> The defendant is sentenced to pay the plaintiff €100.00
> The plaintiff has a claim against the defendant to refrain from passing on the plaintiff's IP addresses to Google under Section 823 (1) in conjunction with Section 1004 of the German Civil Code.
> It is undisputed that the plaintiff's IP address was forwarded to Google when the plaintiff visited the defendant's website.
Why "what the hell"? This is exactly what happened, and a logical consequence the moment IP addresses are classified as private data. Which it is in a system where it can be used to find the civil identity of the user, which is the case in Germany via Vorratsdatenspeicherung and the rampant misuse of the legal system.
Note how the decision contains the question of whether leaking the IP was necessary. They noted it is not necessary to serve the fonts via Google, it can happen without leaking the IP (I assume they mean self-hosting):
> Google Fonts kann durch die Beklagte auch genutzt werden, ohne dass beim Aufruf der Webseite eine Verbindung zu einem Google-Server hergestellt wird und eine Übertragung der IP-Adresse der Webseitennutzer an Google stattfindet.
translated:
> Google fonts can be used by the defendant in a different way, so that a connection to the website does not make a connection to the Google server, thus without transmitting the IP address of the website visitor to Google.
Which is good news! It is a totally consistent decision with the current privacy rules and best practices: Do not save or leak private data if not necessary, always minimize data exposure as much as possible. The as much as possible part is very important - if there is no way to embed Youtube videos without leaking the address, then that's still possible to do. Sounds fair to me.
This case is about IP address exposure, not cookies. This would still happen. So everyone showing youtube videos would be affected unless users also start agreeing to IP exposure… this could probably be avoided by extending the sites terms.
I see quite a few web pages in Germany that do not load JavaScript or any other content from YouTube,Twitter, Facebook until you explicitly opt in. Basically, the content is replaced by a placeholder saying “click here to load external content from.” - it’s technically not very hard to do so, and I quite like it. I don’t need to be tracked by any of those entities everywhere I go. Tracking and creating profiles is one of the large problems of Facebook like buttons and similar.
> this could probably be avoided by extending the sites terms.
Reading the judgement, I don’t think so. Consent is required before exposing the IP address and is must be explicitly given. Terms can help in cases where there is a technical requirement, for example “if you want to watch this embedded video, you must consent to this”, but they won’t save you when you just embed.
> it’s technically not very hard to do so, and I quite like it
For the average user, it's yet another thing to click without thinking, just to be able to visit a page.
> Consent is required before exposing the IP address and is must be explicitly given
There's the crux of the problem, it's difficult to know what to consent for without first displaying the website, so you implicitly give consent for "just the bare minimum", until you accept the rest. This sounds great, but is both an absolute nightmare for website developers (it's not very easy to do, with how the internet was designed, inline scripts, fonts, CDN stylesheets) and for "most" end-users who just expect good defaults and don't want to sign a consent form every time they visit a website.
> > it’s technically not very hard to do so, and I quite like it
> For the average user, it's yet another thing to click without thinking, just to be able to visit a page.
And yet, they’re still protected: They’ll click on the video when they want to watch the video, load the like button when they want to like, the tweet button when they want to tweet. And all the other times when they visit a website that offers any of this functionality, no data is transmitted to YouTube, Facebook, Twitter.
> This sounds great, but is both an absolute nightmare for website developers (it's not very easy to do, with how the internet was designed, inline scripts, fonts, CDN stylesheets
There is no need to ask for consent for every Stylesheet you load from a CDN. You’re allowed to use cloudflare, cloudfront, fastly,… - they’ll all provide the required DPA that allows you to use them without consent. You need to be careful when it comes to things like like-buttons etc. that get loaded from places that use them to create user profiles for non-consenting users. Yes, that’s hard. But the culprits are the entities that siphon up every bit of data. Direct your ire there.
> There is no need to ask for consent for every Stylesheet you load from a CDN. You’re allowed to use cloudflare, cloudfront, fastly,… - they’ll all provide the required DPA that allows you to use them without consent.
And Google doesn't? (Honest questions)
On first look serving a font from Google and a stylesheet from Cloudflare seem very, very similar things.
The primary difference is that you usually have a contract with cloudflare that they host and serve your data on your behalf. A DPA would usually be part of the contract. Cloudflare also doesn’t mine the IP addresses that they gather as part of their operations to build advertising profiles.
AFAIK google fonts does not require any contract. Google could certainly offer a contract, a DPA, etc., assert that they are subject to the GDPR and waive processing of the data they gather from operating google fonts as a service.
I think these are the wrong solutions. What they're trying to do is to desperately hold on to doing "business as usual". Just now with a CYA fig leaf, and do I detect a hint of possibly a dash of malicious compliance?
What the EU actually wants to accomplish is to set a standard where people do business in a different (safer/higher quality/more ethical) way[1]; which many believe is both better for consumers and for business.
I wouldn't be surprised if a next round of regulations were to explicitly target (actual or perceived) malicious compliance.
My recommendation would be to find other ways of achieving your technical/advertising objectives that minimize the touching of peoples PII.
[1] This is not unusual, the EU originated as the European Economic [Community/Union], and the regulating of safety, quality and ethics standards between businesses and trading countries has been in their bailiwick for a long time (as behooves a trade treaty organization). Not all kinds of regulation are bad for commerce. This kind promotes fair competition and interoperability, while preventing races to the bottom and tragedies of the commons.
Strong disagree. This is more to me like Germany having jack all of a tech sector and trying their hardest to drag the rest of the world to their level.
When everybody would use it, and ISPs would sell access, that could help the users to regain control over their data, and make privacy on the internet finally first class.
> So everyone showing youtube videos would be affected unless users also start agreeing to IP exposure
Yes, and that's a good thing! A web page should only communicate with the server i've reached, there should be zero third-party involved unless i explicitly consent.
That for example <img> tag can use an arbitrary URL is explained by the fact that back in the day storage/bandwidth was expensive. The same is true for video to this day, but i guess it's good that heavy-to-load content is click-to-play.
Are you sure about the „explicitly“ part? I think it in certain cases, implicit consent should be enough, e.g. when a payment processor is contacted from a website. Even if you were running your own payment gateway, the user of your shop should be aware that the website will have to share information with their bank or credit card company. I think sharing data with third parties should not be easier than offline, but also not harder. Or do you sign a consent form each time you swipe your CC?
You are correct. However me simply visiting a homepage (service) does not require communicating my data to third parties, and doing so is not in the legitimate interest of any of the first parties involved. In this case it would fall under the obligation of explicit content.
The GDPR does not require consent for everything. It allows processing data that’s required to provide the desired functionality and payment processors would be covered (IANAL, to take with a grain of salt) You’d still need to mention that in the pages privacy policy, but other than that you should be fine, as long as you have the proper paperwork in place (DPA,…) and the payment processor is themselves GDPR compliant.
I find that hard to understand.
What server have you reached? Many sites are designed to be hosted by many servers at the same time.
Sites hosted on Amazon are moved around depending on load and your location.
Often you'll get part of the site from server X other bits from server Y.. images and css from an asset server and api data from one of many app servers.
You are correct. I just don't think that's a reasonable state of affairs. If that was part of a p2p model (eg. torrent/IPFS) it could be considered a reasonable tradeoff to allow for more eco-friendly (shorter routes, no need for high-powered servers) retrieval scheme.
Hyperlinks are the foundation of the web. However, when we started loading resources (eg. images) from third parties due to high bandwidth/disk cost, we opened a Pandora's box which i believe does more harm than good.
IP information will still be sent to Google, and a notice would have to put up before.
Easiest way to deal with this is to self-host the videos. Most people over-estimate how popular their websites are, and for the ones who don't, getting a dedicated instance with unmetered bandwidth is trivial to get and setup for video-hosting.
It is not in any way trivial to self-host video these days.
In the past when video was a novelty and no one had any real expectation of performance or quality, it didn’t matter much because expectations were low.
But so much work has been done since on reliability/performance/network efficiency and very few products can provide that. Without that work, people will think your player is broken, you will waste mobile traffic, etc. Even Reddit can’t get it right and they are a top 10 website.
Unmetered is often means 1 Gbit. With 4K video that means less than 100 streams. It may work, but the moment the video is shared among friends the site can be in trouble.
Plus YouTube handles all re-encoding and adjust the quality based on the speed and device.
It is possible to do it with open-source components, but it requires a server farm and just not feasible using single cheap private server or VPS.
> and adjust the quality based on the speed and device.
Now if only browsers would implement native HLS and/or DASH support then every site could have this without having to package a bunch of JS with different quirks of reach site.
Of course, it is not really in Google's interest to help YouTube competitors so this is unlikely to happen for Chrome.
> Easiest way to deal with this is to self-host the videos.
For most videos, this would be a copyright violation. i.e. there are now two laws which prevent reasonable technological solutions, making it harder for most people to host and produce content - favoring the already heavily advantaged big companies.
Good. It's about time we took a hard damn look at the ludicrous mockery of common sense that copyright has made of things. Maybe people will start to appreciate the freedom to create once they realize that $industry has made it nogh impossible to do anything without getting sued.
The solution to bad law is not to ignore it, it's to follow it to the letter, every time. Only then will people sit up take notice, and weigh the tradeoffs. In particular, we've let industry run away with far too much of the public's right to do things.
The part I find hard to understand is how you decide whether it is a necessity to load external content.
For example, say I want to embed an instagram post on my website. You could argue that I should talk to the person who took the picture and get a license for the image so that I can host i on my own domain rather than loading the content for instagram. In practice this is obviously much, much more cumbersome than embedding the IG post and so would result in huge changes how websites work (by vastly reducing any externally loaded content).
In a similar vein, you could argue that serving cached content from another host is not strictly necessary. Why not just run your own caching servers? It's probably worse in most ways (my cache server << cloudflare's cache server), but if minimising the amount of content loaded from external hosts is your aim then it is feasible.
> For example, say I want to embed an instagram post on my website.
In that case, you could:
a) get a license (your suggestion),
b) link but not embed Instagram pages, or
c) embed in such a way that it shows a user-controlled notification that opening the embed will connect to Instagram and as a consequence sends data to Meta.
And indeed, some websites use c) without any problem, they even integrate it into the cookie popup. BBC even steps it up: all of their Twitter citations are screencapped and linked instead of other websites just embedding Twitter (in their defense, they can say that this is to preserve the context in case that the user subsequently deleted the post).
> c) embed in such a way that it shows a user-controlled notification that opening the embed will connect to Instagram and as a consequence sends data to Meta.
This is how we arrive at cookie popups and annoying "you're leaving our website" notifications. I posit that perhaps both of these could be a feature of HTTP protocol and the browsers - i.e. a browser could just display a small standard icon in its UI notifying user that he's consenting to cookies, and another one notifying him that he's being redirected outside of the domain he's in, The user could then configure the browser to auto-accept or auto-deny such attempts, review all the consents he's given earlier etc. - all in all, it would result in much better UX.
Google has probably not proposed and implemented something like this in Chrome already only because it would actually improve privacy and that's obviously not in their interest. Which proves that de facto giving up Web standards to the commercial entity was never a good idea. If the EU was better at execution, they would mandate something like this as the law, instead of the current requirements which can be met by just spamming users with popups no one reads.
The "annoying" popups is also how you end up with businesses like plausible analytics that provide analytics, but don't require the popup, because they dont store the information that causes the popup to be required.
We were not better off 15 years ago. We were just blissfully unaware of the problem of large-scale PII collection that was already metastasizing in the shadows.
Imagine a kind of decision square. Rows are "consciously" and "unconsciously", Columns are PII collection, and privacy (no PII collection) .
This gives us a list of 4 possible scenarios (from least to most desirable).
1. unconscious privacy, 2. unconscious PII collection , 3. conscious PII collection, 4. conscious privacy
In detail (least to most desirable situation)
Box 1: Early internet everyone had unconscious privacy. No one was collecting PII, and no one was aware of it.
Box 2: Early 21st century, people started collecting PII at an ever increasing (and frankly alarming) rate. You may have encountered tall tales where people got sent baby advertisements before they themselves even knew they were pregnant.
Box 3: The goal of the GDPR, shine a light on the situation and make everyone conscious that there is a problem; and unveil the extent.
Box 4 (future): fix the underlying problem.
GDPR already addresses box 4 a little bit. Just by shining a light on these practices, some of the slightly shady bits at the edges are already solved.
Now that the situation is visible and known, we can take further political steps at mitigation.
> Early 21st century, people started collecting PII at an ever increasing (and frankly alarming) rate. You may have encountered tall tales where people got sent baby advertisements before they themselves even knew they were pregnant.
What's disheartening is that in physical stores, this already started happening in the '90s, mainly for analysis of loyalty programs' data.
> i.e. a browser could just display a small standard icon in its UI notifying user that he's consenting to cookies
If you need to notify the user that he is "giving consent" then there is no consent.
> and another one notifying him that he's being redirected outside of the domain he's in
There is rarely a reason to redirect to other domains. The most common case is making outbound links go through a redirect for tracking purposes - and that I won't miss.
>> and another one notifying him that he's being redirected outside of the domain he's in
> There is rarely a reason to redirect to other domains. The most common case is making outbound links go through a redirect for tracking purposes - and that I won't miss.
You misunderstand this part, which is forgivable if you're outside Germany. This is about the mandatory "You're leaving X, we do not have control on their data collection or endorse this site's contents. Do you want to continue?" you'll see on German-language website because a court in Hamburg says that they're implicitly liable if they didn't state that.
c) is very popular among various German websites I frequent. Instead of the embedded content there is a blank area and you can consent with one click to send your data to $service which will then load the embedded content. Sometimes it also includes a direct link so you can open the embedded content in whichever way you like. I don't find this to intrusive or annoying, especially since the website can save your choice for later and can choose to never ask you again.
Or in Instagram’s case for me, you read the article and see a strange mess with empty holes today, because your IP address hasn’t logged into any Meta properties in the past year and so Instagram won’t serve you embeds anymore.
I agree that this is a big danger. When this thinking is taken too far you have an easy weapon in hand to destroy websites of your competition, the result would be having no websites in Germany anymore. But so far I've only seen clear-cut cases as this - that Google Fonts is not a valid option has been obvious since the DSGVO, maybe longer. So I refuse to be concerned and trust in a honest best effort approach (I host websites in Germany, there is always risk in that).
The website tried to rely on legitimate interest as the legal basis for processing the data, and that precisely requires a balancing test between the interests of the website host and the interests of the data subject.
If you want to make sure that you're not getting the balancing test wrong, you can always go for the legal basis of last resort: consent. Just ask the user whether you can load content from Instagram and only do it if they agree. In fact, since in parallel to the question of your legal basis under GDPR, you also have to comply with the cookie provision from the e-Privacy Directive, where there is no "legitimate interest" exception to the requirement to ask for consent, you will have to ask for consent anyway (as Instagram embeds place cookies).
> In fact, since in parallel to the question of your legal basis under GDPR, you also have to comply with the cookie provision from the e-Privacy Directive, where there is no "legitimate interest" exception to the requirement to ask for consent, you will have to ask for consent anyway (as Instagram embeds place cookies).
I don't think that's true. The cookie provision is misunderstood when you think you have to ask for consent for functional cookies. Follows from the GDPR, and there is no specific cookie law actually implemented in european countries. See also https://gdpr.eu/cookies/. Ah, but maybe I misunderstood and you are only talking about the cookie set by the embed?
It is not true that "functional" cookies are generally exempt from the consent requirement. What is concretely exempt are necessary cookies for a service that the user explicitly requested. This is not the case for cookies placed by Instagram embeds.
Sorry, but an opinion from 2012 has no chance to be relevant if it disagrees with the current GDPR interpretation I linked to. Note how it explains that the ePrivacy Regulation is not in effect. I do not see how there could be any basis to legislate cookie usage if it is not linked to private data/analytics, if this happens it will not survive the courts I think. I do understand that this cookie consent interpretation is common - one just has to look at those stupid cookie consent forms on private blogs - but it does not follow from real legislation.
However:
> This is not the case for cookies placed by Instagram embeds.
Yeah, I can see how this is complicated and how it fits the topic. It's not a third party cookie for the embed, but for the website it might be, and is it even a functional cookie? I doubt it. I'm not sure how those would be judged and what is a reasonable way to work with embeds. It's only certain that there is not a solution as easy as it was in this case, where self-hosting the fonts was possible.
You're making the mistake of thinking that the cookie consent requirements are somehow a consequence of GDPR. The cookie consent requirements exist separately from and additionally to GDPR as a consequence of the e-Privacy Directive. What GDPR changed in regard to cookie consent is what exactly constitutes "consent", as it updated the Data Protection Directive in that regard, but it did not change when consent for cookies is required.
Other than court judgments, the Article 29 Working Party opinion is the most authoritative opinion you will get on the interpretation of the e-Privacy Directive, which is the "real legislation" that you need to look at.
edit: Nobody claims that the e-Privacy Regulation is in effect, by the way -- of course it isn't, it hasn't even been passed. The cookie consent clause of the e-Privacy Directive is however in effect, and has been since 2009.
Also the e-Privacy Directive does exempt strictly necessary cookies from any consent requirements, or am I completely confused now?
Edit: No, I'm not. The GDPR page I linked states the situation that follows both from the GDPR and the e-Privacy Directive. It also fits to what is written in the directive itself.
Strictly necessary cookies for a service the user explicitly requested. And, importantly, this is true even if no personal data is involved and the process is therefore not covered by GDPR at all -- the cookie clause of e-Privacy Directive applies regardless.
Careful. That is an 100% unofficial site. It is not chartered or funded by the EU. The linked article is from “Richie Koch”an editor working on human rights stories who wrote the article on behalf of Proton VPN, which runs the GDPR.eu site as a content marketing scheme. The linked article is not the law and not official guidance, though it provides a reasonably good summary.
Everything sqrt2 says in the comments is entirely correct, as far as I can tell.
Fair point. And thanks. I think now that my position - while how it should be, consistent with the GDPR and repeated at multiple places - is possibly not in line with a court decision from 2019 or so, that interpreted the e-Privacy Directive in a wrong way imho, and at the very least might depends on local practice of how EU "law" is applied. So you two are probably right.
Ridiculous to govern non-privacy relevant tech usage like this. I still think that's illegal where I live. Regardless, let's hope the e-Privacy Regulation or future court decisions solve this.
The part that is tricky, is where we offload additional burden of knowledge and responsibility to the website providers.
When it is on the user to figure out whether they are allowed to use a product – and that means in fact any product – that one of the biggest companies in the world is allowed to offer in my country legally, we are in trouble.
Law is complex. Tech is complicated. Most people are not law or tech experts. Getting sound advice on both is expensive, and the trend to increasingly need more of both is worrisome.
This seems neither fair nor reasonable to me. Or particularly democratic.
I have to say that this is such an example of new technology being scary but the problems with old technology being ignored.
