Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Google The Courts The Internet

Website Fined By German Court For Leaking Visitor's IP Address Via Google Fonts (theregister.com) 210

Earlier this month, a German court fined an unidentified website $110 for violating EU privacy law by importing a Google-hosted web font. The Register reports: The decision, by Landgericht Munchen's third civil chamber in Munich, found that the website, by including Google-Fonts-hosted font on its pages, passed the unidentified plaintiff's IP address to Google without authorization and without a legitimate reason for doing so. And that violates Europe's General Data Protection Regulation (GDPR). That is to say, when the plaintiff visited the website, the page made the user's browser fetch a font from Google Fonts to use for some text, and this disclosed the netizen's IP address to the US internet giant. This kind of hot-linking is normal with Google Fonts; the issue here is that the visitor apparently didn't give permission for their IP address to be shared. The website could have avoided this drama by self-hosting the font, if possible.

The decision says IP addresses represent personal data because it's theoretically possible to identify the person associated with an IP address, and that it's irrelevant whether the website or Google has actually done so. The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of 250,000 euros for each violation, or up to six months in prison, for continued improper use of Google Fonts. Google Fonts is widely deployed -- the Google Fonts API is used by about 50m websites. The API allows websites to style text with Google Fonts stored on remote servers -- Google's or a CDN's -- that get fetched as the page loads. Google Fonts can be self-hosted to avoid running afoul of EU rules and the ruling explicitly cites this possibility to assert that relying on Google-hosted Google Fonts is not defensible under the law.

This discussion has been archived. No new comments can be posted.

Website Fined By German Court For Leaking Visitor's IP Address Via Google Fonts

Comments Filter:
  • Insanity (Score:3, Insightful)

    by NewtonsLaw ( 409638 ) on Monday January 31, 2022 @08:01PM (#62225471)

    This is what happens when regulators have far too much taxpayer-funded time, cake and coffee at their disposal.

    They come up with lunatic laws that cause huge levels of unintended consequences.

    • Re:Insanity (Score:5, Informative)

      by NateFromMich ( 6359610 ) on Monday January 31, 2022 @08:07PM (#62225497)
      Right. An IP address was never something that was intended to be a secret.
      • Re:Insanity (Score:4, Insightful)

        by Aristos Mazer ( 181252 ) on Monday January 31, 2022 @08:36PM (#62225599)

        No, but the data being sent to an IP address being associated with another web site was intended to be secret. You have disclosed to Google that site X is visited by IP address Y. That's not allowed.

        • No, but the data being sent to an IP address being associated with another web site was intended to be secret.

          Intended by whom? Not the creators of HTML, I think. Even the earliest versions of HTML had IMG links with no restriction that they be hosted on the same server as the html page which links them. This would also "leak" the IP address to another site when the browser fetched the images. This would generally happen without any intervention by the user and was never considered a security risk. Sounds like Germany is trying to legislate that HTML be designed differently than it is. I hope this ruling is o

          • Re: (Score:3, Insightful)

            by nuckfuts ( 690967 )

            ... the earliest versions of HTML had IMG links with no restriction that they be hosted on the same server as the html page which links them. This would also "leak" the IP address to another site when the browser fetched the images. This would generally happen without any intervention by the user and was never considered a security risk.

            It was not then considered a security risk because in the early days, the Internet had not yet been turned into a surveillance platform for the purpose of tracking everyone's activities and targeting advertising at them.

            Now get off my lawn.

          • Not the creators of HTML, I think.

            I doubt any of the people responsible for HTML thought they were constraining German privacy laws at the time.

          • Neither did they imagine that the IMG tag would be abused in to being a tracking pixel. Those were innocent days.

    • Re:Insanity (Score:5, Interesting)

      by Aristos Mazer ( 181252 ) on Monday January 31, 2022 @08:35PM (#62225591)

      In this case, this is very much the intended consequence, with a lot of analysis going into this regulation. Forcing sites to stop transferring data in any way shape or form to Google/Apple/Microsoft/FaceBook/etc, even if that means redesigning foundations of the network, is exactly the goal, repeatedly validated by polls of EU citizens.

