Website Fined By German Court For Leaking Visitor's IP Address Via Google Fonts (theregister.com) 210
Earlier this month, a German court fined an unidentified website $110 for violating EU privacy law by importing a Google-hosted web font. The Register reports: The decision, by Landgericht Munchen's third civil chamber in Munich, found that the website, by including Google-Fonts-hosted font on its pages, passed the unidentified plaintiff's IP address to Google without authorization and without a legitimate reason for doing so. And that violates Europe's General Data Protection Regulation (GDPR). That is to say, when the plaintiff visited the website, the page made the user's browser fetch a font from Google Fonts to use for some text, and this disclosed the netizen's IP address to the US internet giant. This kind of hot-linking is normal with Google Fonts; the issue here is that the visitor apparently didn't give permission for their IP address to be shared. The website could have avoided this drama by self-hosting the font, if possible.
The decision says IP addresses represent personal data because it's theoretically possible to identify the person associated with an IP address, and that it's irrelevant whether the website or Google has actually done so. The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of 250,000 euros for each violation, or up to six months in prison, for continued improper use of Google Fonts. Google Fonts is widely deployed -- the Google Fonts API is used by about 50m websites. The API allows websites to style text with Google Fonts stored on remote servers -- Google's or a CDN's -- that get fetched as the page loads. Google Fonts can be self-hosted to avoid running afoul of EU rules and the ruling explicitly cites this possibility to assert that relying on Google-hosted Google Fonts is not defensible under the law.
Insanity (Score:3, Insightful)
This is what happens when regulators have far too much taxpayer-funded time, cake and coffee at their disposal.
They come up with lunatic laws that cause huge levels of unintended consequences.
Re:Insanity (Score:5, Informative)
Re:Insanity (Score:4, Insightful)
No, but the data being sent to an IP address being associated with another web site was intended to be secret. You have disclosed to Google that site X is visited by IP address Y. That's not allowed.
Re: (Score:3)
No, but the data being sent to an IP address being associated with another web site was intended to be secret.
Intended by whom? Not the creators of HTML, I think. Even the earliest versions of HTML had IMG links with no restriction that they be hosted on the same server as the html page which links them. This would also "leak" the IP address to another site when the browser fetched the images. This would generally happen without any intervention by the user and was never considered a security risk. Sounds like Germany is trying to legislate that HTML be designed differently than it is. I hope this ruling is o
Re: (Score:3, Insightful)
... the earliest versions of HTML had IMG links with no restriction that they be hosted on the same server as the html page which links them. This would also "leak" the IP address to another site when the browser fetched the images. This would generally happen without any intervention by the user and was never considered a security risk.
It was not then considered a security risk because in the early days, the Internet had not yet been turned into a surveillance platform for the purpose of tracking everyone's activities and targeting advertising at them.
Now get off my lawn.
Re: (Score:2)
Not the creators of HTML, I think.
I doubt any of the people responsible for HTML thought they were constraining German privacy laws at the time.
Re: Insanity (Score:3)
Neither did they imagine that the IMG tag would be abused into being a tracking pixel. Those were innocent days.
Re:Insanity (Score:5, Interesting)
In this case, this is very much the intended consequence, with a lot of analysis going into this regulation. Forcing sites to stop transferring data in any way shape or form to Google/Apple/Microsoft/FaceBook/etc, even if that means redesigning foundations of the network, is exactly the goal, repeatedly validated by polls of EU citizens.
Re: (Score:3)
The site didn't transfer any data to Google. The site specified a URL to a font that was hosted at Google, and the end user's browser fetched the font as part of rendering the page.
Re: (Score:3, Insightful)
The site didn't transfer any data to Google.
Word games are really popular with armchair lawyers, but not so popular with actual judges.
Re: (Score:2)
The site didn't transfer any data to Google.
Word games are really popular with armchair lawyers, but not so popular with actual judges.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:3, Insightful)
The site did not do any of this. The site sent a text file to the user. That's all it did, no more, no less. A web browser running on user's computer parsed that file and sent user's data to Google, referer and all.
Opt-in vs opt-out (Score:2)
As I mentioned elsewhere in this discussion, the key difference is what a user can opt.
A web browser running on user's computer parsed that file and sent user's data to Google, referer and all.
The default behaviour encountered by the average user is to always fetch (or at least always ping the server and fetch if the cached copy is out of date), you need to be technically inclined to know your options to opt out.
Re:Insanity (Score:4, Insightful)
And that's supposed to be the point of representative Democracy versus direct Democracy. The masses don't understand every single detail of every single thing. Direct Democracy leads to stupid, unworkable regulations. We're supposed to be electing officials whose policy ideology we agree with, but who should be consulting with experts to craft legislation, and not just reading polls/doing what the loudest on Twitter want.
Re:Insanity (Score:4, Informative)
In theory yes, but in practice the rulers don't seem to know what they are doing either and are manipulated by the people that fund their campaign. You also end up getting a choice between someone you don't want and someone you really don't want.
Germany != Switzerland (Score:2)
And that's supposed to be the point of representative Democracy versus direct Democracy. The masses don't understand every single detail of every single thing. Direct Democracy leads to stupid, unworkable regulations.
I think that you're confusing the ("somewhat germanic"-speaking) countries:
Germany isn't the one with direct (aka true) democracy (though it has over time collected elements thereof).
Re: Insanity (Score:4, Informative)
I don't think you - nor the judge - understand how CDNs nor the internet operates. 1/2 the internet sits behind Cloudflare and the other half sits behind Akamai. Google Fonts is just the tip of the iceberg.
Wait until this judge learns about BGP!
Re: (Score:2, Insightful)
"for some reason" you skipped over the part about them not having a valid technical reason to have done it. They could have just hosted the font themselves. Yes, if they were hosting it themselves, they might not have owned an internet backbone, they might have used a hosting provider. Or even two hosting providers.
That is not an actual problem here. This is not a threat to cloudflare unless they're transferring your data to a third party.
Re: Insanity (Score:3)
What you just described is LITERALLY why CDNs exist. They exist to speed things up and distribute load across the internet. And every single website you visit every single day uses them.
Re: (Score:3)
Re: Insanity (Score:2)
CDNs are not hosting providers.
Re: (Score:2)
Re: (Score:3)
Re: Insanity (Score:3)
You realize this ruling makes all CDNs illegal, right? This goes way beyond Google. This upends the entire idea of half the internet.
Re: (Score:2)
I was thinking that, "How am I going to use AWS, or Cloudflare, or almost anything?" Then I realized that the problem isn't that they are logging the IP address, but rather that they are associating it with a particular person. Google is likely getting sent a bunch of cookies from the browser, too.
Re: Insanity (Score:4, Informative)
Take one second to google that before posting it. "No cookies are sent by website visitors to the Google Fonts API. Requests to the Google Fonts API are made to resource-specific domains, such as fonts.googleapis.com or fonts.gstatic.com."
Re: (Score:2)
Yeap, I should have searched first.
Re: (Score:2)
Unless you think that the entire idea of half the internet is tracking people, in which case I take everything back.
Re: Insanity (Score:2)
I don't think you have any clue how much of the internet sits behind Akamai and Cloudflare.
1/2 is likely an underestimation.
Re: Insanity (Score:2)
More than half of the traffic, sure. Half of the Internet, no.
I'd wager that not much of actual value would be lost if the half that's behind CDNs were to suddenly disappear.
Re: (Score:3)
I don't think it's dramatic at all. When was the last time you saw a site that hosted its own video content - right, they ALL embed youtube or similar.
The idea that a logical 'page' can consist only of documents hosted on the same origin as the root document you are viewing is actually completely antithetical to what the WWW designers intended - we had a system that worked like what you describe - Gopher.
Re: (Score:2)
Read the summary again, it explains everything quite well.
CDNs now illegal? (Score:5, Insightful)
Does this mean that all CDNs are illegal in the EU? Seems like the internet is going to get a lot slower
Re: (Score:2)
Re: (Score:2)
It kind of is if like most websites, you use a CDN to serve content. How can you ask for permission before the user visits the webpage?
Re: (Score:2)
Overlay, like paywalls.
"Click OK to consent to blah bah blah"
Re:CDNs now illegal? (Score:4, Interesting)
Re: (Score:3)
The ruling may single out google, but the ruling seems to be applicable any time you set an html src attribute to a URL you don't control, or use javascript to access a site you don't control. Slashdot does this over 200 times when you visit the site, "sending my IP address" all over the place.
Re: (Score:2)
Sounds like to me the Site that lost the case could go after Google. Wouldn't Google have to ask for permission from the site owner ?
But not being a WEB developer or anything close to that, I really do not know if that is possible.
Re: (Score:2)
No. It's entirely the web developer's choice whether or not to link to Google's font offerings. Google had no say in it at all, other than making its fonts available as per their policy [google.com], which discloses what is and isn't collected.
Re: (Score:2)
Oh, that's a good link.
Re: (Score:2)
that would be nice
Re: (Score:2)
Re: (Score:2)
Or just ditch the referer header...
Having commonly reused content like fonts in one place makes sense, since your browser can cache it. Then it only gets loaded once, despite visiting 100 sites that use it. If all google got was a GET request for the font without any other information it wouldn't be terribly useful to them.
Re: CDNs now illegal? (Score:3, Interesting)
Re: (Score:2)
It's tricky because an IP address could be used to identify someone, but it's also necessary to use the Internet (at least the way it works today) and there are already privacy solutions for hiding an IP address that users can choose.
Anyway, when doing business in Europe, a website that wants to include a font, stylesheet, or script from another site can use one of these two legal approaches:
1. Include a new category in the consent prompt, such as "Optional fonts" and disclose that if user enables that opti
Re: (Score:2)
No, because
1) CDNs are essential for providing the service.
2) Most CDNs don't profile visitors like Google does.
Re:CDNs now illegal? (Score:5, Informative)
Re: (Score:3)
It seems very far overboard to say that when the user's computer connects to a server, that is a different party "sharing" the user's personal information.
Re: (Score:2)
Re: (Score:3, Insightful)
What is so hard? The web site owner needs to audit every single link or resource that might be served from their server, figure out whether it goes to a "too greedy" service, and find a reasonable substitute if the user has not consented to that link. And then repeat that process every time some court adds a new company to the list of "too greedy" companies.
On the other hand, users who care should be able to tell their own computer to not make requests to whatever set of servers they are worried about. T
Re:CDNs now illegal? (Score:4, Insightful)
It is very, very easy for a Web site not to run afoul of this sort of restriction.
Just stop embedding random crap from all over the fucking place. Don't "audit" it. Just don't do it, period.
Want a font? Serve it yourself. Want an ad? Serve it yourself. Want a script or library? Serve it yourself. Want an image? Serve it yourself. Want "analytics"? Do them yourself, and don't share them with anybody.
It's not hard at all. It's just hard to do it while being lazy and/or amoral.
The normal, usual case should be that visiting web site X does not cause the user's browser to communicate with any server other than that of Web site X, does not cause the user's browser to download any content from anywhere other than Web site X, and does not "suggest" that the user's browser do so.
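An added example (not part of the thread and not any poster's code): a Python audit that lists which third-party hosts a page makes the browser contact while rendering, which is the disclosure the ruling concerns, and ignores ordinary hyperlinks that only load after a click. The page URL, the hostnames and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs a browser fetches by itself while rendering.
# <a href> is deliberately absent: it only loads after the user clicks.
AUTO_FETCH = {("script", "src"), ("img", "src"), ("iframe", "src"),
              ("video", "src"), ("audio", "src"), ("source", "src"),
              ("embed", "src"), ("object", "data")}
# <link rel=...> values that cause a fetch or at least a connection.
LINK_RELS = {"stylesheet", "preload", "prefetch", "preconnect",
             "dns-prefetch", "icon", "modulepreload"}
# url(...) and bare @import "..." references inside CSS text.
CSS_URL = re.compile(r"""(?:@import\s+(?!url\()|url\()\s*["']?([^"')\s;]+)""", re.I)


class ThirdPartyAudit(HTMLParser):
    """Collects resources that load automatically from another host.
    Not covered: srcset, requests made by scripts at run time, and
    references inside external stylesheets (fetch and scan those too)."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = urlsplit(page_url).hostname
        self.findings = []          # (host, kind, absolute_url)
        self._in_style = False

    def _record(self, kind, raw_url):
        url = urljoin(self.page_url, raw_url.strip())
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            return                  # data:, about:, etc. contact nobody
        if parts.hostname and parts.hostname != self.first_party:
            self.findings.append((parts.hostname, kind, url))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self._in_style = True
        if tag == "link" and a.get("href"):
            if LINK_RELS & set(a.get("rel", "").lower().split()):
                self._record("link", a["href"])
        for t, attr in AUTO_FETCH:
            if tag == t and a.get(attr):
                self._record(tag, a[attr])
        for u in CSS_URL.findall(a.get("style", "")):
            self._record("inline-css", u)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for u in CSS_URL.findall(data):
                self._record("css", u)


def audit(html, page_url):
    """Return {third_party_host: [(kind, url), ...]} for one HTML document."""
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    by_host = {}
    for host, kind, url in parser.findings:
        by_host.setdefault(host, []).append((kind, url))
    return by_host


# Constructed sample page: one Google Fonts stylesheet, one CDN, one pixel.
SAMPLE = """<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Montserrat:400,700&amp;display=swap">
<link rel="stylesheet" href="/static/site.css">
<style>@import url("//cdn.example.net/theme.css"); body{background:url(/img/bg.png)}</style>
<script src="https://cdn.example.net/lib.js"></script>
</head><body>
<img src="logo.png"><img src="https://stats.example.org/pixel.gif">
<a href="https://other.example.com/">a link the user has to click</a>
</body></html>"""

if __name__ == "__main__":
    for host, hits in sorted(audit(SAMPLE, "https://shop.example.de/index.html").items()):
        print(host, [kind for kind, _ in hits])
```

An empty result means the document itself names no other host; a `Content-Security-Policy: default-src 'self'` response header then makes the browser enforce the same rule for anything the scan cannot see.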
Re:CDNs now illegal? (Score:4, Insightful)
That becomes very expensive to implement. It's not being lazy, it's trying to be profitable. Users also expect free web pages and don't want to be bothered with a bunch of ads either.
Re: (Score:2)
Re: (Score:3)
And in the real world, companies use lots of different 3rd-party services to aid their sites/services: they load fonts from Google or Typekit, they load JS libraries off of CDNs, they use marketing scripts from Marketo, adroll, 6sense, terminus, etc., etc., etc.
But if only they would listen to you and your simple-minded ideals.
Re: (Score:2)
If only those companies would check the laws of one of the major economic blocks in the world and try to abide by those laws.
Re: (Score:2)
Even the court realized that your suggestion is unreasonable, which is why it singled out Google as a special case for this rule to apply.
Re: (Score:3)
So don't link to anything else? You know a lot of modern browsers do pre-fetching, right - that is no less automatic than downloading fonts and external images is for most users and frankly just as unlikely for them to be aware they need to opt out.
No this is dumb, paternalism on the part of the state. This is fundamentally how the WWW has ALWAYS worked, even in the very beginning even if the use of third party resources was less aggressive.
Re: (Score:2)
You can; however, doing so breaks many web sites. Messages come up like you are blocking ads, no I'm blocking other sites tracking me. If it's too expensive for you to host the ad yourself then it's too expensive for me to waste my bandwidth on downloading it. It needs to be standard.
Re: (Score:2)
And that's why I run a pihole in between my network and the internet.
Doesn't block ads, just stops DNS resolution of ad domains.
Websites that do the right thing (hosting/serving ads from their own domain) benefit because I see those ads. Requests to ad-serving domains simply aren't resolved.
I get a smug little thrill every time I see "Hmm, we're having trouble reaching that website"
Re: (Score:2)
Summary: "It's too much work, so the user should do it."
Re: (Score:3)
That right there is a problem. You've basically created an impossible-to-complete task for the website owner. Because the people supporting this ruling aren't gonna be satisfied with the website owner deciding which services are "too greedy". They're gonna insist that they be
Re: (Score:3)
The court's decision stated that [slashdot.org] damages were only allowed because Google gathers so much information.
Please check the facts before you spout disinformation.
Re: (Score:2)
What you are ignoring is the information passed in the "Referer" header.
Re: (Score:2)
So did this court, according to TFS. Yet if that is supposedly a problem, the user's browser should have a way to disable that.
It's not very reasonable to say that web sites should figure out what the least competent, most sensitive person might object to and coddle that person. The user should have some responsibility for the information their computer is sending around.
Re: (Score:2)
It's not the least competent user; it's a typical non-technical user who will have no idea that visiting is disclosing information to a third party.
Re: (Score:2)
Lots of websites don't work if the browser doesn't send the referer header.
Re: (Score:2)
If that was the case, they would have written the law such that they could fine the browser vendor for the browser taking actions without user consent.
Re: CDNs now illegal? (Score:3)
Re: (Score:2)
The internet existed before surveillance advertising was even a thing.
Re: (Score:3)
"the page made the user's browser fetch a font" (Score:2)
MADE?!
Right there. Why does it not stop there?
alternatives including declared substitution methods for fonts exist.
Why is this the site's fault, and not the browser's or user's settings of the browser's fault?
Re: "the page made the user's browser fetch a font (Score:2)
Because it's a consent thing.
You shall not expect all users to understand those settings.
Web page creators also must be aware that some clients can't use custom fonts for various reasons.
Re: (Score:2)
You shall not expect all users to understand those settings.
Exactly. But web page authors are users too. What next, relatives suing an HTML-coding grandma out of house and hearth because she made a mistake with a WYSIWYG HTML editor setting?
This should be a browser burden. If you browse http://grandma.me/ [grandma.me] and your browser pulls a resource from example.com, it should warn you (if you configured or it defaulted to a high-privacy setting)
On a side note, the GDPR popup warnings are getting ridiculous. Most sites I've seen are now using 'dark patterns' to fool users into
Re: (Score:3)
What next, relatives suing an HTML-coding grandma out of house and hearth because she made a mistake with a WYSIWYG HTML editor setting?
Calm down, Chicken Little.
fined a... website $110
Re: (Score:2)
Thank you for using Chrome, please read this notification carefully as it constitutes a written agreement
between us as a webbrowser and you as a user regarding consent.
The usage of a web browser means that your IP address will be transmitted and shared with the intended
and third parties, who may track you for nefarious purposes. By clicking "I accept" below you consent that
this will happen.
This includes a website including resources from third party websites.
If you wish to limit the inclusion of third party
Good. Can't Avoid google for Shit (Score:5, Insightful)
Just! Fuck! Off! google and all you teat-suckers that lazily nurse at its poisoned milk. I liked you once, Google!, you gave search so good. So much better than Yahoo, lycos, altavista. Then you got needy. The confident google disappeared and forgot its vows. May your filthy excretion become even more bitter.
You google, you click all the things to prove yourself! Dirty whore. Die in a corporate Dumpster fire.
Well it's obvious (Score:2)
If you load external resources from an external website you essentially allow that website to track your user.
Now the obvious question is, how can we prevent that problem, while still being able to enjoy the advantages of caching.
One solution would be to augment those references by a hash of the file they refer to. This way your browser could recognize the file as a "common" file, and see if it already has that file (from another location) in its cache. That way you could have location independent files.
Ano
What if you're hosting with Google Sites? (Score:2)
Or hosting with any other "evil" corporation.
You can have your own domain too. Someone can claim "I went to example.com (let's say a local business or something) and ended up giving my IP to Google, pay up 250kEUR" or whatever the fine is!
Ok, let's say that's the "primary" site and the user intended to go there and that's allowed; what if it goes there not through a normal A-record but through a http redirect (you can simply set it up in GoDaddy for example, it's pretty standard)?
There are of course CDNs, p
Lots of objections... (Score:2)
Re: Lots of objections... (Score:2)
The end of the Internet (Score:2)
This court decision basically overturns the Internet completely as we know it. This makes linking to *any* resource file outside of the current domain illegal, which means everybody that is reliant on CDN or any other third party resource illegal.
For example if you check the source for Slashdot itself, it's linking to fsdn.com and cloudfront.net, and let's not talk about all the ads and analytics links. Slashdot itself, according to this, is breaking GDPR and is therefore illegal in Europe.
The only way to
Re: (Score:2)
Calm down, Chicken Little, The sky isn't falling.
1. This is a German jurisdiction. You might extend that to the rest of the EU
2. But not the rest of the world.
This is a first? (Score:2)
The GDPR and its rules are quite clear: This sort of thing is not allowed unless the permission is explicitly given by the user. Cross-loading fonts and stuff is stated as prime example how *not* to do things if you want to be GDPR compliant, in just about every article covering GDPR compliant websites and what to do and look out for.
This isn't news.
The 100 Euros is a very fair modest fine but should be enough to teach any small entity or private person to watch out what they do.
The solution to this sort of
Re: (Score:3)
Basically it's a prime example of the flaws of the GDPR and how it just ends up hurting the little guy.
Re:wow (Score:5, Informative)
Re: (Score:2)
You can't host files with urls in them. You never know if a user might try to access the urls causing you to disclose their IP.
Re:wow (Score:5, Informative)
That's not what the ruling says at all. If the user clicks on a link, that's the user choosing to access that other site. That's called "getting consent", which the current setup did not do.
That's *precisely* what they did (Score:4, Insightful)
Serving a file which contained information about another URL is *exactly* what they got fined for.
They had a text file named whatever.html.
In that text file, it said essentially "if you want this font, you can get it from https://fonts.google.com/curvy [google.com] font.
We think this would be a good font to use for viewing this page."
The government went after them because when you tell users where a font can be found, some users will download that font.
If users wanted to only get the index.html file and not any related resources hosted on any other servers, they would use a browser that does precisely that. Nobody uses such a browser because nobody wants that.
Re: (Score:3)
Nobody uses such a browser because nobody wants that.
Incorrect. Better: Few people use such a browser because most people are not aware that their browser might download fonts from Google if so directed by a webpage.
Re: (Score:2)
you can host files just fine. The issue was they DIDN'T host the files, they let the users browser retrieve them from google and hence google could track them.
I'm not sure how google can extract much useful information from this* but if anybody doesn't think google made a "fonts" system so they could track people then they need a good slap.
Luckily the fine was only 100 Euros not some ridiculous amount. Let's hope more people start hosting the fonts themselves.
(*) at least, not from a single font download, maybe if you use multiple fonts on the same page they might be able to figure out the page...
Caching (Score:2)
(*) at least, not from a single font download, maybe if you use multiple fonts on the same page they might be able to figure out the page...
- Some browsers still leak the referer: in that case Google knows exactly where you've been.
- You don't directly download the font file. The normal behaviour is that you make a request for a CSS file that is generated by a script, and you give extra parameters that precisely request certain fonts, weights, properties, etc: /fonts.googleapis.com/css?family=Balthazar%7CEB+Garamond:400,400i,700,700i,700%7CMontserrat:400,700&display=swap that narrows down a bit more.
On the other hand:
- Browser do caching. I
Re: (Score:2, Insightful)
Re: Shouldn't this be on the user? (Score:2)
Many of the fonts linked are also hard to read. So that's reason for me to block them.
Re: (Score:3, Interesting)
>You gonna shut down Facebook so stupid people can't screw themselves over?
Sounds like a great idea!
Any excuse to get rid of that cancer is good with me.
Re: (Score:2)
I think you just provided the reason for why it is good that these laws exist. Obviously, if people never screwed up and always behaved in a safe, pro-social way, we wouldn't need laws. We need them precisely because "dumb people do shit all the time."
Fined $110? (Score:2)
Nobody would defend such a small fine. And it is probably issued as a warning.
But I presume that they need to fix it or else.
Re: This is a floodgate (Score:2)
It could start an interesting wave. Add to it that javascript is remote code execution and if there's a ruling requiring consent of active code execution on your computer things will start to get interesting.
Also consider that with the client side execution that many web pages use, the total power consumption goes up compared to serving static web pages.
Re: (Score:2)
Well there's a bit difference. Routers typically don't log requests. Webservers do. Plus Google is known for storing essentially every bit of information they can get.
BTW it would actually be illegal for any network operator to store the traffic going through its routers, at least in Europe.
Re: (Score:2)
As the government would gladly force upon us, "storing metadata is not the same as storing the content". So I can't see how they could fine network operators for doing the same.
Oh, suddenly the government is worried about surveillance? Then fuck off! You don't get to store our metadata.