I'm still waiting for the ability to have mail received from someone or a company without giving such parties my name and physical address. This could very easily be implemented in many ways, but somehow does not exist.
There is no reason for a mail order company to know my full name and physical address to deliver anything to do, and I feel this sis far more compromising than an i.p. address.
It's an argument for, as I said, that people have a tendency of disproportionately focusing on the harmful effect of new things, all the while ignoring anything that is sufficiently old.
I find giving ulterior parties my name, and the physical location on the planet I live far more scary than being tracked by cookies without such cookies being able to be tied to such things.
This is not good news. This indeed very bad news. Especially for entrepreneurs in Germany who must constantly fear to be convicted for something as ridiculous as this.
Yes, but they have a contract with the VPN and the VPN has a data protection officer. Here they just send data to Google and Google has not made any promises to protect the data.
Not quite? Wouldn't the users browser have sent its own IP address to Google? That's different that "forwarding" it, and it may not even be enough for Google to connect the user to that site.
The web site did no such thing -- it served up a document that contained the reference. It is the end user that CHOSE to delegate interpretation of that document to a web browser (ad a counter example, look at how RMS browses the web). Yes this is less practical. But since the decision only deals with what is "possible", then logically it should be fully consistent.
Now from a practical standpoint, I'd like to see a privacy consent header which informs the web site of the privacy options the user has selected. Absence of that header or absence of specific selections will result in annoying popups like we have now.
It strikes me that this is exactly the same scenario, in reverse, that we have with people being convicted of "hacking" a website by entering a URL that wasn't supposed to be exposed. Things like "consent" and "authorization" are murky when we delegate our will to computer programs like browsers and servers.
If URL "hacking" is illegal, then we have decided as a society that persuading a piece of software to do something does not equate to informed consent on the part of the person operating it (and by extension that we're meant to make some sort of guess as to what they do intend).
I strongly disagree with this interpretation. In my view, a person maintaining infrastructure is a position of power and therefore should be held to specific standards in regards to how it treats users.
Users on the other hand are just people. Being a user on a service does not grant you power over other users (not out-of-the-box anyway). Sure you can scan for vulns and/or follow a public link to a top-secret document: in my view that's nothing wrong. Now reverse the situation: why should a remote server administrator dictate the computing performed on your machine?! Is it ethical for some website operators to start scanning your local network?
A service operator knows about threats, hopefully has counter-measures in place, and can always ban you (or specific requests) if it comes to that. A user is mostly helpless, especially when it comes to computations performed by a script you unconsciously downloaded and executed from a server. How many users are aware of what RCE even means and that a web browser with JS enabled is essentially RCE-as-a-service?
> it served up a document that contained the reference
A document that is expected to be executed by the receiving system. Might as well log in to your companies production server as root and send the completely meaningless string of letters "rm -rf / \n", not your fault if the receiving system actually executes it.
GDPR specifies a different interpretation of events, that takes precedence here: the user chose to visit GDPR-bound site A, and the law requires site A not to compel the user to visit any site B that is not bound by law or treaty to honor GDPR as well.
You’re not wrong that one could logically evolve your interpretation from circumstances, but GDPR’s authors chose not to accept your interpretation as sufficient, and went further than that.
I was thinking more along the lines of the "allow location" and "allow notifications" popups. The web site will ask you first, and if you say yes the browser then asks you in its own popup. Or you can tell the browser to always accept, or always allow on a per-site basis.
1) google won't know what site told the browser to do that.
2) this is probably more of a browser issue than a site issue.
3) the reason browsers dont complain about content coming from different domains is because the entire ad industry depends on that behavior. That may need to stop ;-)
Not all browsers send Referer headers. These days it's only useful for doing log analytics and hotlink protection from the browsers that do send the header.
This argument was tried in the Fashion ID case. A company had inserted Facebook Like buttons on the web page, and argued that it was not responsible for the ensuing disclosure of personal data (such as IP addresses or possible tracking cookies) to Facebook. See, it was the browser and not the website operator that disclosed the data, and the website operator never had access to the data in the browser in the first place!
The European Court of Justice did not buy this argument. By coding the website in a particular way, the website operator was responsible for causing the user's browser to act in a particular way, so it was the “data controller” for the collection an transmission of personal data by the Facebook Like button, though Facebook is of course jointly responsible for what their code does.
The underlying argument is that someone is a data controller and thus responsible for GDPR compliance when they determine the “purposes and means” of processing, alone or jointly with others. Embedding the code for the button was an exercise of this power to determine purposes and means. In contrast, the website operator is not a data controller for whatever Facebook does with the collected data on its servers, because it cannot control what FB does.
The given case from Munich is a very straightforward extension from the Fashion ID judgement, though the website operator didn't even claim that they weren't responsible. Instead, they argued that they had a “legitimate interest”in loading fonts from Google servers, which the court rejected. While I consider it probable that Google does not use data from Fonts servers for tracking, the judgement correctly points out that Google is well-known for tracking – but this doesn't matter anyway, since already the disclosure of personal data without a legal basis is a problem.
That seems on the surface to be a ridiculous argument.
I can go "bash < somefile" and I can go "csh < somefile" and I can go "cat < somefile". It's my choice to use bash, csh, or cat. somefile will have data in it, that data will be interpreted by MY choice of program to read the data. If I don't want the contents of somefile interpreted as commands I shouldn't be passing it to something that runs commands based on its content. replace somefile with `curl someURL` and nothing changes. If I don't want my computer to connecte to other computers based on what content comes back from `curl someURL` that's my responsibility.
Maybe a better example. It type `npm -i somepackage`. npm then looks in somepackage and sees dependencies and downloads them. By the same logic as the judgement npm or `somepackage` is responsible for leaking PPI based on the dependencies listed. Not the user for running npm in the first place.
The same with `apt update` and `apt upgrade` etc...
The ruling would apply in tons of places that seem like they'd make it hard for things to keep working.
If the CDN abides by GDPR laws and doesn't process user data then it is fine. But if the CDN you use process user data for its own gain rather than just serve the request then that goes against GDPR. It is your responsibility as a developer to ensure the services you use follow these laws.
If you don't have a contract stating that the other part will honor GDPR then we will assume that the other part will misuse all data sent to them, so you aren't allowed to send any data at all.
This was a static web address and not a CDN for this website, the company doesn't have a contract with Google about this and the user didn't go to Google.
Hundreds of thousands if not millions of mom and pop blogs are linking to images, fonts, scripts, etc from various sites. Are you really going to fine them all?
You're basically arguing any link to an image on imgur or flickr or wikimedia is should be fined.
> You're basically arguing any link to an image on imgur or flickr or wikimedia is should be fined.
Why do you think that? I would never agree that a link should carry any responsibility to the site owner, even if it linked to porn, warez or really illegal stuff.
I think there is not. You are not allowed to download the video and host it yourself, that would be a copyright violation. Am I missing a legally valid way?
Okay but let’s say you have permission to host the content — e.g: you actually own the video.
Do you still think it’s reasonable that it should be a legal requirement that to embed a video on your web page you must develop your own video delivery infrastructure?
You could just link to YouTube and not embed the video.
I think the important part is that this is an issue, only because companies like have had a surprising hard time not misusing every single bit of information sent their way. The result is that companies have forced governments to step in and now they are overregulating.
If you specify preload=yes or other take any steps whatsoever to promote preloading of the (non-GDPR) YouTube link, then you would definitely be responsible for the user’s IP leaking to a non-GDPR site, and risk owing fines under GDPR.
If you do not request preload behavior, then you’re just linking another site on the web, and users are considered to understand that links go to other sites, and that’s acceptable. A theoretical GDPR complaint would find that the user agent was responsible for the behavior, not you as site operator.
You pay for that content delivery by selling the users data to Google. Do you think that is fair that the user should pay for your video hosting with his data? If the user wants to see the video, sure, but that hasn't been made clear yet at this stage.
Well, it depends. If it's a short video that fits into your available traffic that you can just self-host with a video tag, why shouldn't you take that option? If it would be a huge burden like where you really would have to develop infrastructure despite that not being in your budget nor competence, then of course not.
I already agreed in a comment above that these questions wrongly answered by a pure privacy maximizing position carry a huge danger for the german web.
That specific scam does not have to work anymore though. Abmahnungen in Germany are the most stupid and lawyer serving system in the world, but the CC image scam got closed by judges deciding no monetary harm was done. Possible that these lawyers are still trying, but note that the article started 2018.
The linked article also never went to court because they decided to pay instead:
> September 21: After months of silence, we have received another letter from Kanzlei Schröder. This time, they threaten to take us to court unless we pay 400€ by October 1. We decided to pay. That was our last interaction with Kanzlei Schröder.
Frivolous lawsuits, maybe, but frankly that’s irrelevant to the discussion at hand, which is the legislative liability of running a website. I’ve never heard anything even close to what the GP describes happening in any other country.
Software patents are a construct of the legislature that hands out a template for privateers to create liability. I wouldn't want to do anything in the US market.
A smaller nightmare than the dystopian surveillance the free-market free-for-all in the USA has manifested.
The government has the absolute authority to regulate you into a corner, if need be, to protect its people from predation by powerful interests. That's what governments are for.
Why can't they just read the terms of the license before they use the content? By this logic, saying that you didn't cause any economic damage because the software is freely available ought to be a valid reason to violate the terms of the GNU GPL.
You are doing Your Thing™ and the lawyers are doing Their Thing™, and you are both incompetent at the other one.
The worst you could do to a lawyer is that maybe you could embarrass them about their lack of network engineering knowledge, but they in turn can extract real money from you through various means.
Also defending oneself results in involving a different lawyer enriching lawyers as a whole anyways.
> maybe you could embarrass them about their lack of network engineering knowledge
I’m fairly certain it’s possible to do much worse to a laywer, especially a technically clueless one.
Defending oneself from a frivolous lawsuit (e.g. judge has already said ‘you can’t do that’) in a sensible country like Germany might not cost you anything.
Much, much more likely however, is that they wouldn’t go to court at all (because, you know, they would lose, and even if both sides pay their own cost they’d lose more money than they could potentially make).
> It is undisputed that the plaintiff's IP address was forwarded to Google when the plaintiff visited the defendant's website.
In this context, "It is undisputed" does not mean "It is a truth universally acknowledged by everyone", but rather "there is no dispute between the defendant and the plaintiff that this happened; in the light of that non-disagreement, the court is not required to decide whether that happened or not, and will accept that as a fact".
So in this case, the defendant (as well as the plaintiff, of course) agreed that "the plaintiff's IP address was forwarded to Google when the plaintiff visited the defendant's website". If there was a place to bring forward this "agency argument", this was the place; however the defendant seems to have chosen not to bring it forward.
It may be because the defendant's lawyers are unprofessional and forgot; it may also be because they are professional and so they knew this argument would not hold.
The plaintiff's browser did what the defendant's code ordered it to do.
If the defendant's code violated GPDR (which seems to be the court's conclusion) by sending the plaintiff's browser somewhere, it's a defendant's problem, not plaintiff's.
Yeah, that's exactly the agency argument. It's not as if the plaintiff's browser is actually under control of the defendant, a user agent is not forced to follow the instructions that are contained in a website it requested on behalf of its user.
I don't think forcing each and every single website provider to implement their own consent forms is the right approach to regulating this. User agents should have the ability to convey and enforce privacy preferences on behalf of the user, and website providers should be legally required to comply with these if possible (or refuse service if not). But requiring ever more complex, explicit and custom opt-in consent forms for various provider, third party and user jurisdiction combinations is just inane.
Consent forms are not required, just host the font. They are also way more expensive and complicated to implement than self-hosting fonts. Asking for consent over usage of third-party fonts borders on pettiness from the website owner.
> User agents should have the ability to convey and enforce privacy preferences on behalf of the user, and website providers should be legally required to comply with these if possible (or refuse service if not).
The burden of respecting privacy choices in every single other case (data in the backend, data shared with partner, paper data) is already with the website. Every non-privacy-respecting implementation in the frontend is made by website owners.
Keep in mind that sometimes websites don't work with blocking other stuff, or are more difficult to use when blocking fonts (Google Material). So this is not even a practical suggestion.
There are two options to do what's required by the law: either A. not sending users' personal data to third parties; or B. receive informed consent from the users before sending their personal data to third parties.
If the option B seems unwanted for some reason (any reason), there is still option A. Implementing a different solution (that breaks the law) has consequences.
This is a pretty sad state of affairs IMO. The fact is that CDNs and similar third party services play an important role. Websites wont stop us6them, it's not feasible (btw if I "host" my fonts in S3 do I have to get consent for sharing IP with Amazon? With DNS? with every router that goes through tracert?) .
In reality, websites will add more crap "opt in" CYA forms at first loading, making the interaction fugly and unusable. We can discuss here in HN how that is unnecessary and whatnot, but that's what's going to happen...
I just wish that websites wouldn't force us outside of the EU to the asinine UX required by the EU (I hate having to press ACCEPT ALL on each page I visit.... whatever I dont want is already blocked by an extension anyways).
> The fact is that CDNs and similar third party services play an important role.
They no longer do, since browsers implemented cache isolation.
> if I "host" my fonts in S3 do I have to get consent for sharing IP with Amazon?
No, you're supposed to contractually bind your vendors/service providers as data processors with a contract (“data processing agreement”) per Art 28 GDPR. There's some debate around whether US-based companies are legally able of entering into such an agreement (say hello to the Cloud Act from me), but the general consensus still is that non-US cloud regions might be OK, and that CDNs that let you sign a DPA (like Akamai, Cloudflare, Fastly, …) are also OK. In contrast, Google Fonts does not seem to be covered by the Google Cloud DPA.
> with every router that goes through tracert?
No, such mere transmission doesn't count as processing, and/or the intermediaries are responsible for their own compliance. In any case the connection should be protected by TLS so that only the client IP address + your domain name is visible to intermediate routers.
> websites will add more crap "opt in" CYA forms
Unfortunately, I agree, though the point of this judgement is that self-hosting some assets is a perfectly cromulent alternative. I think relying on “consent” would be difficult in a case like this, since it is not generally possible to make access to a service conditional on consent to unnecessary processing activities. Using a CDN for assets like files is unnecessary.
> I just wish that websites wouldn't force us outside of the EU to the asinine UX required by the EU
For EU-based websites there is no choice, as the law doesn't care about where the users are.
There's also a bit of irony in here that there has been a lot of work in replacing the cursed cookie consent requirements that gave us most of these annoying consent banners – but the past few months revealed that the US tech giants have been successfully lobbying against the proposed ePrivacy Regulation. So please redirect your ire against Google. Without them this might have been fixed in 2018.
There's a difference between data sent to the website provider (and through it, indirectly to third parties), and interactions between the browser and third parties. The linked ruling forces the provider to ask the user for consent for third parties (even though the provider has nothing to do with the interaction!), instead of mandating a direct opt-in interaction between the user (agent) and third parties.
Imagine embedding many social media sites. Instead of forcing the social media sites or browser vendors to create embeddings that ask for consent themselves, the website provider has to ask for consent on behalf of all external sites before loading any content. As a web developer, this is a nightmare.
> even though the provider has nothing to do with the interaction
I beg your pardon, but in this case "the provider" (website) has directly sent the user's browser to a third party (google fonts) by including an instruction in the code (HTML) that the provider has sent to the user's browser. The browser did not decide to contact google fonts all by itself; it was directed to do so by the provider. Arguing the provider "has nothing to do with the interaction" looks a bit disingenuous to me.
I don't think you get the agency argument. Of course the request to the third party provider is causally related to the website sending the instructions. But while that is necessary for it to happen, it is not sufficient. The user agent's execution, on behalf of the user, makes it happen.
I do get that argument; I just don't think it holds any water.
If one hires a hitman to kill someone, that one may still be held accountable to manslaughter, even if that specific person didn't kill anyone themselves. It may also not matter how many degrees of separation are there between that person and the hitman: as much as putting a (Bitcoin) bounty on someone's head (with a "smart contract" or whatever) may be considered manslaughter, even if nobody knows who the actual hitman is.
"Agency" is not a magic get-out-of-jail card.
Also, one may try convincing a judge "Your honor, it's true that I wrote the code that encrypted the plaintiff's network and wrecked a havoc, but I did NOT execute it; the plaintiff could have instructed his CPUs to not execute my code"; I don't know if this argument would hold.
Finally, there might be a "reasonable burden" argument in this case. It's reasonable to expect that website builders would know how browsers/internet work. It's not reasonable to expect that website visitors (general populace) would know that. Hence, the burden of GPDR compliance is better put on the builders' shoulders, which is exactly what happened in this particular case.
Summary: A company did try the “it was the browser, not us” argument in the “Fashion ID” case. The court did not fall for it. Data controller and thus responsible for compliance is whoever determines the purposes and means of processing. Being able to control what the website does seems to be good evidence for being a data controller.
In this Google Fonts case, the website operator didn't even try this discredited argument.
> Sure your honor, the victim died by carbon monoxide asphyxiation, but it was his choice to inhale the gas, even though it smells the same as normal air"
"Your honor, the victims of my ransomware attack decided to use a modern CPU to run my code. The attack would not have succeeded have the victims used Z-80, so there's no one to blame but the victims themselves."
Yeah like when you use a browser no where did you literally cause & consent to loading and running stuff.
False analogy.
Ironic that people use this line of reasoning to defend ad blockers (I'm responsible for whatever software I run) but then use the opposite argument when they don't like what the software does.
> a user agent is not forced to follow the instructions
Luckily! A large german media corporation called "Springer" has for years, and is still, unsuccessfully trying to get the courts and politicians to rule that users can not manipulate web content and must run it as intended, as changing it would violate copyright and is a sabotage of their program. And i bet they aren't the only ones globally. Also: how many devices are locked down and can only run code as it is provided by trusted third parties? Try installing an ad-blocker on a smart-tv or a playstation.
Website have no authority over the browsers accessing them. They can't order. Just state information. "There's a font over here" not "you have to go access this font over here".
That browsers by default tend to follow links to resources automatically doesn't change that. It's still the agent the user has chosen to represent them when talking to the website making the decision not the website.
If a legal body want to make the call that users shouldn't be responsible for choosing what their browsers automatically do or don't do on their behalf that's fine. But it's absurd to do it by making it the website creators problem. It's the browser that's choosing to do things without asking the person it represents for explicit permission. It's the browser sending the information to the third party. Put it on the browsers!
We've got a handful of choices for browsers. They all gratuitously send every bit of information they can get their hands on to every website they can. Just straight up informational security Judas'. And GDPR blames websites? It's crazy to me.
or too under-powered in relation to the powerful organizations that take advantage of them, or too overworked by all the tasks and details of their lives to deal adequately with all the things it might be beneficial for them to deal with, but are not strictly necessary for getting through the day.
