top | item 30135871

(no title)

rokizero | 4 years ago

As a Deutscher this sounds completely nuts. Correct me if I'm wrong but any not 100% technically necessary third party request is considered illegally leaking personal data?! Or do I 'just' have to inform the users that their fonts, images and other data that could be stored in source but is not? In the case of fonts I'm pretty sure they get cached in the browser, so bundling them with the source just doesn't make sense?

discuss

AndrewDucker|4 years ago

Yes. If it's not technically necessary then don't do it. Host the fonts yourself rather than letting Google track people to your site.

mawadev|4 years ago

Exactly. Why would you serve your own copy of the fonts if a previous request to that cdn may have cached them in your browser already? Opt-In goes against the architecture of websites. What's next? A popup for each third party request? It is not feasible and just another stumbling block - like Impressum for private persons and third party cookie consent to host websites in Germany. It makes more sense to fix the issue at the fundamental browser level by the vendor (natively, without the need for plugins) and explain the dangers to the users. Educated users block requests anyway for example.

I think hosting it by yourself is the solution here, but it's getting difficult to keep up with all the rules, especially when the fundamental design of the web moves in the opposite direction.

youngtaff|4 years ago

> a previous request to that cdn may have cached them in your browser already? Opt-In goes against the architecture of websites

Browsers partition their caches by origin and third-party origin (it's a bit more complex than that in reality) so common third-party resource e.g. fonts, used on one site won't be reused on another

Instead a fresh version of the font will will be fetched

Safari's done this since 2013 (?), and Chromium & Firefox adopting the same behaviour in 2020 (?)

isbvhodnvemrwvn|4 years ago

The browsers don't share third-party caches across domains, because it made it easier to leak information about which sites the user has visited.

akvadrako|4 years ago

Informing them is probably not enough – you would need explicit consent and a fallback option. The only reasonable option is not to do it or maybe it's possible to get a contract with google regarding processing of personal data.

fooblat|4 years ago

It seems pretty reasonable to me.

1. In Germany an IP address is considered PI under GDPR because it is easily associated to a natural person.

2. Google is open about the fact that they log IP address with Google Font request activity, which includes the page you are on.

3. GDPR requires justification by necessity to collect and/or send PI to a 3rd party without consent.

4. No consent was given.

5. It is not necessary in this case because it is possible to use Google Fonts in other ways that don't send PI to Google, without significant burden.

I'm not a lawyer but I am responsible for GDPR compliance at a German startup.

edit: typo

Jyaif|4 years ago

By that logic you must self-host any landing page, otherwise you are leaking IP addresses to whoever is hosting your website.

maxwell86|4 years ago

As a German citizen, this isn’t nuts.

Leaking extremely sensitive user data, like their IP addresses, to third parties, enable them to finger print users.

Leaking those to third parties outside the EU, and in particular to companies whose revenue depends on this finger printing, like Google, just to serve a font, it’s the dumbest thing I’ve heard all week.

The whole purpose of the GDPR is to discourage this behavior, requiring websites to inform users of all their crappy unnecessary things they want to do before they do it.

The only reason Google gives you hot loading for free is to get your users data. Trading your users personal data to serve a font is brain dead.

IMO this fine of 100€ is too small. They should have made it 10% of their revenue to send the clear message that this is not ok.

Vespasian|4 years ago

I agree with everything you said except the last paragraph.

100€ was fine in my opinion, because a) it isn't that big of an infraction b) it probably was their first offense and c) this legal ruling is indeed setting some kind of precedence and therefore was unexpected given industry practices. If the ruling stands and other courts follow a similar reasoning I would expect higher fines in the future.

dgb23|4 years ago

You have a point and I as a dev will ensure to follow this principle. The issue is that serving fonts and other assets from an external service is pretty much normal practice. This is new ground. The understanding so far was explicit tracking being the issue and not serving static assets. This ruling makes sense but goes way beyond what the consensus was so far.

izacus|4 years ago

IP Address is far from "extremely sensitive user data". Really.