframe is as bad as a script embed. There is no real difference, both can track and both require consent and a privacy policy.
Scripts running on the page are not sandboxed to the frame though (which is worse).

@fspoettel
Contributor

fspoettel commented Apr 12, 2022

Personally, I think these embeds add a lot of value to the map as less context switching is required to assess events. It would be great to have a toggle "Show Embeds" in the source panel that converts "plain" links to real embeds so that 3rd party content (iframes and scripts) is only loaded on user request.

As mentioned in the Insta PR, their embed is a styled placeholder link until the script loads (=could be put behind consent) so this might be one way to go UX-wise.

@msramalho
Contributor Author

I also agree that the previews add a lot of value to the map and that if they are not shown by default users might have a worse experience (knowing the toggle exists + using it is not straightforward), but I am not a fan of injecting scripts outside iframes.

As for privacy/gdpr concerns, I'm curious whether we could have some additional message on the intro panel that would cover that or if it actually requires something like an "accept" button.
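The "Show Embeds" toggle and the iframe-only preference from the comments above, as an added example that is not part of the thread or the project's code: third-party content is requested only after opt-in, and only as a sandboxed iframe. The provider table (Telegram's `?embed=1` widget URL, YouTube's `youtube-nocookie.com` domain), the sandbox flags and all function names are assumptions for illustration.

```javascript
// Added example, not project code. Provider table is an assumption:
// Telegram's "?embed=1" widget URL and YouTube's no-cookie embed domain.
const PROVIDERS = {
  "t.me": (u) => {
    const m = /^\/([A-Za-z0-9_]{5,32})\/(\d+)$/.exec(u.pathname);
    return m ? `https://t.me/${m[1]}/${m[2]}?embed=1` : null;
  },
  "www.youtube.com": (u) => {
    const id = u.searchParams.get("v") || "";
    return /^[A-Za-z0-9_-]{11}$/.test(id)
      ? `https://www.youtube-nocookie.com/embed/${id}` : null;
  },
};

const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Parse a URL and accept it only if its scheme is in the allowed list.
function parseUrl(raw, schemes) {
  try {
    const u = new URL(raw);
    return schemes.includes(u.protocol) ? u : null;
  } catch {
    return null;
  }
}

// Map a source link to an iframe src. Returns null unless the link is https,
// on the allowlist, and matches the expected shape. The src is rebuilt from
// validated parts, so nothing else from the input URL is carried over.
function resolveEmbed(sourceUrl) {
  const u = parseUrl(sourceUrl, ["https:"]);
  if (!u || !Object.prototype.hasOwnProperty.call(PROVIDERS, u.hostname)) return null;
  return PROVIDERS[u.hostname](u);
}

// Render one source entry. Without opt-in only a plain outbound link is
// emitted, so no third-party request happens. With opt-in the embed is an
// iframe (its scripts stay inside the frame), never a script on our page.
function renderSource(sourceUrl, showEmbeds) {
  if (!parseUrl(sourceUrl, ["http:", "https:"])) return escapeHtml(sourceUrl);
  const link = `<a href="${escapeHtml(sourceUrl)}" target="_blank" ` +
    `rel="noopener noreferrer">Open original post</a>`;
  const src = showEmbeds ? resolveEmbed(sourceUrl) : null;
  if (!src) return link;
  return `<iframe src="${escapeHtml(src)}" referrerpolicy="no-referrer" ` +
    `sandbox="allow-scripts allow-same-origin allow-popups" loading="lazy">` +
    `</iframe>${link}`;
}
```

Links that do not resolve to a known provider fall back to the plain "Open original post" link, which matches the redirect button suggested earlier in the thread.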

@fspoettel
Contributor

Alright, I'll close the PR then - I don't think there's a way to embed instagram in an iframe. It would be great to document expectations like this so people don't waste their time.

@fspoettel
Contributor

fspoettel commented Apr 13, 2022

As for GDPR:

  • You need explicit consent if the underlying iframe sets cookies. Some embeds have a noCookie param or domain in which case you don't. Telegram and Twitter both set cookies so you need consent here.
  • All external data connections need to be documented in a privacy policy. Anything making a connection to a service not owned by Bellingcat would need to be documented here. This includes stuff like Google Fonts (yes, really). This also includes 3rd party iframe embeds that do not set cookies as they might still log a user's IP.

The use of the injected Google TagManager script w/o consent is a direct violation of GDPR as well.

@msramalho
Contributor Author

Hi @fspoettel thanks for being so thorough, we will take these into account and try to fix it soon.
And apologies for blocking your instagram contribution for now, I know that's not a pleasant contributor experience.

@msramalho msramalho self-assigned this Apr 9, 2024