No. It is so that they don't have deal with developers tricks and misdirections and intentionally misleading uis and so on. It is also so that they are not required to learn tons of obscure and otherwise useless knowledge to function reasonably.
None of that makes them stupid. Just like, when I am in grocery store I can be sure all food there is reasonably safe, even if I don't know anything about them. I am not expected to research them all personally for dangerous substances else "I am stupid for poisoning myself".
When talking about UX, there's this bad habit of using people's mothers or grandmothers as examples, because they are 'too stupid' to understand the UI that was built. Aside from the obvious problems, this also implicitly removes blame from the designer/implementor of the interface.
I always prefer to reframe it as someone with a very important, intelligence requiring job, say vaccine reasearcher, who doesn't have time to deal with your shitty UI when they want to print a document.
The browser is the user-agent, ie. an agent acting on behalf of the user. The browser chose to fetch the font, based on the orinal response. It could be configured not to.
You could also say that the user is opting in to loading a font from google when he actively sends the request to google. You could also say the user is opting in to storing cookies by accepting the file and writing it to his own disk, and sending the file back when the site asks for it. I think it is too late for these kinds of arguments in the EU though, and maybe with good reason, if it turns out the average citizen is not actually able to configure these kinds of decisions.
> You could also say that the user is opting in to loading a font from google when he actively sends the request to google.
Consent is not consent unless it's informed consent. If the user was not made aware of the request in a clear way before the request happened, he did not have a choice. If the person (and by person we mean the human being, not their browser) did not make the choice, then he did not consent. There's no "technically" about it, the question is only if the person knew what was happening and was given an opportunity to opt in.
So it is the responsibility of the website owner, to make sure that the user is informed about how his own browser works. Couldn't you make a case for shifting this responsibility to e.g. the browser vendor or the regulating bodies who decide on web standards?
The responsibility of the website owner is not to send users' personal data to third parties, OR to receive their users' informed consent to such sending BEFORE that sending occurs.
That's the law. It's enforced by courts.
Web standards aren't law. They aren't enforced. You can't sue anyone in W3C court for using non-standard CSS or forgetting to close a `<b>` with a `</b>`.
>not to send users' personal data to third parties
>receive their users' informed consent to such sending BEFORE that sending occurs.
Neither of these are what's actually happening in this case. According to this court's decision, the responsibility of the website owner is not to send instructions to the user's machine that might expose their personal data to third parties after the user's machine follows these instructions, OR receive informed consent before such instructions are sent. I'm not saying the GDPR doesn't apply here, but at least it's clearly a different situation.
For the purposes of this Regulation:
(1)
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
— Clause 26 of GPDR [0].
Whereas I would point out the directly or indirectly part, the latter of which happened here.
It hardly matters in the court of law what you "could also say".
The law is clear: you don't have to send your users' data to third parties, but if you decide to do it, you have to receive their informed consent first. In this case, the defendant chose to send personal data to a third party without receiving their informed consent.
The option of conforming with the law by not sending that data anywhere still stands, as does the option of receiving informed consent beforehand.
But technically, the user itself is sending his own data to the third party, and the original website is merely requesting the user to do so. You could interpret it like this: "To use this website, it's best if you have this font. You can get it from here: https://google.com/fonts/blah". It's not exactly the same case as a more obvious GDPR violation, where the website would collect information from the user, and then send it to a third party (e.g. selling user data to a data broker).
>It hardly matters in the court of law what you "could also say".
On the contrary, it's exactly what the court is there for.
> the original website is merely requesting the user to do so
... in a violation of GPDR, because user's informed consent was not received beforehand.
> it's exactly what the court is there for
I might have been more clear: it hardly matters what you or I could say — what does matter is only what the lawyers say. In this case, I assume that either A. the defendant's lawyers have brought this argument before the court, and the verdict still was what it was; or B. the defendant's lawyers have failed to bring this argument before the court.
The courts are not there to discuss arguments made in HN comments.
Technicalities don't matter. The user never consented to this data being shared with third parties, and there is no simple mechanism for the user to block them that is available to all website users. As other mentioned, GDPR also requires opt-in.
There is a case for third-party requests, and considering that some websites make tens and sometimes hundreds (eg Yahoo) of third-party requests, passing the burden of filtering those requests to the customer doesn't really scale.
The burden is fully on the website operator here. They wrote the software, and it's most certainly closed-source. Just as the burden of keeping my data safe on their backend is on them, the burden of keeping my data safe on my frontend is also on them.
> passing the burden of filtering those requests to the customer doesn't really scale
I think it scales better than forcing millions of website providers to engage in the legal fiction that they are an intermediary between the user and all external content providers that are embedded on their page
> all external content providers that are embedded on their page
All the embedding is being done by the people building the websites, so yes, they do have full control and therefore full responsibility.
Just because I don't perform a crime or violation myself, it doesn't automatically absolve me when I pay or ask someone to commit it.
> forcing millions of website providers
Millions? There are billions of website visitors, and most of those don't have any control or deep knowledge over their tools. There are only 3 significant browser technology suppliers at the moment, and none of them provides the hypothetical tools to users, only third parties, and those tools often break websites.
Website builders, however are significantly more technical and able to control their tech stack. If anything just hire another company. The burden should definitely be on them.
How many of these billions want or are even capable of understanding what they do when they click the "i accept" button? Legal complexities seem even further removed from public understanding than technical ones. This approach seems equally ineffective for achieving what this regulation is intended to achieve, to not just to have the users sign away their rights with a click, but give them an understanding of what they give away. But I'm not sure whether that will ever be possible.
I agree that its a big problem that the big browsers do not act in the interest of their users, and that their vendors are in fact disincentivized to do so. That would be a good reason for antitrust action and public funding, since they should be public goods.
> How many of these billions want or are even capable of understanding what they do when they click the "i accept" button?
I don't see how this is relevant, but:
Again, whether those consent forms are understandable or not depends solely on how websites implement them. The fact they are confusing is purely because website operators want them to be.
These confusing forms are not a requirement of the GDPR. How they look and feel is up to the website hosting them. They go against the spirit and some go against the letter of the law.
The goal of GDPR is letting people answer to the question such as "Can I give your data to company X?". The fact that the internet became a cesspool of privacy violations doesn't change the original intent of the law.
> This approach seems equally ineffective for achieving what this regulation is intended to achieve, to not just to have the users sign away their rights with a click, but give them an understanding of what they give away.
The law already states that rejecting should be as easy as allowing. The fact websites don't make it means they're breaking the law, and I hope they get punished by it.
> I agree that its a big problem that the big browsers do not act in the interest of their users, and that their vendors are in fact disincentivized to do so
We already have a Do-Not-Track header, but websites refused to obey it for more than 10 years, to the point they were removed from browsers.
Solutions were always there. It is websites that chose not to comply.
I know, which is why I said: "and maybe with good reason, if it turns out the average citizen is not actually able to configure these kinds of decisions."
Not in practice. It requires configuration that is non-trivial for most users and might not be available for them in all cases (eg: using a computer in a library).
In fact, I can't think of a solution that doesn't require third-party software/hardware/product and some computer expertise (AdBlock? Pi-Hole? VPN? Little Snitch? Hosts File?).
Ublock Origin in advanced mode can be set to block all third-party requests by default. I browse the internet that way, but it's definitely not for everyone.
I also browse the internet this way, but yeah. This solution is not available to people not using their own computers, people using certain browsers that don't have it, or just people that haven't heard of it.
Also Google can definitely make use of That information because they know so much about the user that a single IP connect is enough to establish that a specific user visited that website.
Not only from your own domain, but from your own servers. If you still server-side send the IP to Google servers, it's still sharing of personal data with a 3rd party.
I wonder how this works when you rent servers from VPS providers. If you host data on their servers, does it mean you share it with them? What if this data is behind a root password? What if it's encrypted?
Note that if you are an American, this still isn't a solution. This ruling prohibits any US citizen having EU IP addresses. So if you as an American host your own servers, you either have to remove all connection logging or ban all Germans.
Seems pretty simple to me. I visit not-google.com, then don't load anything from elsewhere without being asked first. It's not too dissimilar to app-level permissions.
The counterargument to this is that you are knowingly using a piece of software that has, and has always had, the default behaviour of autoloading remote resource links it finds in HTML.
> you are knowingly using a piece of software that has, and has always had, the default behaviour of autoloading remote resource links it finds in HTML
Actually, most people don’t actually know that. And why would they? Why should they get bogged down in such technical minutiae? Why require users to play tedious uBlock whack-a-mole of enabling resources from external domains until the website starts working in order to have any semblance of privacy?
Just because something is common doesn’t make it right.
The vast majority of people don't know what the last half of your message means. They cannot, and should not, be expected to make fully informed decisions. Industry (as always) has demonstrated they're not interested in educating or helping the user in any way about this. So they need to be regulated.
By the same token, if you run a binary executable, you are knowingly using a piece of software that has, and has always had, the default behavior of autoloading any dynamic libraries, running any unprivileged machine instructions, making any unprivileged system calls, and having access to all the appropriately mapped memory it might find or obtain.
So you could conclude that my program can do whatever it wants within those constraints, and it's your problem as a user if it does something you don't like.
But I don't think it is fair to expect normal people to analyze a program for malicious behavior before running it. And I don't see how it is relevant whether that program is a compiled binary or a spaghetti blob of html, css, javascript, and web assembly. Also it is not clear that such analysis is permitted by the draconian copyright laws.
> you are knowingly using a piece of software that has, and has always had, the default behaviour of autoloading remote resource links it finds in HTML
Am I? Maybe I am, because I have worked as a web developer, but most people don't really have this knowledge.
And even if they suddenly start having the knowledge, what is their choice? Stop using the web for good?
The point of GDPR is to bring the responsibility back into the provider’s side.
Instead of blaming the user for not having technical means and personal rules to apply privacy best practices, the site creator has to offer options to review the situation _before_ letting loose all the trackers and third party carnival.
And it makes sense to me. If tomorrow a site decide to get their favicon from microsoft‘s new marketing service, it would be unreasonable to expect the users to know to block that.
If the user visits foo.de they obviously expect that some data is transmitted to foo.de
They also might know that companies use service providers and therefore necessary data might be shared with 3rd party companies (which is fine according to the GDPR).
However the user can also expect that that a) foo.de minimizes data transmissions and b) 3rd parties conform to the GDPR rules (which Google can't).
If the user is logged in to Google (e.g. for Gmail) Google would be able to connect the user with foo.de with a high likelihood. This in turn might expose the users behaviour to automatic analysis by foreign government agencies without any legal oversight (since the user most likely isn't a US citizen)
Not only that... I visit foo.com , the browser will query 3rd parties for DNS, moreover when retrieving data from foo.com several shops will need to be done (see traceroute foo.com) . All of those should be disclosed and explicitly approved by the indefensive user!! And then, is foo.com hosted in servers that are not property of the website provider? (AWS, GCS)? oh shit, that's sharing without consent!! Another prompt for the user. Oh wait but that prompt should come before sharing the data!!
GDPR is going to manage to make the internet unusable. Who would've thought it was going to be bureaucrats the ones to kill the web!
Where is exactly is the line for needed for operating a website and being optional?
What if you create your website in wix.com, the data from your domain will be shared with them AND it is needed for this data to be shared for operating the website.
EDIT: To make it clear, I always recommend self-hosting fonts and agree that Google CDN fonts should be avoided. But even if you self-host the fonts, those are still hosted on a server that is very unlikely to be your basement.
Why do you think google fonts exist?
For google to Get visitor IP all over the web without any form of user consent, this is exactly what the gdpr tries to kill.
What value exactly is there in Google seeing that IP X requested font Y, assuming there’s no Referer header - which there won’t be, assuming Referer-Policy is set sanely (which by default it is in all browsers)?
If you are logged in to Google and visited YouTube earlier that day they already know that you are behind IP X with device Z and use that information later on by connecting it with the font API key of mydomain.de
Which is really shitty behavior from a browser that wants to claim to care about privacy.
But even without a referer it gives Google some information, even if its just that this user (ip, useragent, other identifying bits) is currently exists.
But GP has a point: An IP address (together with a timestamp) may be used to identify you a person but if it's not connected to actual personal data (e.g. what website you visited), "leaking" it to Google doesn't provide Google with any data about you.
I mean, IP address ranges are publicly known. If I now run a `for` loop over all IPv4 addresses and write them to my HDD, am I suddenly illegally storing personal data of all the people behind those IP addresses? Obviously no. An identifier by itself is not worth anything, unless it's connected to actual personal data.
EDIT: Never mind. GP's assumption that "there’s no Referer header - which there won’t be, assuming Referer-Policy is set sanely (which by default it is in all browsers)?" does not seem to hold in my browser. So Google does not only receive the IP address but also the HTTP REFERER.
The court judgement addresses this exact point. There are previous judgements (Breyer v Bundesrepublik Deutschland) that establish that dynamic IP addresses are personal data. There are reasonable means to identify the data subject with the help of third parties, such as the ISP. “For this it is sufficient that the defendant has the abstract means for identification of the person behind the IP address. Whether the defendant or Google have the concrete means for linking the IP address with the plaintiff is irrelevant.”
That there is correlating information like timestamps, useragent strings, or referer headers increases the likelihood of actual identification, but the mere reasonable possibility of identification is sufficient for IP addresses to be personal data.
You're missing the point (and mischaracterizing the court decisions): An IP address by itself (without any additional information, e.g. the URL of the website requested by that IP address) cannot possibly be personal data, as was illustrated by my "for loop" example.
The present court case and also the one you're referring to (Breuer v. Bundesrepublik Deutschland[0]) do not say anything to the contrary. They were concerned with situations where there is additional data that could be used e.g. to build a user profile. For instance, the Bundlesgerichtshof judgment addressed the question of "whether dynamic IP addresses of website visitors constitute personal data for website operators" [0] (which clearly know which website the visitor visited and therefore possess additional data about the visitor).
For something to be personal data, it must be information that relates to an identifiable natural person. There are two criteria here: (1) it must relate to a natural person, and (2) that person must be identifiable.
Your “loop over IP all addresses”example does not involve personal data because the information doesn't relate to anyone – it is just a list of numbers. Even if it were to relate to individuals, no court would order an ISP to disclose information about corresponding subscribers for such generated IP addresses. Then, the identifiability argument in Breyer cannot work.
In contrast, an IP address that is part of an IP packet received by a server clearly relates to the person sending the packet, if there is such a person. And, with the help of third parties, the person on the other end of the connection is reasonably likely to be identifiable. This does not depend on the website operator having any additional information such as cookie identifiers, other than the date. To avoid confusion, let me quote the relevant part from Breyer:
> 49. Having regard to all the foregoing considerations, the answer to the first question is that [Art 4(1) of the GDPR] must be interpreted as meaning that a dynamic IP address registered […] when a person accesses a website […] constitutes personal data within the meaning of that provision, in relation to that [website] provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person.
The only additional data involved here is that held by the ISP, not by the website. That the judgement scopes its conclusion to website providers must be understood not as a limiting factor (as in: IPs can be personal data only for website providers), but as a contrast to the uncontested observation that IPs clearly are personal data for ISPs.
An IP address that relates to an identifiable person is personal data by itself. Thus, its mere disclosure to a third party without a legal basis is a breach of the GDPR. The article you linked highlights the “absolute vs relative” identifiability discussion, but this reasoning holds even under the “relative” standpoint because Google too is a website operator who has the same reasonably likely means for identification as the original website operator, if not substantially better means due to its trove of other data it can correlate with the IP address.
In this LG München case, the court determined that sharing this data with Google was illegal, regardless of whether there is any additional data. It is, in a sense, a very formal argument, that doesn't consider it necessary to dive into specific fact patterns (that's the abstract vs concrete means part quoted in my previous comment). The court did consider the impact of Google's tracking abilities in calculating damages, though.
To summarize my disagreement with your comment: (1) I assert that an IP address by itself can be personal data for a website operator (such as the defendant or Google), per the Breyer argument. (2) The LG München judgement in this Google Fonts case is not concerned about additional data when considering the legality of processing. (3) Additional knowledge held by the website operator is irrelevant for both this case and the Breyer judgement. Since a negative is difficult to prove but a positive can be shown by a single example, could you please point out the paragraphs in the Google Fonts case[1] or the ECJ's Breyer judgement[2] where I'm mistaken for disagreements 2 or 3?
You are extremely naive if you believe Google can't infer anything if the referer is missing.
An IP + user-agent combination (both of which are sent) is enough to uniquely identify a typical home user with high certainty unless they're behind a carrier-grade NAT and use a very popular browser.
Let's assume Google can identify the user but doesn't get a referrer. So what? The only information Google receives is that some user visited some unknown website at a particular time. How exactly would that lead to Google increasing its profits?
> If I now run a `for` loop over all IPv4 addresses and write them to my HDD, am I suddenly illegally storing personal data of all the people behind those IP addresses
That's actually a good point. The IPv4 space is pretty limited. I guess the GDPR law makes it PII if you bundle both the IP with an action made by that IP (e.g. that IP visited that website).
The ruling says the website owner illegally shared the user’s IP address with Google. AFAIK, this is an incorrect interpret of events. The website merely tells the user’s browser that the content is intended to be displayed using a font that, if not installed on the user’s computer, can be downloaded from Google’s server. It is the the user’s browser that initiates a request to Google’s server. A request by the website itself to Google sharing the user’s IP address never actually occurs.
While you somewhat correct, in that the browser sends the request, but it is not a 'can be downloaded' but rather an imperative saying 'get that font from that server'.
In the end, the w3c standards define, that browsers execute the commands they receive from the server and in this case, the server tells the browser to download the font. So the site-owner configures his website in a way, that this site instructs browser to share the IP address.
This is the essence of CDNs, though. Every offsite CDN is subject to this same ruling, meaning any developer trying to use a third-party CDN for something as simply as loading jQuery is subject to this. For example, on load, https://evanandkatelyn.com/ grabs stuff from: twitch.tv (embedded player), youtube.com (embedded player), facebook.com (likely just a like button), and what I assume are several wordpress CDNs (c0.wp.com, i0.wp.com, s.w.org, ssl.p.jwpcdn.com).
If this ruling is upheld, either (a) browsers need to immediately stop interpreting these commands, instead providing user prompts for _each offsite load event_, or (b) a very large swath of websites are all open to the same legal issue. As a small example, the Aesop wine company site (https://www.aesopwines.com/), made with Squarespace, uses typekit, squarespace, and google CDN loads. They're subject to the same ruling, right? And so on, and so on...
> browsers need to immediately stop interpreting these commands, instead providing user prompts for _each offsite load event_
No, why should they? The ruling makes the (pretty realistic) assumption that users are in no position to decide about individual load requests. Therefore, those are the responsibility of the site author.
This way to interpret the events seems most consistent with real-world usage. Meanwhile pretending the user is responsible to vet any individual network requests seems like a legal fiction - except there is no reason why it should be applied.