      • by Burdell ( 228580 )

        The site didn't transfer any data to Google. The site specified a URL to a font that was hosted at Google, and the end user's browser fetched the font as part of rendering the page.

        • Re: (Score:3, Insightful)

          by Aighearach ( 97333 )

          The site didn't transfer any data to Google.

          Word games are really popular with armchair lawyers, but not so popular with actual judges.

      • Re:Insanity (Score:4, Insightful)

        by BoB235423424 ( 6928344 ) on Monday January 31, 2022 @09:42PM (#62225761)

        And that's supposed to be the point of representative Democracy versus direct Democracy. The masses don't understand every single detail of every single thing. Direct Democracy leads to stupid, unworkable regulations. We're supposed to be electing officials whose policy ideology we agree with, but whom should be consulting with experts to craft legislation, and not just reading polls/doing what the loudest on Twitter want.

        • Re:Insanity (Score:4, Informative)

          by ewibble ( 1655195 ) on Monday January 31, 2022 @10:52PM (#62225885)

          I theory yes, but in practice the rulers don't seem to what they are doing either and are manipulated by the people that fund their campaign. You also end up getting a choice between someone you don't want and someone you really don't want.

        • And that's supposed to be the point of representative Democracy versus direct Democracy. The masses don't understand every single detail of every single thing. Direct Democracy leads to stupid, unworkable regulations.

          I think that you're confusing the ("somewhat germanic"-speaking) countries:
          Germany isn't the one with direct (aka true) democracy (though it has over time collected elements thereof).

      • Re: Insanity (Score:4, Informative)

        by brunes69 ( 86786 ) <slashdot@nOSpam.keirstead.org> on Monday January 31, 2022 @09:43PM (#62225763)

        I don't think you - nor the judge - understand how CDNs nor the internet operates. 1/2 the internet sits behind Cloudflare and the other half sits behind Akamai. Google Fonts is just the tip of the iceberg.

        Wait until this judge learns about BGP!

        • Re: (Score:2, Insightful)

          by Aighearach ( 97333 )

          "for some reason" you skipped over the part about them not having a valid technical reason to have done it. They could have just hosted the font themselves. Yes, if they were hosting it themselves, they might not have owned an internet backbone, they might have used a hosting provider. Or even two hosting providers.

          That is not an actual problem here. This is not a threat to cloudflare unless they're transferring your data to a third party.

          • What you just described is LITERALLY why CDNs exist. They exist to speed things up and distribute load across the internet. And every single website you visit every single day uses them.

          • by chefren ( 17219 )
            Cloudflare *is* the third party in this scenario.
      • The real question is why the google CDN is not hosting the font in the EU.  May be their privacy policy conflicts w/ EU law?
    • {{{ -- This is what happens when regulators have far too much taxpayer-funded time, cake and coffee at their disposal. -- }}} --- No, this is apparently what happens when a website buys into google's ownerships of the web.
      • You realize this ring makes all CDNs illegal right? This goes way beyond Google. This upends the entire idea of half the internet.

        • I was thinking that, "How am I going to use AWS, or Cloudflare, or almost anything?" Then I realized that the problem isn't that they are logging the IP address, but rather that they are associating it with a particular person. Google is likely getting sent a bunch of cookies from the browser, too.

        • "Upends the entire idea of half the internet"? That seems overly dramatic. The internet can exist just fine without CDNs. Sites are just going to get a tad slower on first load, or they'll have to optimize their shit better, or a browser extension like Decentraleyes can take care of the most common JS libraries.

          Unless you think that the entire idea of half the internet is tracking people, in which case I take everything back.
          • I don't think you have any clue how much of the internet sits behind Akamai and Cloudflare.

            1/2 is likely an underestimation.

            • More than half of the traffic, sure. Half of the Internet, no.

              I'd washer that not much of actual value would be lost if the half that's behind CDNs were to suddenly disappear.

          • by DarkOx ( 621550 )

            I don't think its dramatic at all. Why was the last time you saw a site that hosted its own video content - right they ALL embed youtube or similar.