By this argument, then, should third party requests always be blocked? If the user "is in no position to decide", that means that the only way to avoid potential liability would be to load everything from the same domain, right? No CDNs, no off-site scripts, no off-site embeds, ever. Seems a bit extreme to me.
To my knowledge, there are other avenues beside consent under which the GDPR allows data exchange with third parties - in particular if such an exchange is essential for fulfilling the service. The point here was though, that the data exchange was not "essential" because you could simply self-host the fonts or proxy the request through your own servers.
But yes, it would seems to me that this interpretation of the law sort of communicates that third party requests should be a measure of last resort. That would definitely cause a shift in current web dev practices, but I'm not sure it's a bad thing.
> avoid potential liability
I think "potential" liability is an odd criterion. Any law is a risk of potential liability. If the effort to find out if a law actually applies to you is already too much, then I guess anything less than anarcho-capitalism would be unacceptable.
Do you, as the website operator, have the right to copy and serve these fonts to your visitors? (Actual question; my guess is that you don't according to Google Fonts, but could be wrong.)
> proxy the request through your own servers
Isn't this worse? Assume that your visitor does not want Google contacted at all as part of their visit; isn't, then, the potential leak of an IP address simply a side effect? The website is still leaking timing of when a visitor accessed the site, potentially their usage patterns...
Personally, I think this is a bit of an absurd argument... I think, at most, consent should be enough for third party requests. I was mostly responding to GP's claim that the user can't reasonably consent to such use.
> Do you, as the website operator, have the right to copy and serve these fonts to your visitors?
Good question. I have no idea, but apparently the court thinks self-hosting is ok in this case.
> Isn't this worse? Assume that your visitor does not want Google contacted at all as part of their visit; isn't, then, the potential leak of an IP address simply a side effect? The website is still leaking timing of when a visitor accessed the site, potentially their usage patterns...
There is a specific set of data which is defined as "personally identifiable information". IP address is part of that set, but I don't think timing information or anonymous usage data are. So the question in this case is specifically "does the request leak information defined as PII?". You can prevent that effectively with proxying: Google would only see the IP address of your proxy but not the address of the user.
> Assume that your visitor does not want Google contacted at all as part of their visit
I don't think a user can enforce this under the GDPR. They only have a right to block you from sending their PII to Google, not to block you from talking to Google at all.
> Do you, as the website operator, have the right to copy and serve these fonts to your visitors?
All the fonts on Google Fonts are open source. When GDPR came into force in 2018 I downloaded all the fonts I needed, checked their licenses, and uploaded them on my servers along with necessary notices as required by the licenses.
The matter could also be sidestepped if the CDN were to offer a GDPR data processing agreement (DPA) and would make guarantees about the locations of servers. The free public CDNs understandably don't do this, and it seems Google Fonts is not covered by the Google Cloud DPA.
At least in Germany (possibly also other European countries) a design pattern only loading Facebook/Twitter/Youtube/... content with explicit user consent is nowadays pretty common.
But shouldn't the site owner pay for a CDN and host the resources themselves? In which case the CDN wouldn't own the IP information. I think the problem here is that the website author is getting free bandwidth in exchange for their user's IP address, which in the example Google can then use for tracking and other things in exchange.
> But shouldn't the site owner pay for a CDN and host the resources themselves?
Not sure I understand this. Whether you pay for a CDN or not, you'll still be guilty of sending the user's browser to an external domain without consent (because it happens before the page is fully loaded). The only GDPR-compliant solution seems to be self-hosting everything.
That's true but the mitigation to that is that it would have been OK if the user has consented to this "data processing".
The court isn't ruling this sort of technology en bloc but says in its ruling that it is a problem because the user didn't consent to his personal data (IP address) being given to a third party (Google in this case).
Personally I have mixed feelings about this ruling too because this sort of technical solution is widespread and an army of GDPR vigilantes has the potential to cripple large portions of the web by filing similar suits. Or we won't be able to access websites without having to go through entire multi-page EULAs and consent forms for every and all kinds of similar 3rdparty technology embedding.
Law is a blunt tool and will have unintended consequences, unfortunately :(
A lot of websites won't serve addresses from Germany.
I've seen companies doing that with just the GDPR cookie warning, it wasn't worth rewriting code and annoy non-EU people with the warning so the detect IP address and redirect to a page saying they don't serve that region.
Let's be honest, what have we gain from the cookie warning?
That is a minority and mostly only US-centric sites that are otherwise chock full of advertising/tracking technology - exactly what was GDPR meant to deal with.
However, GDPR and this type of ruling has EU-wide impact because of the single market (e.g. a French website can and does server also German customers). Businesses (especially the ones from the EU) can't afford to not comply or to not serve customers within the EU.
There is an important point to this ruling that shouldn't be omitted:
> Der Einsatz von Schriftartendiensten wie Google Fonts kann nicht auf Art. 6 Abs. 1 S.1 lit. f DSGVO gestützt werden, da der Einsatz der Schriftarten auch möglich ist, ohne dass eine Verbindung von Besuchern zu Google Servern hergestellt werden muss.
To roughly translate: One can use Google Fonts without forcing users to make a request to google servers (by downloading the fonts and serving them locally) so this doesn't fall under GDPR (which allows sharing/using user data if it is necessary for functionality).
Which would most likely include CDNs but a point could be made for things like youtube and twitch where that isn't really possible/feasible.
Edit: One addition to the "necessary" part: Necessary for what the USER wants to do when visiting your site. Might be arguing semantics but this is law after all, which is all about semantics
Then get Squarespace to stop pinging random third parties on page load. The website owner is paying for Squarespace, why is it loading Google CDN (and Google trackers?)
It's loading fonts. So squarespace needs to host those fonts, fine. But more to the point, it could be argued even the Squarespace CDN is "different" from the actual website, so we need CDN shims that forward local domain requests to the CDNs and return the results. All to hide an IP number for downloading fonts." Moreover, "host it yourself" is easy if you're technically skilled, but very, very difficult if you aren't.
> And hosting a font file entails dumping it next to your index.html file and adding some very basic CSS. Not exactly difficult.
If you are a 60-year-old woodworker living in Appalachia trying to set up an online store to sell hand-carved flutes, this task is essentially impossible.
So they will have outsourced their website to some external entity that does possess the required technical knowledge. This required technical knowledge should include the ability to host a simple file.
The 60-year-old woodworker living in Appalachia will be relieved to know that browsers are able to display text in their online store without having to add any font files at all. If the 60-year-old woodworker living in Appalachia decides they absolutely must have a custom font on their website then self-hosting that font file is not any more impossible than adding the HTML/CSS required to fetch it from Google.
Caching was never mentioned as being a requirement. I'm only giving the most basic solution for achieving compliance with regards to hosting a font file.
Scope creeping, on a Sunday no less... where are we headed
ianal, but I think CDNs would not be affected by the ruling, since they serve an important function.
Google Fonts was deemed illegal here since it's not necessary and you can easily provide a font in a privacy-preserving way.
Not a lawyer as well but I'm not sure about this. Let's use the "jQuery served by a CDN" example here: You can easily argue that using jQuery is necessary for your site to function but there is no real benefit to the user by doing this with a CDN when you could just ship jQuery from your own server. AFAIK the benefit of CDNs is largely nullified nowadays by browsers using a different cache for each primary domain anyways, so you can't even really point out a potential benefit for the user (faster load times) here.
> the w3c standards define, that browsers execute the commands they receive from the server
I'm no expert in the matter, but this seems a little convoluted to me? To me, the server does not issue instructions, per se, it returns a declarative text/binary response that describes the sturcture of the website, it is then up to the browser, that the user installed and chooses to use and may configure (and possibly configure to leak their data, even if spec-adhering behaviour of rendering the webpage should not), to attempt to understand the document and retrieve any other resources that may assist displaying the content correctly.
On the other hand, if one was to send CPU instructions back to the user, I guess it's also there choice to execute them...? Also, it's not possible to determine which resources are for display purposes (fonts), and which are for tracking purposes, the browser will blindly have to retrieve the resource, so websites have a certain responsibility to issue privacy-respecting "instructions".
I'm trying to argue both sides here, I still believe that the user chooses voluntarily to use the browser, visit the webpage and therefore parse the document and initiate any subsequent requests that the document proposes, on the other hand, this is beyond most people, they just want to view a frickin' website, so perhaps the lives of web developers should be made harder to make the lives of the average Joe, who is not an IT expert, a little easier? The architecture of the web is inherently not privacy-respecting, in order to save bandwidth (and for sake of simplicity), we only send fragments and let the browser choose what else it needs, which can be tracked.
It's like walking in a park. You choose to show your face to people, we've come to just accept the fact that by the laws of nature, we cannot prevent other people from seeing our face (unless you use a mask, but then you make them very uneasy), we leak data that others can remember and use to identify us later.
Try making this argument with compiled code instead of HTML:
"The company included the code to do $BAD_THING in the binary executable, but it was the user's choice to run it, and he could have easily modified the binary to ignore $BAD_THING, but didn't. Therefore, it was the user doing $BAD_THING, not the company."
A lot of people in this discussion are splitting hairs here, trying to blame the user or the browser. The technical details of what a browser does are less important than the end effect: Fundamentally, the web developer added "stuff" to the HTML, knowing that this "stuff" will cause most browsers in the field to access these fonts on another computer. The fact that the end user could technically block it, doesn't change the developer's intent.
Correct. The question for law is: what does a reasonable person expect?
This is a problem because people (in general) are not good at understanding or reasoning about what computers do... and the entire purpose of the web is to put a simplifying, abstract model in between what humans want to do and how computers work. Models are always wrong, sometimes useful. The web is very useful because it is wrong.
If the web were more like Gemini -- I'm not advocating for this -- every link would be an explicit change, and the argument that a reasonable person would be aware that different things came from different entities would be solid. If JavaScript existed but a web page could not request any resource from a non-origin domain, the argument would be solid.
It's not reasonable for a random user to have to internalize a model that says that sometimes the font used by a page is local, sometimes it is supplied by the website, and sometimes it is a call to a third party. It's true, but it's not reasonable.
From my experience, I think the average user treats the browser and the internet as a black box anyway, they don't reason about what is happening. As long as they can get to what they want, they don't really care what happens in between. Cookie notices get in the way, and therefore annoy them. Most also just accept the fact that there data gets leaked everywhere and there's not much that they can do about it. I genuinely don't believe that the average user can make sense of the TOS that they agree to when signing up for something...
This is definitely not a good thing, and should change, but I also believe that ad-driven companies will continue to find a way, we just continue to rack up operating complexity, which in turn, favours large companies. This ruling seems like a pretty weird and unhelpful way (in the grand scheme of things) of helping protect user privacy, but then again, that was not the goal of the lawsuit.
Yeah, I guess this stands. But HTML is not executable. It has to be parsed, like words in a book, not chemicals in a tube. Who is liable, the person who creates the poison, or the book (encyclopedia) which describes the process (and therefore the person who wrote it/distributes it)?
Again, I'm not saying what is right and wrong, but I think this issue is fundamentally much, much more complex than the court may have thought, and more importantly, may have repercussions on almost every website out there.
> Yeah, I guess this stands. But HTML is not executable. It has to be parsed, like words in a book, not chemicals in a tube. Who is liable, the person who creates the poison, or the book (encyclopedia) which describes the process (and therefore the person who wrote it/distributes it)?
I know as soon as you typed this, you probably thought "oh crap, what about Python?" so I won't go there.
I think the major underlying thing here that makes developers uncomfortable with this court ruling is that the whole industry of software development has a chronic and pervasive problem with the idea of consent. I'm not saying individual software engineers don't know what consent means, but we constantly put out software that does things without giving the user informed consent and control, and resist all efforts to force us to ask for this consent.
Imagine trying to use the Software Industry's idea of consent when dating: "Hey, Alice, do you want to go out on a date with me? I'll only accept the answers [Yes] or [Ask me again later]". Ridiculous! But software regularly does this! "Hey, Bob, I love you and I'm going to keep sending you text messages. Do you want [all my text messages] or [only essential text messages]?" Ridiculous, but look at the "consent" options when it comes to cookies.
Not to be crass, but when software wants to get users to do something, they need to treat it as if the software is trying to get laid: You need to ask for, and receive, informed consent at every step of the way, at every new and different request. This is an uncomfortable idea to developers who are used to just commanding the code to do things.
I didn't, actually, but it's a fun thought experiment :)
Python code is instructions that are executed in a very precise manner, they could, in theory, encrypt a hard-drive. You execute the program the same way you execute binary instructions.
HTML is a description of a problem, there are different interpretations, and different solutions, depending on screen-size, etc. You don't always get the same result. Technically, JS could mine crypto, but I don't believe that's illegal (correct me if I'm wrong?), just very inconvienient, and there wasn't any JS involved here. You could make a browser that leaks data due to misinterpretation of the HTML. The problem also lies with the eager-evaluation of HTML, it's difficult to put a disclosure or ask for consent, such as the responsibility clause of most software licenses, without greatly annoying the user...
> makes developers uncomfortable with this court ruling
Guilty. At the end of the day, we need to get stuff done, without creating a private internet infrastructure for our customer. The small guy is at a disadvantage here, not big companies.
Not really. You are making this much harder than it has to be by bringing in irrelevant technical arguments. The court mostly cars about intent and effect, not technical minutiae.
Also by your logic machine code isn't executable either since it too has to be parsed (by the CPU which transforms it into microcode instructions).
In your paradigm: shell, Python, Ruby and Java programs are not executable either, since they require interpreters before they become machine code. Java calls this bytecode and wants to run on a whole JVM, which is rather like a browser.
To follow down the difference here I think that the browser is much more aware of what it is doing than compiled code. It know what this is a stylesheet or a font, it knows it is coming from a different origin and more. Technically the browser is very capable of blocking all third party resources (if you assume that party == domain).
With compiled code stopping it from executing one particular instruction or feature is much harder.
Basically I think the declarative is a significant difference.
Of course I don't think the law thinks that. Otherwise we would have implemented technical measures for limiting cookies such a permissions (with legal backing) rather than these legal-only ones which are abused more often than implemented as they are supposed to be.
I think you confuse user, the Human, and user, the Programming Idiom.
User, the Human, is not going to be asked weather or not the browser should open every one of the possibly hundreds of references in a web page!!
Now, user, the Programming Idiom, might be configured, programed, etc.. to behave differently, but the reality is that is that's not how the modern web works. If the browser is not configured to behave the way it comes from the box by Google, Microsoft or Apple, most pages will not work correctly.
So I think your configuration/technical argument is purely theoretical. The court cannot expect the average user to understand do any of that.
> User, the Human, is not going to be asked weather or not the browser should open every one of the possibly hundreds of references in a web page
Exactly, because we strive for a balance of convienience with complexity. Most people wouldn't mind downloading a font from Google, they already use it directly anyway. This isn't how law works, as an engineer, I'm just trying to find some sanity in what to me seems like an insane court decision with possibly very big repercussions for the rest of the internet.
But User, the Human has the means to command its User Agent, the Browser, to conveniently skip loading whatever they would not like to see, like fonts, executable scripts or ads.
Your post basically amounts to blaming victims of malware and spyware.
"Sure your honor, the victim died by carbon monoxide asphyxiation, but it was his choice to inhale the gas, even though it smells the same as normal air"
I'm not trying to put any blame here, we can twist metaphors to support either side of the argument.
I definitely think that websites have a huge responsibility in keeping the user safe, but this feels to me like an over-extension of GDPR that will make websites much more difficult to develop in the future for the layman without a team of layers. It's a font, there was no malicious intent.
But I am trying to put blame: people who wrote the malware/spyware code are to blame. Similarly to people who write website code that leaks user personal information. The choice to embed third-party code was made by them.
It is nowhere near reasonable to ask a common user to protect themselves from such things: they might not have the technical expertise. They might not be using their own computer (library, etc). The browser doesn't provide enough tools for it and requires third-party solutions. Third-party solutions can either cost money (Little Snitch), additional hardware (Pi-Hole), are not available in all browsers (uBlock Origin due to its interface) or require technical knowledge (other ad-blockers that use lists).
This is called plausible deniability- the site owner knows what he is doing, but does not care. He could have downloaded the font or used a analytic service which does not collect IP address. Great ruling.
>The ruling says the website owner illegally shared the user’s IP address with Google. AFAIK, this is an incorrect interpret of events.
I wouldn't say so. By making use of the Google Fonts service, the website owner set up a scenario where the browser would then share the user's IP with Google. That's the default behavior of most browser setups. It's as good as sharing with Google directly, no? I feel like the scenario is similar to setting up a trap. Technically the victim activates the mechanism, but surely the one who sets the trap carries the blame?
> Technically the victim activates the mechanism, but surely the one who sets the trap carries the blame?
Well said.
Law is not a programming language, the fact that the website didn't _technically_ share the IP, but did it through the browser, is not relevant.
I agree, but the definition of the law can also be interpreted many different ways, until it's clarified, I guess. This seems to me like a very grey area.
There was no trap, in my opinion, document clearly specifies that an additional resource, here a font, will help the website look as intended by the designer. It's visible and its effects are well known (it's part of a well understood specification) and can be blocked. Websites have a responsibility, absolutely, but this is just feels like going too far...
The going far feeling might come from the Overton window being pushed away in a direction. Regardless of what's right, healthy, good or bad usual things feel normal, and unusual will feel like going too far. The thing that matters in this feeling is what someone is gotten used to, which is not an objective quality of the thing, but an attribute of the viewer.
Not a lawyer, but to my knowledge, GDPR does not care if something technically "can be blocked" with some effort. It cares if there was clear, voluntary consent to share a particular bit of data - which wasn't the case here.
Then GDPR should blame the browser vendors for shipping with JS execution enabled by default and demand that JS execution for all browsers be turned off by default. To repaint the stories spun by the grand parents: If I hold up a dagger and announce the fact, why would you run into the dagger anyway without protection? Put on some armor, dude. The client browser had all the information it needed to not make the request (geolocation, external resource, purpose of external resource) and yet it did. I know this is just shifting blame but it's also a good argument for returning HTTP 451 to EU clients and be done with it.
>If I hold up a dagger and announce the fact, why would you run into the dagger anyway without protection? Put on some armor, dude.
Let's say I'm dumb, and I run into the dagger that you're holding. The case is then investigated by the law enforcement. Who do you think they'll blame? Would I be deemed guilty, and would my crime be not having armor on?
I'm not either, and neither are most developers. My takeaway from this is GDPR doesn't care, leaked data is leaked data. I'm just worried about this implications this will have for non-malicious intent that the internet has evolved to use over time. Perhaps this is for the better, but I fail to see that future at the moment.
This is, for better or for worse, how the internet works. There may be better alternatives, but we're stuck with this for now. The truth is that an extraordinary amount of websites use a third-party resources, jQuery from CDNs, fonts from Google, etc. This ruling will never stand in higher courts imo, because it would break the internet through fear.
I'm curious to know whether DNS and your IP being in the the header of packets travelling through various different countries that can be sniffed is also considered as unwilful data sharing?
This ruling will 100% be upheld in the higher courts.
The website is arguing that they have a legitimate interest in downloading fonts from Google in client browser, but as the court correctly states the website can provide these fonts directly. There is no reason to infringe on the user privacy, so there is no legitimate interest. And therefore use of Google fonts was without a legal basis.
BTW - The website could have used a different legal basis out of 6 available, like consent. See: https://gdpr-info.eu/art-6-gdpr/
> I'm curious to know whether DNS and your IP being in the the header of packets travelling through various different countries that can be sniffed is also considered as unwilful data sharing?
Unless there is another way to achieve the same purpose there is a legitimate interest in processing that data for the purposes expected by the client i.e. providing internet service.
> The website is arguing that they have a legitimate interest in downloading fonts from Google in client browser, but as the court correctly states the website can provide these fonts directly. There is no reason to infringe on the user privacy, so there is no legitimate interest. And therefore use of Google fonts was without a legal basis.
Would the same argument apply to using Strip or Paypal to accept credit card payments? The site could deal directly with a lower level payment processor which would reduce the number of third party entities that see the user's credit card.
I wouldn't say so, especially because the in the shops I encountered, they explicitly state that "Payment will be handled by XY provider. You'll be redirected etc etc". That's not exactly using a resource from a third party in the background.
This clearly falls into Art. 6 GDPR paragraph 1, point b) :
Processing shall be lawful only if and to the extent that at least one of the following applies:
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
This legal basis is a lot more clear and a lot less stringent than point f) legitimate interest as it does not explicitly require you to establish "legitimacy" and balance it against vague "interests or fundamental rights and freedoms of the data subject".
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
I'm not a layer (web dev in my spare time), but how far does "provide more directly" go? A private ISP? There's no limit, only what seems to be considered by the courts as "reasonable". Then again, that is how law is interpreted most of the time, no?
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
You can do basically anything with things like IP addresses as long as you have valid consent from the client i.e. they need to actually know, or at at least be able to learn, what you are doing with their data and decide that it is ok. So, no guessing here, just be transparent, and assume no consent by default.
In case of ISP they have to process your personal data because it is necessary for the performance of a contract of providing the internet service. Also, no guessing here.
The legitimate interest clause is a "catch all" clause for anything that legislator did not think about, so it is very vague by design. You do not want to choose this as a legal basis for data processing if you do not want to deal with legal uncertainty. But if you do choose it, you should have strong arguments that you really need this legal basis.
If similar companies to yours are able to do exactly the same thing in a way that is less impactful on privacy then you can expect that courts will not grant you a legitimate interest.
You can also do legal tests do determine whether you have a legitimate interest:
- The purpose test (identify the legitimate interest);
- The necessity test (consider if the processing is necessary); and
- The balancing test (consider the individual’s interests).
Also, based on my observation if you are not doing anything really egregious and you are willing to cooperate with data protection agencies (DPA) you do not have to worry about anything. If DPA decides you are doing something wrong they will tell you about it. And if you just adjust, like start to host fonts on your servers, they will let it slide or give you a small slap on the wrists. The really high fines are reserved for malicious conduct or gross incompetence with actual harm already done to people.
> This ruling will never stand in higher courts imo, because it would break the internet through fear.
It wouldn't break the internet. The internet was fine when the vast majority of sites hosted all their own content and didn't ask your browser to load crap from dozens of domains. It wasn't even that long ago. Honestly I think it was better.
But it has since evolved, greatly, in complexity. Just because things were like something once, doesn't make it easy to go back. Hey, I'm all for more privacy, I'd like to go back to how it was before but keep the good parts from today, but this would make it harder for the small guy without some advancements in IT, private CDNs and easier font management. IT is already a nightmare just to keep it from breaking.
That we’ve been doing a certain thing in the past, is no excuse to allow it to continue going forward. It is a good that we are challenging practices that we have taken for granted and validate whether we want such practices to continue.
"Can be sniffed", and "Provider is making a third party sniff" are two different things. Legally and ethically too.
Right now you're right, the internet works this way. But that doesn't make it right, or fair, or anything, it just is. And it's also no reason it couldn't work in a different way.
> I'm curious to know whether DNS and your IP being in the the header of packets travelling through various different countries that can be sniffed is also considered as unwilful data sharing?
The IP has to be there for the return TCP packet, so under GDPR this falls under "strictly necessary" information.
If someone sniffs you, they now have your PII. They can't do anything with it that is not "strictly necessary" without your consent, otherwise they're also on violation of GDPR.
The only people trying to "break the internet through fear" are the doomsayers.
Is it strictly necessary to have that many intermediate parties to handle TCP packets with the user's IP?
You can instead peer with the user's ISP, or install a machine into the user's network (something like a amazon echo / google home could work too) which establishes an encrypted tunnel to your main servers. Sure it would be more expensive to do this, but so would hosting your own copy of a font instead of using a CDN like Google Fonts. What's strictly necessary doesn't mean what's necessary in order for you to host the site cheaply.
It is considered strictly necessary under GDPR, yes, because TCP/IP (and UPD) is how the internet works.
Something being "strictly necessary" under GDPR also doesn't mean that each intermediate entity can do whatever they want with the IP address.
> which establishes an encrypted tunnel to your main servers
Grandparent was talking about "packets travelling through various different countries". This is just TCP/IP. Using a tunnel won't change this, intermediate routers will still see your IP. Your idea is no different from HTTPS.
If you don't want intermediate routers seeing your IP you have to lay 100% of the infrastructure between the customer's house and your website. Again, this is not how the internet works. And GDPR already covers potential privacy issues that might arise in this case.
> The difference is that now your IP is what all the intermediate servers see instead of user's private data (your user's IP address).
Nope. Your IP is also visible by each router in-between when using such a tunnel if the machine is in the user's network (in your Amazon Echo or Google Home). You need alternative infrastructure to bypass the internet.
Installing a machine directly in the ISP building is no different from Carrier-grade NAT that is already widespread. It also leaks some data about you that can be deanonymised. It is also extremely expensive.
Sorry, I don't mean to play the devil's advocate, this has already gone way off-topic so take what I say with a pinch of salt.
But technically, the IP is not strictly necessary? I can imagine a feasable future where it could be replaced with an anonymised IP from a larger pool generated by your ISP, with TLS for the payload. This could be solved at the internet infrastructure layer, and not required by to be solved by website developers.
> I can imagine a feasable future where it could be replaced with an anonymised IP from a larger pool generated by your ISP, with TLS for the payload.
This is already a thing with NAT and Carrier-Grade NAT.
However if the IP + port + time trio, coupled with other information (such as browser, stack, timezone, behavior) can be used to de-anonymise the user, this also instantly becomes PII.
> This could be solved at the internet infrastructure layer, and not required by to be solved by website developers.
It could, but until we get there, website developers will have to deal with it.
Identifiability for IP addresses uses an even lower standard. The GDPR says that for something to be truly anonymous, there must not be any “reasonably likely” means for identification, even with the help of third parties, even when relying on additional information. There has of course been litigation about this, in the form of the Breyer v Bundesrepublik Deutschland case. It was based on the GDPR's predecessor law, but it used virtually identical phrasing so the conclusion still holds.
The European Court of Justice constructed a hypothetical scenario to show that identification can reasonably be likely. Let's say the website was attacked by a hacker. In a logfile, you find the attacker's IP address and want to prosecute them. So you report the incident to whatever authority is responsible for such incidents, which then gets a court order so that the attacker's ISP discloses information about the IP address. As long as the ISP knows to whom that IP was allocated at the time, there is now a reasonably likely chain of events that leads to identification of the person behind the IP address.
In this case about Google Fonts, the court says that it's sufficient if the website operator or Google have the “abstract means” for identification, not whether they actually did this for this plaintiff's specific IP address.
A solution would be if the EU forbids ISPs from keeping such logs, but given repeated attempts at mass data retention laws for national security purposes and pressure from the IP industry^W^W film and music industry for copyright infringement prosecution purposes, that doesn't seem likely.
To handle resources, like a jQuery library, I'd love seeing URNs being used. A Universal Resource Name is supposed to uniquely identify a resource solely by its name, and say nothing about where to find it - which is the job of its sibling, the URL. A website could state that they need "urn:uuid:6e8bc430-9c3a-11d9-9669-0800200c9a66", and then the browser could decide where to look that up. In my local cache? The cache distributed with the browser? The ISP's repository of resources? The original first party? My VPN provider's fancy anonymized lookup service? Whatever the case, it feels like a robust way to handle shared resources, and of course to introduce a myriad new ways to break UX but hey it's progress!
By that logic, any and all tracking pixels, javascript, iframes, etc would be regulatory no man's land, because all of those are technically just "intents" the server signals.
Nevertheless, users are seldomly in a position to decide whether or not those intents are followed (and site owners can get quite mad if a user instructed their browser to "decline" such an intent e.g. through an ad blocker). All of that makes it reasonable to treat those intents as commands.
Users are enabled to set policy by disabling JavaScript execution by default. If GDPR sees an issue with current default policy, it should mandate that policy is in alignment with user expectations by default, by disabling policy. For web content, after all, doing everything on the server side is not impossible.
Where does it say they see an issue? They just argue that web assets are the responsibility of the site developer, not the user - which is the exact opinion site developers have as well in pretty much every other context.
It's also the expectation of users: Most users aren't experts and don't know what javascript, web fonts or GET requests even are.
You can't have your cake and eat it too.
> Users are enabled to set policy by disabling JavaScript execution by default.
They aren't. All mainstream browsers have removed the option to disable JavaScript. You have to install 3rd-party plugins to get the option back. Those plugins frequently break sites.
>The website merely tells the user’s browser that the content is intended to be displayed using a font that, if not installed on the user’s computer, can be downloaded from Google’s server.
"Your honor, I merely told the gun to strike the firing pin. Without a round chambered in, the gun wouldn't have done anything."
> and this can then be used for advertising purposes.
Can it? Is this within the range what Google is allowed to do in the EU right now?
Because, if that is the case and we also wanted to stop that, wouldn't it be a lot more reasonable to just... forbid Google from doing that, instead of slapping every confused wordpress hack in the EU with a fine?
Google cannot escape the US government agencies (CLOUD act) etc.
It doesn't matter what the promise.
They could sell their software stack to an independent European partner over whom they don't have any control and who doesn't transmit data back to the US.
If China can mandate Google to do something like that and having Google submit to it, effectively escaping US jurisdiction for this part of the world, why wouldn't it work in the EU applied to a completely different set of goals?
US jurisdiction doesn't even protect its own citizens against their government requesting data from google about them, why would it protect those of Hong Kong from their ... oh wait i get it
> Can it? Is this within the range what Google is allowed to do in the EU right now?
Google's current GDPR consent screen is not compliant. It provides an easy "accept" option but no easy decline option, which is against the regulation.
Given they are already breaking the law and successfully getting away with it (otherwise they'd stop), why would they not break it here?
In fact, it doesn't even have to be malicious; the data can accidentally be fed into a dataset that's used for ad targeting - maybe it was set up that way a decade ago, nobody knows about it and it isn't entirely obvious considering the entire targeting machine is a black box with thousands of parameters so it's impossible to definitely prove what data was used to target a particular ad.
It really depends. If the website links to a URL that is the same for everyone on every website which uses that font, then without a referrer header (which is up to the browser to send) there is not much tracking info.
But if the website uses a URL that is unique for that site, or even for each user, that is absolutely something I'd hold the website owner responsible for.
Of course. Good point. If an individualized URL would be used, it would be another story.
Though I don’t think that Google Fonts URLs contain individualized parameters by default that disclose either the user’s IP address or the site visited. The ruling also does not mention that this is what happened here. All the site user did, from what I can see, is embed a Google Font.
Had the site owner put an automatic JavaScript redirect to Google on his page, he’d be just as liable, according to the logic of this ruling.
This isn't "just" initiating a request to a random third party server.
Chrome sends a unique ID when accessing (only!) google servers, in the form of X-client-data HTTP header, uniquely identifying the user, and the site he is browsing (via referrer). It's a goldmine.
No, defendant made website in a way that request to Google is part of the required requests when you visit their website.
It does not ask person browsing for permission to do the request to Google. Probably there was also no mention anywhere that code of website will be connecting to a 3rd party server to pull fonts.
Your point was that Chrome sends additional tracking data specifically to Google. That is all Google’s doing.
But also let’s break down the many many things wrong with this case:
1. Your IP address is shared with many different infrastructure providers none of whom you know about: the CDN that is serving content, the server hosting providers, the TLS certificate revocation log where your browser checks if they given domain’s certificate has been revoked, the DNS server you used. It is a given that your user agent will tell half the Internet that you IP is trying to access a given website. Unless everyone hosts their own infrastructure entirely (no CDN, no external APIs, no external DNS servers, no leasing servers let alone AWS or similar), we will never not leak IP addresses. Your only solution to this is to use something like Tor.
2. Asking each and every website to create an increasingly more complicated consent form for every service they use is going to create a huge anti pattern. The cookie consent forms already suck harder than a Dyson. Why would anyone want more of that?
The correct solution is for Google to be punished for doing evil shit and to also build all the privacy controls into the user agent. This would still lead to some consent forms but at least the UI would be uniform and easy to understand. The current situation sucks bad and this case will make it worse.
That was not my point but of other user. Even though I can continue argument.
People that made website could make a website without linking to Google fonts.
All the other things you list like hosting providers are technically necessary to deliver website content or like request to TLS revocation log are implemented by browser and not by the defendant.
Yes complicated consent forms should get even more fucking annoying so companies should loose traffic if they don't think twice about using some 3rd party service.
If I have to click through 5 consent forms, I leave and company is not getting business. Other company that is caring about people data will have no need for such consent form and will be getting more business.
KEEP in mind that if you have your own cookies for your page to work like session cookies that are technically needed to login or use page, there is no consent form needed at all. People should just stop visiting pages that require consent.
Who does make my browser request the resource? Clearly the website owner who can also decide to make the browser load a resource fully under their own control. The user could block it, certainly. But I don't want my browser to ask me for every single URL if it's okay to request a resource.
So does this mean assets hosted by CDNs are illegal now? Since it doesn't ask the user's permission to direct the browser to another site to download said assets? And what if they're already cached in the browser. Distinction?
Seems like laws don't understand how tech works...
You’ll soon have to fill out a form as if undergoing surgery just to visit a website. (And, of course, were all gonna click “Accept all”, just as we do with cookie warnings and Apple TOS.)
These judges do not know what they do. They only care about getting the case off their desk, clinging to the first semi plausible argument that allows them to do so. If you look for vision, guidance or responsibility for shaping the future I which we want to live, look elsewhere.
>Seems like laws don't understand how tech works...
That's pretty much the definition of a law. Laws are written for people, by people. Not for computers.
This is sadly an unintended consequence of a very broad interpretation of GDPR, where an IP address is deemed as personally identifiable information.
If someone wanted to take this to absurd levels, similar argument, as has been made by this court, could be used to make the entire Internet illegal under GDPR - sending a packet exposes personal information of the sender to various third parties (routers of various ISPs) that the sender didn't consent to. And given that the recipient (service provider, website, whatever) could have arranged for having the data transferred on a floppy disk or by a pigeon instead ...
It is not only GDPR that suffers from this - e.g. in Austria it is illegal to drive with a dashcam because their court has ruled that a dashcam amounts to recording someone without their consent - and if you do so, it exposes you to a 20k€ fine!
Absolutely not surprising. I am originally from Germany and the whole of Bavaria is excruciatingly underdeveloped when it comes to IT.
Outside Munich, it gets even worse as you venture deep into beer county where people who can reformat Windows are admired as the next Linus Torvalds and competition consists of people with varying degrees of beginner-level knowledge competing against each other.
Merkel once said that the internet is a new territory for all of us... I am surprised the court even understood half of this.
Bavaria only? If it had been up to Germany’s buerocrats, the whole internet would not exists.
(Also, no cars. For calling a Ford Model T an “automobile” if it still needs a human driver is misleading to consumers, according to, again, the Munich district court.)
Where is my personal responsibility in making sure that the food I buy isn't poisoned and that the producer doesn't use slave labor? Where is my personal responsibility in making sure that my friend will return me a loan I made to him? Of course it is sensible to make basic precautions, but it is also sensible to expect social institutions like the legal system to help.
Our society is immensely complex; it is quite naive to assume that everyone has enough time and power to watch out for things like that and fix them. It is also quite dystopian to think that people should by default treat every stranger and company as adversary.
> It is the the user’s browser that initiates a request to Google’s server. A request by the website itself to Google sharing the user’s IP address never actually occurs.
Manipulating a system so that it gives up information that wasn't intended to be given away, is called hacking.
When I specify that the font used on my page can be accessed at a particular URL, I’m neither asking you to download it (the font might already be installed on your system), nor am I requesting that, if you do download it, you pass along a “referer” header. I am not only not making your browser do this - I’m not even asking it to do so.
> When I specify that the font used on my page can be accessed at a particular URL
But this is not what you are specifying with Google Fonts (usually). You are saying: "To properly see this page, download this instruction file (CSS) from this other host". It doesn't matter if I have the font already installed, I still ask the CSS file to Google.
I doubt that WWW was designed with intention to allow that. A bunch of different people with different goals do stuff they want and the result is something that just happens without anyone's intention. And we have legal systems and regulations to clear up such situations.
It was explicitly designed to do that. HTML is explicitly designed to allow content from multiple places; it is designed to do so. Your browser is designed to read that HTML and fetch those resources to render the page. The internet is designed to cache that content. Your browser cache is designed to cache that content so future fetch requests are faster.
There's so many pieces explicitely designed to do this, for exactly this reason, that there is no question as to this being the intended behavior.
Font servers are decades old. CSS added support for it in 1998, replacing earlier less common methods. This is not new or unintended behavior.
Technology changes behaviour and therefore society, "don't use it" is not an option in many cases, for instance in the old days it was common pay bills by filling out forms attached to a bill and then snail mail or walk into the bank or a postal office for a clerk to either manual or automatic process it.
With internet banking much of that old style payment system has disappeared and many banks no longer accept that style of payment or even has an office that you can visit and if it is still possible there is hefty fee attached. Not using a browser is not really an option in current society.
Would that logic also work for loading images from other sites and services? I never sent the info to the server myself but told the browser to load the image from that server. Is you argument that it’s client-side code so doesn’t count?
The technical implementation details don't matter.
What matters is that the IP will be shared with Google as consequence of visiting the site as long as the user didn't take additional actions and without the user having took additional actions which made that happen.
This will also happen if I place a link on my site that does not clearly warn the user that it leads to a non EU website. User clicks it, and his IP address gets disclosed.