            The idea that a logical 'page' can consist only of documents hosted on the same origin as the root document you are viewer is actually completely antithetical to what the WWW designers intended - we had a system that worked like what you describe - Gopher.

    • This is not example of unintended consequences, even a little bit.
      Read the summary again, it explains everything quite well.
  • CDNs now illegal? (Score:5, Insightful)

    by Ksevio ( 865461 ) on Monday January 31, 2022 @08:02PM (#62225473) Homepage

    Does this mean that all CDNs are illegal in the EU? Seems like the internet is going to get a lot slower

    • Not at all, it just means you need to ask for permission first, you will find a lot of EU sites have a popup question asking you to consent to cookies or 3rd party sites before access. It isn't hard or particularly onerous to do correctly.
      • by Ksevio ( 865461 )

        It kind of is if like most websites, you use a CDN to serve content. How can you ask for permission before the user visits the webpage?

    • Re:CDNs now illegal? (Score:4, Interesting)

      by truedfx ( 802492 ) on Monday January 31, 2022 @08:07PM (#62225503)
      It does not. The ruling singles Google out: "Google, ein Unternehmen, das bekanntermaßen Daten über seine Nutzer sammelt und das damit vom Nutzer empfundene individuelle Unwohlsein so erheblich, dass ein Schadensersatzanspruch gerechtfertigt ist". Translation by Google: "Google, a company that is known to collect data about its users and the individual discomfort felt by the user is so significant that a claim for damages is justified". This would not apply to CDNs in general.
      • The ruling may single out google, but the ruling seems to applicable any time you set a html src attribute to a URL you don't control, or use javascript to access a site you don't control. Slashdot does this over 200 times when you visit the site, "sending my IP address" all over the place.

      • by jmccue ( 834797 )

        Sounds like to me the Site that lost the case could go after Google. Wouldn't Google have to ask for permission from the site owner ?

        But not being a WEB developer or anything close to that, I really do not know if that is possible.

        • No. It's entirely the web developer's choice whether or not to link to Google's font offerings. Google had no say in it at all, other than making its fonts available as per their policy [google.com], which discloses what is and isn't collected.

    • that would be nice

    • Just ditch the direct loading of 3rd party scripts. Have a parent script that abstracts their script and lets you play VPN for requests to the CDN. Then, have a popup that says "If you don't want to wait on us playing VPN for you, click here to connect directly to the content host." As a bonus, your parent script will get the CDN scripts past the 3rd party script blocking.
      • by Bert64 ( 520050 )

        Or just ditch the referer header...
        Having commonly reused content like fonts in one place makes sense, since your browser can cache it. Then it only gets loaded once, despite visiting 100 sites that use it. If all google got was a GET request for the font without any other information it wouldn't be terribly useful to them.

    • Nope. According to GDPR you (the website operator) need an agreement with the CDN about data processing that is compliant to the rules. Hard problem for free/anonymous CDNs.
    • by xalqor ( 6762950 )

      It's tricky because an IP address could be used to identify someone, but it's also necessary to use the Internet (at least the way it works today) and there are already privacy solutions for hiding an IP address that users can choose.

      Anyway, when doing business in Europe, a website that wants to include a font, stylesheet, or script from another site can use one of these two legal approaches:

      1. Include a new category in the consent prompt, such as "Optional fonts" and disclose that if user enables that opti

    • by AmiMoJo ( 196126 )

      No, because

      1) CDNs are essential for providing the service.

      2) Most CDNs don't profile visitors like Google does.

  • MADE?!
    Right there. Why does it not stop there?

    alternatives including declared substitution methods for fonts exist.

    Why is this the sites fault, and not the browser's or users settings of the browsers fault?

    • Because it's a consent thing.

      You shall not expect all users to understand those settings.

      Web page creators also must be aware that some clients cant use custom fonts for various reasons.

      • You shall not expect all users to understand those settings.

        Exactly. But web page authors are users too. What next, relatives suing an HTML-coding grandma out of house and hearth because she made a mistake with a WYSIWYG HTML editor setting?