Really, if you participate in the World Wide Web, of course your computer’s address will be visible to others, and you can not always control it. Like driving on the Autobahn. People will be able to see you. It’s part of life.
GDPR differentiates between functional necessary and non-functional necessary parts.
And again technical nit-picking do not matter, but user intend does.
Similar that side you link to would also need to be GDPR compliant (or not provide service in EU countries).
The problem with google fonts is that the side which loads them agrees in your stead without your permission to google collecting your data and using it for non essential use cases.
While when you navigate to an side, it must not collect data beside purely functional data until you agree to it. (and yes collecting IP address can be purely functional, depending on what you do with it and if you delete it
in time. E.g. for security logs and DDoS protection it can be purely functional. (if some conditions are meet)).
Be aware what counts as "neccessary"/"purely functional"(1) is not always fully clear.
What about embedding a Google Map? I see those even on websites of German courts.
Are those allowed because the embed is needed functionally?
Or are they not, because you could instead use a cached image of the map and switch to a “live” connection to Google’s map server only when the user actually tries to move or zoom the map (and after displaying a consent pop up)?
So if I put a really giant mirror and burn your house at 3PM it's the Sun's fault?
The ruling is actually quite logical. The (convoluted) outcome is that the IP is leaked and it should take any tech person about 5 minutes to realise this.
If I place a link that says “Search”, and instead of starting a search on my site, I send you to Google.com, your browser will connect to Google’s server and thus telling them your IP address. Such a hyperlink that does not clearly warn users that clicking it will cause you to connect to someone else’s server would also have to be illegal according to this ruling.
Which is the same thing with cookies, you just set some string in a HTTP header, if the browser actually honors that is up to user (in the way what browser he installs and how the user configures it).
Exactly. Your browser preferences are your cookie settings.
The whole business of littering the web with cookie consent forms is as far from a sensible technical solution to the problem as can be imagined. The people who invented the web and who designed browsers have had at least the aspiration to build a system that’s going to work as a whole. Courts and lawmakers, in the other hand, have no such vision.
The ruling explicitly says the right owner does not need to take precautions, because such an obligation would restrict the right holder in the exercise of their rights worthy of protection.
If you ask me, this argument is what we in Sweden call "satan reading the bible". I think you're fully aware that the practical result, i.e. what happens in reality, is that as the court puts it:
> The transfer of the user's IP address in the above-mentioned manner and the associated encroachment on general personal rights
Furthermore, the court is correct in stating that:
> The use of font services such as Google Fonts cannot be based on Article 6 Paragraph 1 S.1 lit. f GDPR, since the use of fonts is also possible without the visitor having to connect to Google servers.
Let's not be naive, we all know the purpose of Google offering these fonts for free via their CDN. As the author of a website, I think it's completely sensible that you should be responsible for the decision of embedding these fonts from Google rather than just serving them yourself: you are, in fact, "leaking" the IP addresses of your visitors to Google without their consent.
This is in my mind just another one of those things that have been considered completely normal for a long time, but really shouldn't. A bit like how literally everyone used Google Analytics 15 years ago without really thinking about what that meant for the ethical processing of personal data.
You’re making a good argument here. And you might just be right. You’re saying that website owners should be legal-politically responsible for typical privacy risks incurred by users if they are using popular browsers. And perhaps that is the right way to go.
However, what strikes me is that the court hasn’t even seen this problem at all. Your train of thought - that the request was issued from the user’s browser, but that the site owner was essentially in control because he essentially tricked the user into sharing his information with Google without being asked - is just not being discussed at all.
It might be very well that the end result is just. But then it would be a case of the blind chicken finding a grain.
GDPR specifies otherwise than your interpretation, logical as yours may be from a technical standpoint.
The site operator chose an optional way to embed fonts in a way that divulges PII to a non-GDPR destination. As there is no legal or technical requirement to embed Google Fonts, the site operator is therefore liable.
If use of Google Fonts was mandatory for the web to function, then the site operator would not have been found liable. It is not: they can be mirrored locally, or simply not used, and the web as viewed from the user’s perspective will continue to function just fine. (IANYL, etc.)
The website owner decides what's asked to be done. The browser is still owned by the end-user can choose to make the request. This is why ad-blocking is fundamentally required.
I can put “rm -r /user” in my HTML as long as I want. It’s the user’s browser that decides what gets executed. This is a fundamental principle in the architecture of the internet. You cannot make another computer do anything. You can only send messages, and the receiver decides how to act on those.
Except you cannot. If you are aware of a vulnerability that triggers the destruction of user's data from the browser just visiting a website, abusing it would be illegal.
No because hacking generally circumvents the intended system design. The architecture of the World Wide Web explicitly allows for user discretion in fetching and executing linked content. There's no slippery slope from using a system within design parameters and executing malicious instructions on other people's systems without their permission and/or knowledge.
Good point. There is a distinction to be made. For fraud, we have those distinctions. If I send you an email that looks like an invoice for a service you already ordered, but is really, at closer inspection, an order form, I am still responsible if I planfully designed the email so that the average recipient would be fooled. This also means that if I send that email to grandmas I’ll be held more accountable than if I send it to lawyers. These are all important discussions. The ruling we see here just doesn’t enter such discussions, because the court hasn’t even recognized the problem.
But I didn't identify myself as a policeman. Just a request from some random person on the internet. The person I asked to do it didn't comply, because he knows better what instructions to obey. So should his browser.
Let's say you know I'm the kind of person to easily give people money. I just got my paycheck, and you knowing this, you ask me to give you the money. I'll give you the money because that's the kind of person I am. But then I'm left with no money for the month, and all of its consequences.
Who do you think would carry the blame in this situation?
A regular user has no idea how these mechanisms work and can't be reasonably expected to do the configuration themselves. Since it's a clearly privacy-hostile behavior to include this code in the first place, the operator of the website should be prosecuted.
The court did not even see this issue, i.e. the distinction between issuing a suggestion or directive vs. actually executing the request directly. The court, in fact, states that the was the website itself that did the sharing. The ruling suffers from unsound reasoning.
It could be, however, that the website owner never brought up these arguments. The court does not have to do its own investigation. This is called the “maxim of disposition” in German law. Whatever both parties agree on what is true has be treated as true by the court.
So if the claim that the website itself issued the request to Google servers was uncontested, then this ruling is sound, based on the claims brought forth by the parties in this particular case.
If you are that caring about your privacy, you absolutely should use a browser that is configured in such a way that it doesn't leak your IP to anyone you didn't consent to.
I'm running systems that I'm modifying to the extent that satisfies me, but that's not the concern here. Right now I'm caring about everyone's default privacy level, not just my own. And in this ideal world, third party sharing is not opt-out.
Yes, definitely. Ad absurdum, browsers could be mandated to have the user opt-in to every single instruction that is executed. It's technically possible, the user has control.
I think it's a slippery slope to imagine/enforce a transfer of agency between the website user and provider, where the latter will try to make the opt-in appear as simple as possible. An ideal opt-in is more than the click of a button, it's an understanding. A button accompanied by a wall of text isn't understanding.
Code in the frontend is absolutely not "asking". I'd bet that most of the users have no idea what's going on in their browsers and devices, and those instruments then, in turn, shouldn't prey on this ignorance. I know that this is not how the world works, but a difference is that we could have control over this one.
Hopefully we won't see popups like "This site will forward your IP address to Google is that OK?", because I'm already beyond bored with "This site uses cookies do you accept?".
Actually, your comment made me wonder how far does this go? Where does "third party" end? If I self host on Hertzner or Linode, I imagine their infrastructure logs IP addresses like Google Fonts here. But surely that doesn't require consent. Why not, what's the difference? What if you host with a much sketchier provider? I could see politicians thinking users would want to know if their requests were served by, say, China or Russia.
It's ok that their infrastructure logs IPs that it has to. They commit via their DPA to protecting personal data such as embedded in those logs, not logging what they don't need, not keeping it longer than necessary, only sharing it with third parties that agree similar protections, anonymising and aggregating as needed, etc.
You probably want an agreement like that with a hosting provider for another reason, not just IP logging: They have physical access to all your on site storage, user databases, etc. It's good that they commit to treating data on those physical systems with appropriate respect.
For that matter, does the fact that reaching my self hosted site must travel the last mile along a service I paid for (my ISP), mean I must gain consent for using them?
You don’t even need to host yourself the asset, just setup a reverse proxy that drops personal information and redirect the request to the source (Google, or whatever). It’s a simple Nginx rule.
The local bakery down the street just needs to figure out what a reverse proxy is, what a redirect is, and what Nginx is and how set rules for it, and then weigh the pros and cons vs self-hosting assets.
I’m sure that’s easily doable for them, aren’t regulations fun?
that is true but it increases the barrier to entry for those who use google fonts for system resource issues, a lot of people offload because they don’t have the space or money to self host everything
one could argue that it is less eco friendly as well given how much space is going to be used repeating the same file on a multitude of servers
A $5 VPS comes with several gigabytes of storage. A standard web font (e.g. Roboto) is ~1MB. Bandwidth is essentially free through CloudFlare. Who doesn't have the space or money to self-host their fonts?
Currently on HN frontpage there is an article "How to avoid layout shifts caused by web fonts" [1]. It lists several techniques you can use to reduce font size. One of the examples shows how subsetting reduces Roboto Regular size to 11KB.
You're probably liable to pay the plaintiff 100 EUR for leaking their IP address to CloudFlare, as well as paying 100 EUR for leaking it to Azure/AWS/etc. /partially sarcasm
I'm really starting to question why aren't we using fonts that are standard part of browsers? Just have a reasonable sub-set supported by everyone. This would be great climate action too as we would not be wasting energy to redownload them billions if not trillions of time.
(in reply to krehl) And in that specific case you should probably have a DPA ready. Big issue with anything Google-related (and probably CloudFlare) is that they may transfer the data outside of the EU[0].
An interesting question. Someone should do a environment cost impact on self hosting fonts (and other resources) vs client having to make lot's of requests to various hosts for those resources.
For years I was going in the list of vendors and disabling everything. Now I became so bored by these prompts I decided to instead just accept everything and clean my cookies every week. I’m less frustrated this way, and still feel I have control over my privacy.
The interesting thing that a lot of services don't consider is that blocking these cookie banners is perfectly allowed and does not implicitly allow services to collect personal data.
Twitter is one of those service that just states "we collect data, deal with it when using this website" (which is already not legal) but the thing is, I don't even see this pop-up because uBlock is filtering it out. If Twitter now collects my personal data, it is not only breaking the opt-in component of GDPR but also doesn't even notify me about data collection.
Quite a lot of services have JS-only popups which I also don't see. Do they collect data? I think so. Do they know they are doing it illegally? I would bet quite a bit of money that they never thought about somebody getting past their cookie banner without consenting, so probably no.
On the other hand, there was a post on the front page recently that said that showing opt-in 3rd party cookie prompts resulted in over 90% refusal rate.
Ignorance is a bliss, but if given a choice to not share extra info with random companies, many will in fact take that opportunity.
So a popup warning that your visit to this website will be recorded by Google may be just what the doctored ordered to shake people of their nirvana and make them look at things a bit more closely.
There's no difference between that popup and IP sharing consent. It's not about cookies, it's about tracking and tracking risk.
Smart websites would just host the font files on their own domains but I guess the dumber ones will just add Google Fonts and similar to their consent list, yes.
How does this not reduce to hitting any server not owned by you is leaking your IP address?
If I host my website behind Google Cloud CDN they have logs of the visitors IP. If I host my site on S3 they log the IP.
Does this mean that a visitor must insteract only with services that I own until I can get concent to use "unnecessary" third party services?
I think it is pretty significant if "necessary" is reduced to "could have don't it without". Because sure I could avoid Google Fonts, but now I need to do splitting and per-browser detection myself. Ok sure, browser font support is pretty consistent these days and I know my site just uses English and emoji in some pages. But now I can't throw that site in cloud storage. I also can't use a VPS because there are traffic logs. So I buy a server in a datacenter. But what if they have some form of traffic logs? I guess my question is where does this definition of "unnecessary" stop.
The core issue with the linked situations is that the US Cloud Act applies, which means that US governmental agencies can request access to i.e. traffic logs, without a court order for mass surveillance.
Well, I'd say so yes. It's the same thing that came up when hotlinking was first a major thing[0]. In my opinion, anything but communication with the first party violates expectations. If I visit Imgur, then I expect to deal with Imgur, and not with their myriad of third parties all doing something else that's not directly my business.
People of course don't mind, reality is often like this too.
Does this ruling distinguish between “does” and “could”, though? Because any CDN could spy if they wanted. Google fonts has a pretty reasonable privacy policy[1]. I don’t read German, so I wonder if there’s nuance here that I’m missing (like, did they find that Google actually was misusing the data?)
Google is a US company and the US government can and do ask companies to provide any data on the servers even if it is against the policy Google has written in that document.
Google is an advertising network, they don't need to sell the IP to make money.
It's on the original website to prove that they only use your data for what you asked them to, if you want to do anything else, you need to request informed consent.
Using hosted Google fonts is not needed to run the website (as you can also easily embed them without having the user touch Google). And Google will not say they won't do anything with that data, as they would be lying since that's the whole reason google fonts and other free webdev resources by Google exists: to gather as much data about the user it can.
What if my origin server is behind Google Cloud CDN anyways? I mean it is possible for me to run my own datacenter with a direct connection to the users IP but that is obviously unreasonable. As soon as I outsource anything it can now see the users IP.
I guess this particular case seems somewhat reasonable, but where is the line.
Also note that Google Fonts is a lot more that just hosting a download. It has different font files for different browsers for max compatibility as well as font splitting so that you aren't downloading too many glyphs and weights that you don't need for this page. Reimplementing Google Fonts isn't trivial.
It unquestionably leaks information, and it is why projects like Decentraleyes exist.
Whether it is "unnecessary" is the interesting question. For fonts, it's really hard to claim that you couldn't have created the website without Google's fonts CDN.
Yes, it would. Actually so many uses of CDN's are nonsensical. I mean, I literally block those requests and sites just work OK. (For my definition of OK. If I don't see autoloading autoplaying video it's only a big big plus)
My reading is that nothing in the argument depends on the exact resource in question being a font, so I don’t see why it wouldn’t generalise to other resources.
> Google Fonts kann durch die Beklagte auch genutzt werden, ohne dass beim Aufruf der Webseite eine Verbindung zu einem Google-Server hergestellt wird und eine Übertragung der IP-Adresse der Webseitennutzer an Google stattfindet.
translated:
> Google fonts can be used by the defendant in a different way, so that a connection to the website does not make a connection to the Google server, thus without transmitting the IP address of the website visitor to Google.
What if I host my website on Google Cloud Platform? I guess it should be OK then to use Google Fonts CDN on the website, because it's the same entity, and visitor's IP was already leaked to Google when the HTML page was served. Can't really ask user for consent before loading the HTML page!
Does it mean Google, AWS, DigitalOcean, Cloudflare, Akamai, and everybody else (except Hetzner) are now outlawed in Germany? Because, as I said, I cannot ask for consent before serving the initial HTML, unless someone develops a magical IP-less protocol for delivering consent. I'm not sure if even Hetzner server is OK, it's still a third party even if Germany-based.
There is a technical necessity for your hosting provider to see the user's IP.
The GDPR does not require consent for passing on private information when there is a technical or legal necessity, as well as a number of other preconditions.
Using a CDN service operated by a non-GDPR business such as Cloudflare, Google, Amazon, or Akamai could potentially be confirmed to be a violation of GDPR, yes, if the CDN-hosted resources are used without opt-in. I’m eagerly awaiting the first complaint on these grounds to be reviewed and judged, now that the GDPR treaty with the United States has lapsed. It doesn’t matter where the CDN’s servers are; without the US having signed a treaty into law, each of their businesses are subject to compulsion by various US authorities to dishonor their commitments to the GDPR.
It looks like the court decided SCCs were not sufficient as Cloudflare is subject to US surveillance laws so they wouldn't be able to provide adequate guarantees.
It’s not a question of what is necessary. It’s a question of transparency and consent. You must gain consent for giving Google personal data for tracking purposes.
ELI5: Why does the EU not just prevent Google from using personal data they receive by law in any way they see fit? Would that not be a lot more effective than requiring the millions of small businesses and small web devs to figure it out on their end?
That's the main revenue stream of Google it would pretty much mean Google itself would be forbidden.
The EU gives companies the option and only requires all this hoopla if you want to use the data for something else than the user requested. The "problem" is that Google does want that, as they are an advertising network, so they give web developers access to their tools but tell you that you have to ask the user for consent. That everyone totally forgets those warnings and somehow forgets that Google is an advertising network is on them, just like it is your responsibility what are random dependencies you download using whatever dependency tool you use.
I was not arguing the sanity of the policy. I was merely correcting GP’s interpretation of the ruling. Better for the millions of small businesses to only have to post a list of sub-processors than to have to determine what would be “necessary” in the eyes of the law.
As a Deutscher this sounds completely nuts. Correct me if I'm wrong but any not 100% technically necessary third party request is considered illegally leaking personal data?!
Or do I 'just' have to inform the users that their fonts, images and other data that could be stored in source but is not?
In the case of fonts I'm pretty sure they get cached in the browser, so bundling them with the source just doesn't make sense?
Exactly. Why would you serve your own copy of the fonts if a previous request to that cdn may have cached them in your browser already? Opt-In goes against the architecture of websites. What's next? A popup for each third party request? It is not feasible and just another stumbling block - like Impressum for private persons and third party cookie consent to host websites in Germany. It makes more sense to fix the issue at the fundamental browser level by the vendor (natively, without the need for plugins) and explain the dangers to the users. Educated users block requests anyway for example.
I think hosting it by yourself is the solution here, but it's getting difficult to keep up with all the rules, especially when the fundamental design of the web moves in the opposite direction.
> a previous request to that cdn may have cached them in your browser already? Opt-In goes against the architecture of websites
Browsers partition their caches by origin and third-party origin (it's a bit more complex than that in reality) so common third-party resource e.g. fonts, used on one site won't be reused on another
Instead a fresh version of the font will will be fetched
Safari's done this since 2013 (?), and Chromium & Firefox adopting the same behaviour in 2020 (?)
Informing them is probably not enough – you would need explicit consent and a fallback option. The only reasonable option is not to do it or maybe it's possible to get a contract with google regarding processing of personal data.
We have a contract with our hosting provider that specifies what data they may collect, the limited purposes for which they can use it, and when it must be deleted.
This is called a Data Processing Agreement and is also part of GDPR compliance.
We have the same thing in place with all 3rd party vendors.
Leaking extremely sensitive user data, like their IP addresses, to third parties, enable them to finger print users.
Leaking those to third parties outside the EU, and in particular to companies whose revenue depends on this finger printing, like Google, just to serve a font, it’s the dumbest thing I’ve heard all week.