        This should be a browser burden. If you browse http://grandma.me/ [grandma.me] and your browser pulls a resource from example.com, it should warn you (if you configured or it defaulted to a high-privacy setting)

        On a side note, the GDPR popup warnings are getting ridiculous. Most sites I've seen are now using 'dark patterns' to fool users into

        • What next, relatives suing an HTML-coding grandma out of house and hearth because she made a mistake with a WYSIWYG HTML editor setting?

          Calm down, Chicken Little.

          fined a... website $110

      • Thank you for using Chrome, please read this notification carefully as it constitutes a written agreement
        between us as a webbrowser and you as a user regarding consent.

        The usage of a web browser means that your IP address will be transmitted and shared with the intended
        and third parties, who may track you for nefarious purposes. By clicking "I accept" below you consent that
        this will happen.

        This includes a website including resources from third party websites.

        If you wish to limit the inclusion of third party

  • by byronivs ( 1626319 ) on Monday January 31, 2022 @11:11PM (#62225919) Journal
    I block the scripts automatically, but nearly every website I go to reports back to fucking google. Wanna log in as google? Are you a human? google. Fonts? google. Ajax APIs? google. Tags. google. CDN? google. Call someone? google. Add value to your phone-computer. More fucking google. Email and office productivity suite? google. Lubeless analsex? google! Teethy fellatio? google. STDs? Thanks google, and more please!

    Just! Fuck! Off! google and all you teat-suckers that lazily nurse at its poisoned milk. I liked you once, Google!, you gave search so good. So much better than Yahoo, lycos, altavista. Then you got needy. The confident google disappeared and forgot its vows. May your filthy excretion become even more bitter.

    You google, you click all the things to prove yourself! Dirty whore. Die in a corporate Dumpster fire.
  • If you load external resources from an external website you essentially allow that website to track your user.
    Now the obvious question is, how can we prevent that problem, while still being able to enjoy the advantages of caching.

    One solution would be to augment those references by a hash of the file they refer to. This way your browser could recognize the file as a "common" file, and see if it already has that file (from another location) in its cache. That way you could have location independent files.

    Ano

  • Or hosting with any other "evil" corporation.
    You can have your own domain too. Someone can claim "I went to example.com (let's say a local business or something) and ended up giving my IP to Google, pay up 250kEUR" or whatever the fine is!

    Ok, let's say that's the "primary" site and the user intended to go there and that's allowed; what if it goes there not through a normal A-record but through a http redirect (you can simply set it up in GoDaddy for example, it's pretty standard)?

    There are of course CDNs, p

  • ...to the principle of this ruling so let's play with the parameters a bit. Say the fonts aren't hosted by Google but by a company with known ties to Chinese state security agencies. Now suppose that the user is a trade negotiator or a govt employee with high-level security clearance & they're using their personal smartphone & all the tracking data to 'sell advertising' that it entails. How to you feel about this kind of surveillance now?
  • This court decision basically overturns the Internet completely as we know it. This makes linking to *any* resource file outside of the current domain illegal, which means everybody that is relient on CDN or any other third party resource illegal.

    For example if you check the source for Slashdot itself, it's linking to fsdn.com and cloudfront.net, and le'ts not talk about all the ads and analytics links. Slashdot itself is according to this is breaking GDPR and is therefore illegal in Europe.

    The only way to

    • by dwywit ( 1109409 )

      Calm down, Chicken Little, The sky isn't falling.

      1. This is a german jurisdiction. You might extend that to the rest of the EU
      2. But not the rest of the world.

  • The GDPR and its rules are quite clear: This sort of thing is not allowed unless the permission is explicitly given by the user. Cross-loading fonts and stuff is stated as prime example how *not* to do things if you want to be GDPR compliant, in just about every article covering GDPR compliant websites and what to do and look out for.

    This isn't news.

    The 100 Euros is a very fair modest fine but should be enough to teach any small entity or private person to watch out what they do.

    The solution to this sort of

    • by Ksevio ( 865461 )

      Basically it's a prime example of the flaws of the GDPR and how it just ends up hurting the little guy.

"Confound these ancestors.... They've stolen our best ideas!" - Ben Jonson

Working...