The whole purpose of the GDPR is to discourage this behavior, requiring websites to inform users of all their crappy unnecessary things they want to do before they do it.
The only reason Google gives you hot loading for free is to get your users data. Trading your users personal data to serve a font is brain dead.
IMO this fine of 100€ is too small. They should have made it 10% of their revenue to send the clear message that this is not ok.
I agree with everything you said except the last paragraph.
100€ was fine in my opinion, because a) it isn't that big of an infraction b) it probably was their first offense and c) this legal ruling is indeed setting some kind of precedence and therefore was unexpected given industry practices. If the ruling stands and other courts follow a similar reasoning I would expect higher fines in the future.
You have a point and I as a dev will ensure to follow this principle. The issue is that serving fonts and other assets from an external service is pretty much normal practice. This is new ground. The understanding so far was explicit tracking being the issue and not serving static assets. This ruling makes sense but goes way beyond what the consensus was so far.
Whose “consensus” ? Google or ad techs. That is not acceptable. The right way is GDPR pop up listing the companies you will share user data. With. If the user approves I am sure no court can touch you.
I meant consensus among developers. Using external _static_ resources has been a normal thing for very long and generally hasn’t been discussed under the light of GDPR.
In fact I would argue that most devs don’t assume that this is a problem at first glance. The general awareness and education should be better here.
Giving an IP Address to Google including referrer header is. They can do a lot with this and as long as the Google Font hosting service doesn't give out assurances (they can be sued for for breaking) that this data is not used in any way which would enable Google to track a person.
Curious how useful is an IP address with a simple HTTP get request?
As long as a sane Referer-Policy is set, the Referer won't be sent. Sure there's a lot more to browser fingerprinting but with just an HTTP request, all the data that would be known from it is the language and the user agent. Both of which are not unique data points and shared by thousands of other users. No cookies either in this case of Google Fonts.
You are logged in to to google and so are your family members.
You visit YouTube.com from IP X with device (user agent) Y.
Your family member visits YouTube.com from IP X with device Z.
Google Fonts gets a request via the API key of mydomain.de from IP X and device Y.
Google now knows that you visited mydomain.de
Edit: I stand corrected that Google Fonts doesn't use an API key.
I suspect they still can correlate the font request with the domain, however I have no proof.
Consider this an example for other services like maps.
Several people and devices could be shared by the same IP though, either who are on the same network or in the vicinity of the same mobile mast (or in the same mall or restaurant)... that's why IP often isn't used as conclusive evidence that you are the same person just because you are on the same IP.
Well technically you share a lot more data. IP, browser agent, time (which in combination with IP can tell exactly who used that specific computer) and cookies set on the *.google.com domain.
So it's actually interesting that the court only focused on the IP-address although the ruling would probably have been the same even if they widened the scope.
So how valuable would it be to you if I would share with you that I spent $20 yesterday on shopping groceries. Probably not so much. But if I would share with you 90% of my spending, you might be able to infer a lot more information about me.
So the question isn't how useful the single request is, but rather what can be done with a lot of these requests. And Google and Facebook are specialists in generating lots of said requests with services like google fonts and like-buttons. And once you realize that the sum of these requests is so valuable that they are considered personal information, you want to protect them with laws.
These laws, like the GDPR, are already in place and this is one of the instances where someone didn't respect such a law. So you can argue now, that this single request isn't so valuable, but isn't that true for every penny of a million dollars?
I understand what you're saying but it doesn't exactly address my curiosity of this specific case of HTTP GET requests for font files (no JS, no iframe, and no cookies either in this case).
Your thoughts about a like button widget, or even Google Analytics are perfectly valid. But I am talking about this specific topic under discussion, Google Fonts.
Can you someone translate? Does this mean that hot linking any static media or asset from a third party is against the law unless explicit approval from the user is first received?
If there are different means to host the asset and the hot linking would transfer data out of the EU (in particular to the US and to a giant marketing company) that might be problematic.
It has nothing to do with approval. This specific ruling is about the principle of data minimisation. If you process personal data you must do a risk assessment and make sure you only process no more data then strictly necessary. This applies even if you have consent. So in this case since you can host the fonts yourself to not share data (IP, time, browser agent, cookies) with Google you should.
"Can you someone translate?"
Here's my attempt at translating the first four paragraphs:
Dynamic IP addresses are a piece of PII (personally identifiable information) to the maintainer of a website. That's because the maintainer can identify the person using their IP with the suport of the ISP and the responsible authority.
The use of fonts services like Google Fonts is not protected by 'Art. 6 par. 1 S.1 GDPR' because the use of the same fonts is possible without connecting to the Google Fonts servers.
The visitor of a website is not responsible to conceal their IP (e.g. with a VPN).
The revelation of the visitor's IP to Google is a violation of visitor's rights. Given that Google is known to collect personal information to the discomfort of the user, the violation can be deemed so severe that it is justified to demand damages.
This means that embedding any resource from a non-GDPR destination URL is a violation of GDPR law unless explicit opt-in approval from the user is first received.
If you are subject to GDPR law, then the above applies to all sites owned and operated by you and your subsidiaries. If you are not subject to GDPR law, then the above does not apply.
Resources could be hosted by http:, https:, ftp:, or any other protocol. Resources could be .js, .gif, .html, or any other format.
If you’re asking “can I dynamically detect the user’s country of origin and enable GDPR protections only if I determine they’re in that country?”, no: the user has a right to legal protection if they are a citizen of a GDPR-protected country and are residing in a GDPR-bound country, regardless of what their IP address is.
> the user has a right to legal protection if they are a citizen of a GDPR-protected country and are residing in a GDPR-bound country, regardless of what their IP address is.
Nit pick: GDPR is written in terms of people "in the Union", not citizens.
If you have agreements in place with third party data processors to protect user privacy, this ruling does not prevent you from hot linking third party assets under that agreement. In effect, the third party acts as part of your infrastructure - just like you may already use a third party hosting provider, cloud database provider, auth provider, logging service, etc.
The GDPR constrains how PII is stored and processed. It doesn't stop you from using third party providers, but it does make you responsible for ensuring user privacy is protected, by delegation through binding privacy agreements and sufficient diligence.
Those types of agreements are already common. For example, if you're hosting on AWS providing service to users covered by GDPR, you should already have such an agreement. It's pretty straightforward. https://aws.amazon.com/compliance/gdpr-center/
Therefore if AWS offered a generic, third party font hosting or embedded video hosting service, you could hot link to that no problem.
Same with Cloudflare, Google Cloud, etc. as long as they provide the necessary agreements with you.
The problem with Google Fonts is there is no such agreement in place, you can't trust Google to not profile users statistically via font requests, and even if Google says they won't do that, you can't trust that their servers in the US won't be tapped by US authorities to monitor request logs, etc.
The data processing agreement with American companies is probably not enough because the USA doesn't sufficiently protect the users' privacy under the GDPR.
It's only possible to go this route if the country has the approval of the EU through the necessary legal frameworks. That's what Privacy Shield and its predecessor were, and both were deemed insufficient.
Your point about a data processing agreement is true, but I wouldn't rely on AWS/Cloudflare/Google until the EU and USA manage to get this stuff worked out.
I should have said adequate data processing agreements which comply with the GDPR. In practice the simplest way to do this would have third parties handling EU requests within EU boundaries, and not shipping analytics that contain PII outside controlled boundaries.
Some service providers appear to at least be addressing the issue, e.g. see the AWS link. Hetzner in Germany offers similar data processing agreements.
It would not be difficult for Cloudflare and Google to do the same. If you operate a CDN, almost by definition you have no problem hosting within the EU when sending content to users in the EU.
There is literally no other business reason for Google to maintain Google Fonts, but to augment its tracking insights. None. That's the sole purpose of the very existence of Google Fonts.
If you've ever had the pleasure of dealing with the licensing nightmare of foundries, it's quite easy to see that a small group within google had enough and started the project.
We've literally spend tens of thousands of dollars on our font archive, but decided that we can't continue to use these fonts on projects anymore, due to "we can change the licence at any time" clauses and rent seeking behaviour, that is eerily similar of the stock photo industry licensing (which pretty much has ruined photographers) and scientific publishers (which pretty much have ruined science).
I hate google as much as the next guy, but our small design company is in their dept for creating google fonts, and we plan on contributing to the the repository if we ever create a font as part of a project.
But there is nothing that prevents anybody to build a similar product but charging a fee for it.
The payment being "user data" is the problem. Not the product in and of itself.
If you are in the EU such a platform would probably need to be GDPR compliant.
I'm sure there is a opportunity for a font market that fulfills your needs. It might not be easy but eventually studios like you will probably have to charge clients an ongoing fee for "premium assets".
The end user is paying for it and while you and your clients are probably fine with it, the lawmakers are obviously not.
With all due respect, your response doesn't make much sense.
Google fonts is primarily a github repo with specifically licenced fonts. Google paid a lot of the artists and foundries behind these fonts for an open licence.
Therefor there is no need to build a "similar product", when the existing one is alrady free as in free beer, without any hidden data-/ad-funding.
We are are primarily a PRINT-MEDIA shop. Non of GDPR applies to this, non of our customers or customer clients pay for anything with their data, because paper doesn't have an uplink.
Yet the google font project is as much key to our survival as sci-hub is for the scientific community.
I don't understand where you get this whole "service" idea from, but it clearly shows that you've never actually interacted with google fonts in any way.
Any different "service", would have the EXACT SAME ISSUE:
Hot-linking leaks user IP-Data to whoever hosts the hot-linked content.
If you use the google fonts home page _as designed by google_ it already makes you download the fonts to self-host them along with your own sources.
And as for their motivation, google fonts originated from android, because again licensing fonts plain sucks, and google has an incentive to make developing apps and websites as easy as possible in order to strengthen their ecosystems.
Given the ruling that's doubtful, as there is no reason why it should be outsourced. "Datensparsamkeit"/Data-frugality is also part of GDRP, and completely besides the point of google fonts not being a service, nor conspiracy.
On the one hand I don't want lawyers, government and politicians to shape cyberspace. But I also like this ruling it seems to set a precedent for users to be able to opt-in to APIs (and probably javascript the obvious next step if this goes on). Client-server interactions should be transparent, this will prevent allot of privacy related issues. It also makes the web more decentralized, getting developers back into a host your own stuff mentality.
On its face, this appears to be death of the third-party CDN. The largest issue is this means companies will no longer be able to use third-party hosting services like Squarespace which rely on shared (technically third-party) CDNs.
A secondary, but similar, issue, is that now all embeds are opt-in: streams, videos, everything must first be clicked on to even load the thumbnail.
A third, and less-important, issue is that advertising providers are basically over: the website, on load, can't query the third-party ad service to figure out what ad to display. Which I'm fine with, abstractly, but it's also a very large revenue issue.
Using a third party is not illegal in itself.
But you need an agreement with the third party as to how they will store/process any user data they collect.
This is fairly fundamental under GDPR. It's the 'data controller'/'data processor' split.
I suspect (but IANAL of course) that most CDNs would fail here, because the blanket agreements they offer are basically worthless.
But it's easy to imagine a CDN that has a different business model (charges a tiny amount pr. resource stored, for example), and is completely fine under the GDPR.
How can a CDN fail to retain an IP address, at least for the purposes of knowing where to send the response? The ruling doesn't say that Google stored the IP, causing the issue, but merely that the user's IP showed up in a packet sent to Google.
CDNs under the auspices of a non-GDPR government cannot offer any legally-binding assurances that they will comply with GDPR. Their government can legally compel them to lie about honoring the GDPR and secretly act otherwise. Since US courts and authorities are no longer bound by law to honor the GDPR, no service owned by, operated by, hosted within, or subsidiary to a United States entity can guarantee compliance with GDPR.
Any CDN that is owned/operated/subsidiary in full within countries that have legal GDPR protections in place, such as member states of the EU, would be fine to use — but that rules out Cloudflare, Akamai, etc.
This ruling has nothing to do with opt-in or consent. It has to do with the concept of data minimization. According to the GDPR you should only process as much data as necessary and this applies no matter what legal basis (eg consent) you have. So basically the point with GDPR is that you as a user should not even have to care, the company that processes your data is responsible to care for you. And it's actually cool that we see this enforced now.
It does not necessarily set a precedent: use of APIs hosted fully within GDPR countries would be unaffected by this Google Fonts judgment, which only concerns a GDPR site using non-GDPR resources without user consent.
Treating IP addresses as PII continues go be incredibly tedious and as far as I can tell, they are PII because providers are forced by law to keep those records. Is that correct?
It would be so much better to just reduce and safeguard that information instead of handing it out to any rando with a court order.
Sadly, the United States used to have a treaty law in place that delivered the easy solution you describe. In mid-2020, the treaty was found not to provide the necessary protections, and invalidated by EU courts; no replacement treaty was negotiated or signed by the US, and so here we are.
Reading our layman developer interpretations of the legalities here is very interesting, but that aside this really makes me rethink my own use of Google hosted fonts in my projects. Whether it is the browser responsible for making the request or my website being responsible for asking the browser to make the request, hosting the font myself is a readily available option. From the perspective of respecting users' data, why call out to Google at all when I don't really have to, for _any_ resource where there's a straightforward alternative?
I say this as someone who does use Google Analytics as well (which I am removing). But mostly for me it isn't a case of dropping all third party convenience services, but a case of remembering to be _mindful_ of what I'm doing.
Very good point, the courts in countries with common law work quite differently than where the courts are based on civil law. There is a quite large difference of the two systems.
This decision is incredibly coherent with the fact that tracking can be done in many ways other than with cookies. Your residential IP doesn't change that much and Google keeps track of it. Google can track your navigation through websites and associate it to your google account or shadow account just by seeing if you downloaded one of their fonts through said websites.
So bravo to the Munich court for actually upholding rules against opt-out third party tracking
Wait, what prevents the next court to say that the browser vendor is responsible for the leak ? Per default the browser is not asking the user if it's okay to download fonts from Google (or any resources from any another resources provider) after all.
Why is it not the author of your NIC driver who is responsible for the leak? Per default the driver isn't asking whether to send a packet to Google's IP address.
Here's why: the driver is just doing what it's told to do. The responsible falls on the party who does the telling. If a website tells my browser to load resources from Google, it's not on my cpu or my nic or its driver or kernel or firewall or the browser.
People who created the browser are not processing any data when you use the browser, so GDPR hardly applies. They need to be careful with bug reports, but that's it.
Of course, I am following the logic where it goes.
Now, why would website operators be considered data processors for providing a link to google fonts to website users ? The website is not leaking the IP, it doesn't need if to display fonts and it doesn't use visitor's IP to display fonts. Ultimately the user of the browser is using his IP to get the fonts and this user is the one responsible for leaking his IP.
The website has delivered an HTML document. It's up to the user to do what he wants with it and follow links or not.
I think this is actually a really interesting ruling because it's based on Article 6 and not Schrems II. The problem is that they are not taking enough steps to share as little data as possible which is a fair point, but it would also be interesting to see if Google Fonts actually is legal in the sense that personal data (IP, browser agent, timestamp) may end up in the US and used for other purposes (tracking) then just delivering a font.
I don't know why people use fonts served from Google on their websites. Just serve the fonts from the server the site is on. It's like having javascript libraries served by 3rd parties; it's less robust.
I think it allowed browsers to cache font files across websites. But that might not even work anymore as I understand many browser vendors are moving towards resource isolation.
There still is the fact that you're getting fonts that are automatically subset into partial font files per character set, so if your pages mostly only use one or two character sets (like Latin and possibly Latin-extended), the browser only needs to download the font files for those particular character sets – at the same time you still retain the flexibility of using the full range of characters supported by that font if the occasion demands it, though.
(With Latin plus Greek plus Cyrillic and possibly some OpenType features like proper small caps you can get into the hundres of k range, and support for East Asian languages easily gets you into the megabyte range.)
Plus in theory fonts optimised for the respective combination of browser and OS. The former probably isn't as critical any more, as almost everything should support WOFF2 (or at the very least WOFF) these days, as for the latter – I know OSs each have their own font rendering peculiarities, but no idea how much the difference might be in practice.
I guess one advantage could be to better use browser caches for these things? If you visit multiple websites that include the same fonts or javascript libraries, the browser can reuse the cache for them.
This isn't at all surprising but I still got scoffed at when I suggested that serving third party fonts, css, scripts, whatever without prior consent or contracts would be a violation. Tragically, I was just robbed of my told you so and was met with a mere well, this seems ok when I sent this to the very people who couple of years ago thought this would be nuts and that I was exaggerating. Part of the pathology of the kind of folk who like to cheer everything the EU does I guess.
My question is, why aren't we worried about the hops between a website and a user? There's who knows how many networks and routers in between them, and the packets might even hop outside the EU momentarily (!!!!!). Surely this needs some attention as well? Should we maybe consider an internal EU-only network? Or maybe the Commission could come up with a whole new routing scheme? I'm sure Europol would have tons of very sane ideas for one.
> why aren't we worried about the hops between a website and a user
I asked about this below, apparently it's reasonable and strictly necessary. It's what the user expects. Even though it's technically possible for the infrastructure layer to provide full packet anonymity, until then it's the web developers responsibility. I do not agree with this, but that's my opinion.
I don't understand German but understand HTML/HTTP. Technically, you only get HTML from the website you visited. Then, YOUR browser, requests more data based on that HTML. So technically, it is your browser who requested the font and as a result leaked the IP address.
So would other Google resources like running Adsense ads also reveal IP addr or other private info? I think Google allows users to opt out of being tracked?
By default it should be <<opt-in>>, not <<opt-out>>.
You don't get to track me and then force me to tell you "don't track me", you should do nothing by default and ask me "may I track you?".
Companies don't do that because opt-out is sneaky and it means they can track, say, 95% of users.
With out-in, they get to track maybe 80% of users if they're allowed to use dark patterns (where they hide stuff or lie to the user what tracking actually does) and probably less than 10% if they're not allowed to do that.
I'm confused about the text. It is not obvious, what the defendant actually did.
The assumption from most people seem to be that they used a `<script>` tag or the like, with a Google URL. But the text does not imply that. On the contrary, it repeatedly uses the word "weitergabe" and "weiterleitung" ("forwarding"), which is just not accurate for this process - it seems to imply that the defendant actively made a connection to Google and sending the IP over it.
Of course, this might just be an artifact of the legalese and non-technical phrasing of the verdict. But does anyone know what actually happened, on a technical level?
I'm torn here. I can see it from both points of view.
As a user I don't want any of my data going to third parties at all.
As a website owner trying to provide a service to my users I want the best experience for them. This might be linking to third party services that are doing a better job than I could.
I only see this going one way. The user will have to agree to the sharing of their data with third parties if they want to view third party content, or want the fonts rendered in a better was. Link NPRs text version when you don't agree.
This is a serious question, I personally prefer to set my own font for web browsing so why do people feel the need to force fonts on me and load them from google of all places?
I agree! The problem is that most browsers have awful defaults. I'm not sure why this is but it does mean that people end up wanting to change them. However my browser uses beautiful fonts by default and if you specify just serif, sans-serif or monospace. I wish this would be the common case so that we can just respect users font settings instead of picking what we think is the best.
Note that GDPR talks about data minimisation - data you should not share more data then necessary. If there are no other way then linking to a third party then that would be just fine. But if there is another way to do it that don't requires you to share someone else data you should do that instead (in this case self host the fonts).
Also consent may not actually help here because the principle of data minimisation applies no matter what legal basis for the processing you use.
You could absolutely make that argument. That is why this particular case is so interesting. This is the first time I've seen a ruling regarding this and it may open up for more cases on where to draw the line on when processing is "necessary" and not.
Also it's worth noting that GDPR also puts other demands in place, for example that there be technical measures to protect the data from unauthorized access, or unintentional data loss. If you can argue that a cloud provider can handle those things better, then that may trump the data minimization argument.
It's always the Munich court making these stupid rulings. How long until they fine an ISP for forwarding my packets over a Google AS on the way to its destination.
What's next? Someone coming after you, because your have their IP in your server logs?
I understand the privacy sentiment, but I find this the opposite of how you beat a giant. The proper way for Germany and the rest of Europe should be the creation of a thriving environment of viable, privacy-aware FAANG competitors. Not putting barriers in every which way.
If this is specifically referencing that technically you could have served those google fonts without making the user go to Google (a proxy of your own and not a hyperlink) then yeah I'm all for it. Big if though, but to roll with it
1) finally webmasters can feel the absurd amount of data they push on us for goddamned shiny JS that barely runs on my phone. Maybe they'll cut back a little
2) Hopefully this incentivises a bit more clear border segregation. More technical effort? Yes. Better for my privacy? Hopefully.
I don't like the language here though, specifically the lack of anything directly supporting my stance. But I prefer optimism and then realism
I think the amount of information being leaked here is minimal. i.e. fonts are cached and thus Google only knows you visited health.com and not health.com/scarydisease. unless your landing page was health.com/scarydisease.
This is great point, BTW. I always did not have time to "clean up" fonts - now I finally got it done. :-)
In my opinion, this should be _welcomed_ by WebDev community - this does improve privacy. In theory, DE court is right - your website should force user to connect only to itself.
I clearly see 2 ways of making this even simpler: use Lynx :-) or Tor Browser. The importance of Tor in today's business should increase. Yes, there are "shady" things there - but there they were in "clearnet" back in 90x ...
In other news: ip packages hop from one host to another and a dozen hosts see the private ip and the websites IP. Certainly the website should have asked the user before exposing their ip on the route.
No, there are many ways around it (i.e. tor, vpn). The internet provider (or user) is just too lazy to provide proper privacy.
Just like the website owner is too lazy to self-host the fonts.
Edit: in fact PII should not pass unencrypted, so if you don’t protect the IP (classified as PII) then you‘re not compliant.
Personally, I can see only two parties benefiting from this: the plaintiff and lawyers in general.
Google will continue to be Google. Users will be faced with more annoying consent notices that they don't read. Website developers, of which I am one (bias disclosure), who are not very good lawyers will have more technical complexity in order to respect the law. Small companies who rely on services such as CDNs and font providers are now worried about having to host things themselves and the complexity that will ensue to be GDPR compliant (everyone's new least-favourite term). Hacker News gets a divisive flamewar over the subject and this will be yeeted from the front page.
This seems logical and reasonable to me, though it seems others are surprised/appalled.
What would a technical solution that respects privacy look like? The website making the call to Google in the background (minus user details) and forwarding the response onward? Why isn't it done that way, it feels like it's the more obvious solution if you're not trying to track users.
Early internet was very wary of 'hotlinking' because it costs money to serve things, people used to try to offload hosting costs to others. Now it seems people take that on willing with the expectation to make enough money to cover it.
Is it just scale, or is it the user info that makes these services viable?
Early Google used to use the argument that them making the web better was profitable, because more people using the web meant more money for them. Does that still apply? Would they still provide Google Fonts if they were legally bound to not use any user information they recieved?
Google Fonts actually provides a couple of extra services, which can't be replicated just by 'hosting' the files.
Not as relevant now, but in the past a big feature was serving the smallest font file to the user based on the browser version they had.
Nowadays, the ability to use a Unicode aware font without sending the whole thing to every user is another feature they offer.
Both feel like things that browser improvements could take care of themselves eventually though and in the meantime libraries running locally could handle.
(For similar services, licencing plays a part, as you may be paying for the font per view or something like that, but that Doesn't apply for Google Fonts)
A main selling point of using CDNs for commonly used assets (like Google fonts) is that lots of websites use the same URL, so the browser is likely to have the asset in cache already from a previous use on another site. Makes the site faster and uses less bandwidth.
I don't think there is a solution right now. Maybe browsers can stop sending these headers to well known CDN domains by default.
I think one of the main reasons it is done via hotlinking is that it is easier for the „webmaster“ to copy a JS snippet than to do something server side or self host. Most of these webmasters aren‘t developers.
This is particularly true for anything that comes as a „module“, like GDPR cookie notices (that are very frequently included via a JS snippet loaded from a third party site).
> The services (here: web fonts) could be supplied another way, so exposing the user's IP to google is not strictly necessary, from a technical POV.
Because an IP address needed to receive a download. This kind of decision means that any hot linking of static media assets is now in hot waters.
A sensible judge would say IP address is not PII but a prerequisite to use Internet in the first place. Like a license plate on car e.g. other broken analogue of tracking. Like a power socket. However the definition of PII in Europe is overly capturing (saying this as an European.)
I agree that license plates make an apt comparison. How would you feel if private companies set up plate readers at just about every parking area everywhere?
Like with IPs, they wouldn't be able to identify unique individuals with 100% certainty (as both IPs and cars may be shared), but they'd get pretty close. Certainly when it can be combined with other data.
So yeah, to me it makes sense that IPs are personal data.
The problem of course is that IP addresses can totally be used by Google to build up a profile of your browsing behaviour across the whole web. Even if typical end User ip4 addresses change quite a lot due to ISP NATs I imagine it's still very valuable information. Obv with ipV6 and static IPs for everyone it becomes a privacy nightmare
> The services (here: web fonts) could be supplied another way
The problem here is that every service could be provided another way. It seems that the only actual hosting option that doesn't leak a user's IP to a thrird-party is first-party only over Tor. Do we demand that every website is built that way? It turns out that outsourcing actually has a lot of value.
So where do we draw the line? Google Fonts apparently needs to be reimplemented first-party. What about Google Cloud CDN? What about an ISP that sees the user's IP in the packets?
After translating - the violation here is a website included third-party fonts from Google, and the fact that Google would be able to see their IP from the request violates GDPR?
Seems as though anybody who uses a CDN or third-party to load _any_ resources will violate GDPR by this measure? Seems like a pretty wide interpretation of this law.
* the court explicitly stated that this case was about transferring personal data (the IP) without prior consent. If the user had consented, there would have been no case.
* the court explicitly criticized using google, because google a) is known to collect user information and b) google is a US company and the European courts have found the US is lacking in privacy laws. So my reading is that the judgement would not apply if you transferred such data in certain circumstances, e.g. if you transferred such data to provide "essential services" and you have contracts with the data processor about how they can use and store the data that are in accordance with German privacy laws.
* the court further stated that it sees no reason to transfer such personal data, as the website could have easily provided the fonts itself. This seems to be a crucial part of the courts reasoning, as it is a ruling on the plaintiff's claim that this use of google was exempt because it was "necessary" to provide the service.
So, soon on top of all the cookie notices that are already there, we are also going to have to consent initially before anything loads to downloading the javascript from 3rd party to manage all the consents? Lol.... Just what the internet needs...
There is also the option of not messing around with personal data. It would get rid of all the cookie notices that are there, as well as not adding new ones.
The point is that if you go by the logic of this court decision, you need a consent also for js libraries, images, etc. and their primary purpose isn't to gather data. So, to get rid of all notices, you would have to host absolutely everything yourself.
IANAL, but it sounds to me like a very important part of the story is that Google was not listed to end user as entity that would treat their data. Another way to read this could be: failure to inform users that their IP addresses were sent to Google resulted in a 100 € fine.
Sure, but this also seems bad for the small web. Imagine for example some small blog embeds a Youtube video into their static page - suddenly they are getting 100 euro fines all over the place.
Also this entire case overlooks the point that this user was tech aware enough that they knew their IP was getting sent to Google, was deeply upset by this, but didn't get an ad blocker? This feels like a contrived use of GDPR.
> Seems like a pretty wide interpretation of this law.
That was my initial reaction, but I must admit I have since decided that was because it's an inconvenient truth to me. No one visiting mydomain.com should have to assume google.com is going to receive information about them without their prior consent, and there's usually no mechanism for consent prior to loading webfonts or CDN assets.
It is very much in the spirit of the GDPR that all knowledge sharing should have prior consent, and this follows with that.
You can see the industry flailing to compensate for the sudden increase in responsibilities it has been getting recently. It's not a wild west anymore, we should be a mature industry, and mature industries have regulations earned from previous failures to be ethical or safe. That's what I see happening, the industry is getting harder to operate in, but it's just reaping what it sowed.
The court explicitly noted that the IP was exfilled to the United States where adequate data protection measures do not exist and that Google in particular is well known for invasive data collection
The court also noted that there was an alternative in the form of embedding the fonts directly into the website.
I'm not a lawyer, but the reasoning doesn't sound like CDNs are a problem in General, but that one should be very careful before connecting to US servers (which was always one of the goals of the GDPR)
That has interesting implications for anycast CDNs. In fact do you now need a separate DNS name for europe to be sure that the DNS query doesn't get anycasted to another country ever?
This is regulated in the GDPR, article 28. You may have an external "processor" of your data (which is almost always the case, because few people have full responsibility over their hosting setup), but this processor is bound to abide the rules of the GDPR, and you need some sort of contract with the processor.
Since you have no control over what Google does with the data of visitors when you embed Google Fonts, it is not compatible with the GDPR (just like Google Analytics).
Honestly, it's not that big a leap to reach this interpretation.
1) Your IP address is considered personal data, as it can be used to identify you. In general, everyone can see and agree with this.
2) In the absence of additional protections and/or contract terms[1], the transfer of personal data out of the EU is an offense under the GDPR (well, technically it's not out of EU, but transfer to a country without GDPR equivalence).
So - embedding code / data from a 3rd party into your website results in a transfer of personal data.
[1] The idea of additional protections/contract terms is even questionable, but that's a whole other thing...
It is enough to identify whoever is paying for the internet access, which is enough, in itself. And it might be enough to identify the actual user with "reasonable" certainty, e.g. if the user was home alone at the time the IP was used.
Courts found that it doesn't have to be demonstrated that a user can be identified, the abstract reasonable risk that a user could be identified is enough to turn an IP address into PII (and this ruling explicitly mentions this).
In reality, as a service provider, you have no ability to determine if the client IP belongs to an individual or not - so you have no choice but to assume it does identify an individual.
You're not sending your nginx logs to Google, a well known advertiser, do you?
In this case you can store IP addresses if you have a legitimate reason (e.g. you can show you need it for troubleshooting etc), as long as it's reasonable and doesn't infringe on the rights of the user, and you have documented it along with the retention strategy.
They say that GDPR Art. 6 Par. 1, (f) (see [1]) is not applicable, so using a webfont from google is not "necessary for the purposes of the legitimate interests pursued by the controller". They explicitly say this is because you could host the font yourself.
In my interpretation, another way could be to use Art. 6 Par. 1 (a), namely ask the user for permission before loading a Google font.
"Virtually every business relies on third parties to process personal data. Whether it’s an email client, a cloud storage service, or website analytics software, you must have a data processing agreement with each of these services to achieve GDPR compliance."
This is idiotic. A website links to a resource somewhere on the Internet, the user decides to visit the website with their browser, and their browser fetches the linked resource.. This is literally the fucking point of the fucking Internet.
This is exactly what stops me from hosting websites. I simply have given up trying to keep up with the rules. It is a massive burden if you are not a corporation trying to extract information and just want to host a simple blog from a german server. At some point, private persons and maybe small businesses won't be able to keep up and the web becomes even more centralized.
It is possible to host a blog wihout third party services.
Maybe small businesses should focus on minimal websites and build from that.
As you grow, you can more easily affort the costs for lawyers to check if the features you want to build are GDPR compliant.
It always puzzles me how people making six figures a year for translating real-life requirements to technical ones suddenly throw a tantrum when said requirements involve law.
Disagree. The key information is no longer than an average privacy policy (and frankly, less complex) and whereas there are millions of privacy policies (which no one ever reads), there is only one GDPR. Give it one hour of close reading and you'll see just how important and useful it is. It's worth the effort because you only need to do it once.
This is exactly the entitlement your comment parent was on about. A third party should not have active insight into the first party's business like that - or their customers'. GDPR is a very welcome step forward in this regard, and I hope that more of such will come.
The sort of logic imputed by the GPDR would put an end to mailing parcels too. You could drive across town to deliver the package, you didn't need it delivered via the post. After all, every package shipped in the mail involves a third party who knows the sender and recipient's address and name. Best get to banning that sort of potential skulduggery ASAP!
This is really an idiotic law in that it punishes the symptom (a third-party web request), but ignores the underlying problem (data strip mining by Google, Facebook, Twitter, etc.). Punishing the data strip mining, but leave the third-party web requests (which is an intrinsic feature of the web) would at least make some logical sense.
No, the mailing parcels are fine. As long as they have proper employees that deliver the packages, and not a third party that does deliver, but also collects everyone's name, address, package sizes and estimated values, and projects household income, advertising cohort and then sells this to yet another third party. See the difference?
Regarding the instrinic part of the internet argument, that's just an appeal to nature. Naturally the internet is such and such, and therefore it's good (and also currently widespread). That's not a reason why that should be. We forbid plenty of such intrinsicly human things by law, because that's how ~the ruling class can stay in power~ lots of people can live together in relative safety. For example hurting someone else is perfectly natural, I think. I think it happened lots of times before it became a sort of law to not do that. And of course it happens now in many direct and indirect ways, because people want to express, for example, just how angry they are at another. Yet I don't see how we shouldn't restrict this very intrinsic thing.
Also, but this is just conjecture, I think this application of GDPR would allow third party requests IF they are not logged for example. Because then the data collection doesn't happen. In TFA, the third party is Google, and that might be the thing that makes the difference.
I'd say for requests that return dynamic data, a case could be made that there is technical merit for the client doing the request instead of the server proxying the request.
There is a serious problem with the ongoing balkanization of the internet. EU nations are almost at the point where they rule that european corporations must provide pages in a way that respects european citizen rights and follows european laws.
Outrageous!
And yes that means they can not integrate services from surveillance states like the USA or China without asking the user first, as the EU government thinks only their agencies should be allowed to run mass surveillance against their citizens without consent.
And the EU is not the only one who thinks like that. Pretty soon services controlled by foreign powers will be unacceptable in most of the world. Currently in the USA this is limited to hosting government and military secrets on foreign systems, but i bet if some chinese network would start to creep all over the civilian american web, reporting back to their ministry of national security, the rules would change quickly. For now the USA uses its position to spy on everyone, and i don't mean "nations" or "governments", i mean everyone. American patriots don't see a problem with that, but we know what you do in Utah, and it's a crime against humanity.
For the multinational corporations this whole situation of GDPR-vs-CloudAct means massive restructuring, splitting into smaller entities that service regional markets and moving the top level corporate group somewhere with minimal regulation to minimize conflicts. And such legal splits rupture their core business, at some point they can't have chinese hardware in us datacenters being administrated by indian technicians providing services to russian tourists in brazil anymore.
Maybe this is the last battle the nation states fight with the global corporations and it instead breaks nationalism in favor of streamlining compliance and getting shit done. I can only hope that the global rules emerging say no to mass surveillance and yes to data privacy, but abusing human rights has always meant power and profits, and so i fear the future is dystopian.
So what happens if you include e.g. a Wikipedia image or a youtube video? Is that a GDPR violation too? These scenarios also lead to making the users IP available to a third party.
If so, how do we avoid breaking the web while keeping privacy needs in balance?
> how do we avoid breaking the web while keeping privacy needs in balance?
One thing that I feel would help: Massive decentralization. Self-hosting of content and regular synching of the hosted content on the server sides; or tunneling, think duckduckgo.
Self-hosting would make knowledge storage more redundant which protects against (also partial) network blackouts.
On the other hand this knowledge is then harder to control. Removing or redacting content would have to rely on the particular sites to "pull the updates" from the upstream. Copyright will also be problematic: each site would have to make copies of content with the (probably commercial) intent of serving it to consumers.
Still I can't help to think we need more decentralization and self-hosting.
People don't just use third-parties because it is fun. They do it because it reduces cost. If we have to build every service from the ground up as first party is that good economically. Does every website need to build its own CDN now?
The paper-pushing world created by GDPR and these non-technical bureaucrats is just absurd and only a burden for smaller companies trying to get things done.
This is a good judgment and less onerous than people are worried about here: there's not going to be a need for a raft of pop-ups.
GDPR is clear about processing personal data. If you're a website, you're a data controller, and you are responsible for the security/confidentiality/etc. of that data. If you want to use external services that's cool, but you need a formal data processor agreement in place that maintains your control of the data, and you need to list that in your privacy policy.
So, can you embed fonts? Yes, it's not a problem: either they should have directly embedded self-hosted stuff and not used the supplier, or ensured a proper data processor agreement was in place. Post-Schrems II, the latter becomes more difficult if the supplier you're contracting with cannot promise the level of control over privacy/etc. that you need as a data controller, however.
The alternative position is to say that it's OK to embed resources that basically allow large corporates like Google to track your activity across the web without an agreement in place. That's obviously not OK under GDPR.
District courts are notoriously terrible. Judges are overworked. They are incentivized for dealing with cases as quickly as possible. As a judge, you actually get penalized for handling cases diligently. Many judges can’t even touch type, so even when they do go through the motions of doing legal research, they type in a few crude keywords, skim the first results presented by the algorithm, and then call it a day.
I try to block web fonts using Pihole. This makes me want to add an overly-broad rule blocking any occurrence of the word “font” in a domain. It’s yet another web technology that really has no need to exist. My computer already has multiple fonts. There’s way that I benefit by downloading them from a remote site.
Google Translate: https://rewis-io.translate.goog/urteile/urteil/lhm-20-01-202...
> The defendant is sentenced to pay the plaintiff €100.00
> The plaintiff has a claim against the defendant to refrain from passing on the plaintiff's IP addresses to Google under Section 823 (1) in conjunction with Section 1004 of the German Civil Code.
> It is undisputed that the plaintiff's IP address was forwarded to Google when the plaintiff visited the defendant's website.