Bobinas P4G
Conversation

Notices

  1. ▁jayrope (jayrope@mastodon.online)'s status on Saturday, 29-Jan-2022 22:17:03 UTC ▁jayrope ▁jayrope

    Okay, so: a German court decided on Jan. 20th 2022 that sites will need to host Google fonts locally.

    Visitors are otherwise entitled to receive 100€ in compensation for Google fonts transferring IP numbers to Google servers.
    Google uses fonts to track users, especially if they are logged into only one other server, where stored personal data might identify them.

    Court decision text in German (Landgericht München)

    https://rewis.io/urteile/urteil/lhm-20-01-2022-3-o-1749320/

    #google #tracking #fonts #liability #germany #funny

    In conversation Saturday, 29-Jan-2022 22:17:03 UTC from mastodon.online permalink

    Attachments


    1. https://files.mastodon.online/media_attachments/files/107/705/138/124/050/096/original/2a2816915b268673.gif
    2. LG München: 3 O 17493/20 of 20.01.2022 | 3rd Civil Chamber
      from rewis.io | REWIS
      Full text of the judgment of the LG München of 20.01.2022. Subject: claim for injunctive relief and damages (here 100 €) for passing on an IP address to Google through the use of Google Fonts
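    The remedy the ruling points at is to serve the font files from your own origin so the visitor's browser never contacts Google. The script below is an added example (not part of this thread or of any participant's site) of the mechanical part of that job: it takes the stylesheet Google Fonts would hand out, rewrites every `url(https://fonts.gstatic.com/...)` to a same-origin path, and lists the files the operator still has to download once and put under the web root. The stylesheet and file names in it are constructed placeholders, not a real Google response.

```python
import re
from pathlib import PurePosixPath
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed sample in the shape of a Google Fonts stylesheet; the file names
# are placeholders, not real fonts.gstatic.com paths.
SAMPLE_GOOGLE_FONTS_CSS = """\
/* latin */
@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 400;
  src: url(https://fonts.gstatic.com/s/roboto/v30/EXAMPLE-regular.woff2) format('woff2');
}
@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 700;
  src: url(https://fonts.gstatic.com/s/roboto/v30/EXAMPLE-bold.woff2) format('woff2');
}
"""

# Matches url(...) with an absolute http(s) URL, optionally quoted.
FONT_URL_RE = re.compile(r"url\(\s*(['\"]?)(https?://[^)'\"\s]+)\1\s*\)")
GOOGLE_FONT_HOSTS = ("gstatic.com", "googleapis.com")


def remote_hosts(css: str) -> List[str]:
    """Hosts the stylesheet would make a browser contact (empty once self-hosted)."""
    hosts = {urlsplit(m.group(2)).hostname or "" for m in FONT_URL_RE.finditer(css)}
    return sorted(h for h in hosts if h)


def localize_font_css(css: str, local_prefix: str = "/fonts/") -> Tuple[str, List[Tuple[str, str]]]:
    """Rewrite Google-hosted font URLs to same-origin paths.

    Returns the rewritten CSS plus (remote_url, local_path) pairs: download each
    remote file once and store it at local_path under the web root."""
    downloads: List[Tuple[str, str]] = []

    def replace(match: "re.Match[str]") -> str:
        remote = match.group(2)
        host = urlsplit(remote).hostname or ""
        if not host.endswith(GOOGLE_FONT_HOSTS):
            return match.group(0)          # leave unrelated URLs untouched
        local = local_prefix + PurePosixPath(urlsplit(remote).path).name
        downloads.append((remote, local))
        return f"url({local})"

    return FONT_URL_RE.sub(replace, css), downloads


if __name__ == "__main__":
    rewritten, todo = localize_font_css(SAMPLE_GOOGLE_FONTS_CSS)
    print(rewritten)
    for remote, local in todo:
        print(f"download {remote} -> ./public{local}")
    print("remaining remote hosts:", remote_hosts(rewritten))
```

Two practical caveats when you run this against the real service: the CSS Google returns depends on the requesting User-Agent (older agents get different formats), so fetch it with a current browser UA to get the woff2 variant; and the HTML `<link>` that pointed at fonts.googleapis.com must itself be changed to the local stylesheet, otherwise the browser still makes that first cross-origin request.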
    • Bernie (codewiz@mstdn.io)'s status on Sunday, 30-Jan-2022 07:22:04 UTC Bernie Bernie
      in reply to

      @jayrope How exactly is Google tracking users with fonts?

      I don't see any cookies on fonts.googleapis.com nor on fonts.gstatic.com.

      In conversation Sunday, 30-Jan-2022 07:22:04 UTC permalink
    • Bernie (codewiz@mstdn.io)'s status on Sunday, 30-Jan-2022 21:47:25 UTC Bernie Bernie
      in reply to
      • Nanook

      @jayrope @nanook Well, if this is only about using the client IP to request a resource from another domain, then that's not what "tracking" normally means in the web.

      In conversation Sunday, 30-Jan-2022 21:47:25 UTC permalink
    • ▁jayrope (jayrope@mastodon.online)'s status on Sunday, 30-Jan-2022 21:47:26 UTC ▁jayrope ▁jayrope
      in reply to
      • Bernie
      • Nanook

      @nanook @codewiz fonts set no cookies and this case wasn't about cookies.

      In conversation Sunday, 30-Jan-2022 21:47:26 UTC permalink
    • Nanook (nanook@friendica.eskimo.com)'s status on Sunday, 30-Jan-2022 21:47:30 UTC Nanook Nanook
      in reply to
      • Bernie
      @codewiz @jayrope They still get your IP address even if they don't store a cookie in it.
      In conversation Sunday, 30-Jan-2022 21:47:30 UTC permalink
    • Bernie (codewiz@mstdn.io)'s status on Sunday, 30-Jan-2022 21:50:57 UTC Bernie Bernie
      in reply to
      • Nanook

      @jayrope @nanook It's also false that web pages loading fonts or other static resources from third-party domains are sharing PII with that domain. If that's how German courts are interpreting the law, it would be the end of the web, right?

      In conversation Sunday, 30-Jan-2022 21:50:57 UTC permalink
    • Bernie (codewiz@mstdn.io)'s status on Sunday, 30-Jan-2022 22:04:45 UTC Bernie Bernie
      in reply to
      • Piggo🐽

      @piggo @jayrope Oh, didn't think about that! But there have been mitigations for several years:
      https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

      Modern user agents default to strict-origin-when-cross-origin, which essentially means sending only the origin's hostname with no path when querying third-party domains.

      Sites requesting resources from third-party domains should set "Referrer-Policy: no-referrer" to prevent them from correlating the user's IP to all the domains they visit.

      In conversation Sunday, 30-Jan-2022 22:04:45 UTC permalink
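    The claim about `strict-origin-when-cross-origin` and the advice to set `Referrer-Policy: no-referrer` can be checked mechanically. The following is an added example, not code from anyone in this thread: it evaluates, for a given document URL, a given request URL and a given policy, what `Referer` value the browser sends, following the rules of the Referrer Policy specification (each policy's behaviour for same-origin, cross-origin and HTTPS-to-HTTP requests). `what_third_party_learns` applies it to a site's own response headers so an operator can see what a font or CDN host would receive besides the client IP, which is sent regardless of policy. The URLs used are constructed.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# All policy values defined by the Referrer Policy specification.
POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}
MODERN_DEFAULT = "strict-origin-when-cross-origin"   # applied by current browsers when no policy is set
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """scheme://host[:port], the way the browser compares origins."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(parts.scheme):
        host = f"{host}:{parts.port}"
    return f"{parts.scheme}://{host}"


def stripped_url(url: str) -> str:
    """The 'full' referrer: origin + path + query; userinfo and fragment are never sent."""
    parts = urlsplit(url)
    full = origin_of(url) + (parts.path or "/")
    if parts.query:
        full += "?" + parts.query
    return full


def referer_for(document_url: str, request_url: str, policy: Optional[str]) -> Optional[str]:
    """Referer header value for a request made from document_url, or None if none is sent."""
    policy = (policy or MODERN_DEFAULT).strip().lower()
    if policy not in POLICIES:
        raise ValueError(f"unknown Referrer-Policy: {policy!r}")
    same_origin = origin_of(document_url) == origin_of(request_url)
    downgrade = urlsplit(document_url).scheme == "https" and urlsplit(request_url).scheme == "http"
    full = stripped_url(document_url)
    origin_only = origin_of(document_url) + "/"   # origin-only referrers carry a trailing slash

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin_only
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    # strict-origin-when-cross-origin: full URL same-origin, origin only cross-origin, nothing on downgrade
    if downgrade:
        return None
    return full if same_origin else origin_only


def what_third_party_learns(response_headers: Dict[str, str], document_url: str,
                            request_url: str) -> Tuple[str, Optional[str]]:
    """(policy in effect, Referer the third-party host receives) given the site's own headers.

    The client IP reaches the third-party host in every case; only the Referer is controllable here."""
    policy = next((v for k, v in response_headers.items() if k.lower() == "referrer-policy"), None)
    effective = (policy or MODERN_DEFAULT).strip().lower()
    return effective, referer_for(document_url, request_url, effective)


if __name__ == "__main__":
    doc = "https://example.org/account/settings?tab=privacy#top"
    font = "https://fonts.gstatic.com/s/example/regular.woff2"
    for headers in ({}, {"Referrer-Policy": "no-referrer"}):
        print(headers, "->", what_third_party_learns(headers, doc, font))
```

With no header the font host learns only `https://example.org/` plus the IP; with `no-referrer` it learns the IP alone. The IP is the part the ruling is about, which is why the header is a mitigation for cross-site correlation, not a substitute for self-hosting.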

    • Piggo🐽 (piggo@piggo.space)'s status on Sunday, 30-Jan-2022 22:04:46 UTC Piggo🐽 Piggo🐽
      in reply to
      • Bernie
      @codewiz @jayrope it's possible the request contains a referrer header, maybe
      In conversation Sunday, 30-Jan-2022 22:04:46 UTC permalink
    • Patrick Georgi (patrick@georgi.family)'s status on Sunday, 30-Jan-2022 22:42:00 UTC Patrick Georgi Patrick Georgi
      in reply to
      • Bernie
      • Patrick Georgi
      • Nanook
      @codewiz @jayrope @nanook See https://social.tchncs.de/@rufposten/107396066378971218 for IP-driven examples in this thread (with "consent"). It's a scummy industry but they're "not Google" and therefore flying under the radar.
      In conversation Sunday, 30-Jan-2022 22:42:00 UTC permalink

      Attachments

      1. Matthias Eberl (@rufposten@social.tchncs.de)
        from Matthias Eberl
        In 2021 German publishers and shops widely started to use a cookieless tracking technology. It's based on your e-mail and login information, so you should know about it. Especially as you are even tracked without login. How identity providers work ⬇️[Thread]
    • Patrick Georgi (patrick@georgi.family)'s status on Sunday, 30-Jan-2022 22:42:03 UTC Patrick Georgi Patrick Georgi
      in reply to
      • Bernie
      • Nanook
      @codewiz @jayrope @nanook The client IP is considered PII by German data protection agencies and there are ad retargeting services (not Google AFAIK) that use it to probabilistically follow users around based on that and other signals without user consent.
      In conversation Sunday, 30-Jan-2022 22:42:03 UTC permalink
    • Bernie (codewiz@mstdn.io)'s status on Sunday, 30-Jan-2022 22:42:51 UTC Bernie Bernie
      in reply to
      • Patrick Georgi
      • Nanook

      @patrick @jayrope @nanook Ok, I knew that the IP is considered PII, but the GDPR only disallows sharing PII directly with third-party.

      Linking resources hosted on third-party domains is still fine, because it's the user-agent sending the IP, and user agents can block or rewrite requests to specific domains. This is what ad-blockers do.

      In conversation Sunday, 30-Jan-2022 22:42:51 UTC permalink
    • Bernie (codewiz@mstdn.io)'s status on Sunday, 30-Jan-2022 22:59:57 UTC Bernie Bernie
      in reply to
      • Patrick Georgi
      • Nanook

      @patrick @jayrope @nanook Then, where do they draw the line? Is it ok to link an image hosted on another domain? What about embedding videos?

      In conversation Sunday, 30-Jan-2022 22:59:57 UTC permalink
    • Patrick Georgi (patrick@georgi.family)'s status on Sunday, 30-Jan-2022 23:00:00 UTC Patrick Georgi Patrick Georgi
      in reply to
      • Bernie
      • Nanook
      @codewiz @jayrope @nanook Apparently the German interpretation of the GDPR is tighter.

      The argument "the client could have hidden the IP address (through VPN, I suppose?) or filter out accesses" was explicitly rejected in that court decision, by the way.
      In conversation Sunday, 30-Jan-2022 23:00:00 UTC permalink
    • Bernie (codewiz@mstdn.io)'s status on Sunday, 30-Jan-2022 23:04:56 UTC Bernie Bernie
      in reply to
      • Patrick Georgi
      • Nanook

      @patrick @jayrope @nanook I hope it doesn't end up adding an unsustainable legal cost to small websites like mine, where I freely link resources from other domains because that's always been a natural part of HTML.

      In conversation Sunday, 30-Jan-2022 23:04:56 UTC permalink
    • Patrick Georgi (patrick@georgi.family)'s status on Sunday, 30-Jan-2022 23:04:59 UTC Patrick Georgi Patrick Georgi
      in reply to
      • Bernie
      • Patrick Georgi
      • Nanook
      @codewiz @jayrope @nanook Correction: the decision doesn't talk about filtering out accesses, so I suppose nobody brought it up. The explicit part is about "encrypting" the IP, whatever they mean by that. In any case, it kinda follows that this court doesn't look kindly on "the client didn't sufficiently defend itself" style arguments.

      The defendant is that particular website, so the damages part of the decision doesn't immediately apply to all users of Google Fonts (or even any other instance of third party site links), just this one site.

      Still, the outcome isn't _that_ surprising, and I'd expect that topic to become a profitable field for lawyers specializing in cease & desist letters (of which we have too many) and a minefield for everybody else.
      (opening the door to that might well be the real point of this lawsuit)
      In conversation Sunday, 30-Jan-2022 23:04:59 UTC permalink
    • Bernie (codewiz@mstdn.io)'s status on Sunday, 30-Jan-2022 23:07:32 UTC Bernie Bernie
      in reply to
      • Patrick Georgi
      • Nanook

      A good privacy law, imho, would look at the intent and not the mechanism: cross-site linking is the very foundation of the web, but obviously the sole purpose of those 1x1 pixel gifs is tracking users, while serving fonts from googleapis.com is mostly done to save bandwidth and speedup page loads by sharing common resources.

      I honestly don't believe Google is trying to use this service to track users, because they can already track users in better ways.

      @patrick @jayrope @nanook

      In conversation Sunday, 30-Jan-2022 23:07:32 UTC permalink
    • Bernie (codewiz@mstdn.io)'s status on Sunday, 30-Jan-2022 23:29:04 UTC Bernie Bernie
      in reply to
      • Patrick Georgi
      • Nanook

      @patrick @jayrope @nanook Oh, you're right. I remember reading that Chrome / Chromium was going to partition the local cache by domain for this exact reason.

      Then, I guess, the only reason a website would want to do this is for reducing their serving costs... and maybe use Google's edge caches to reduce latency.

      But then there's an extra domain lookup, an extra TLS + HTTPS or QUIC handshake... so probably not worth it.

      In conversation Sunday, 30-Jan-2022 23:29:04 UTC permalink
    • Patrick Georgi (patrick@georgi.family)'s status on Sunday, 30-Jan-2022 23:29:07 UTC Patrick Georgi Patrick Georgi
      in reply to
      • Bernie
      • Nanook
      @codewiz @jayrope @nanook Google Fonts has a surprisingly complete set of "what we collect and what we do with that data" statements in their FAQ, and nothing in there points at collecting user data (they run statistics on the fonts), but the idea that it's used to collect user behavior has stuck.

      Regarding "sharing common resources", that used to be true but isn't anymore: It allowed for cross-site tracking (is a resource cached or not) so third party resources are now cached per host context. That makes the Google Fonts offering less useful (besides the convenience) and just mirroring what you need on your own site is a lot less of a penalty than it used to be.
      In conversation Sunday, 30-Jan-2022 23:29:07 UTC permalink
    • Bernie (codewiz@mstdn.io)'s status on Sunday, 30-Jan-2022 23:29:42 UTC Bernie Bernie
      in reply to
      • Patrick Georgi
      • Nanook

      @patrick @jayrope @nanook Oh, you're right. I remember reading that Chrome / Chromium was going to partition the http cache by domain for this exact reason.

      Then, I guess, the only reason a website would want to do this is for reducing their serving costs... and maybe use Google's edge caches to reduce latency.

      But then there's an extra domain lookup, an extra TLS + HTTPS or QUIC handshake... so probably not worth it.

      In conversation Sunday, 30-Jan-2022 23:29:42 UTC permalink
    • Patrick Georgi (patrick@georgi.family)'s status on Wednesday, 02-Feb-2022 09:28:13 UTC Patrick Georgi Patrick Georgi
      in reply to
      • Bernie
      • Nanook
      @codewiz @jayrope @nanook You can do whatever you want as long as:
      1. You ask data subjects for consent first before loading such embeddings (there are some fine tools built to help with that, such as https://github.com/heiseonline/shariff or https://wordpress.org/plugins/real-cookie-banner/), or
      2. you have a data processing agreement in place with the embedded sites and it appears enforceable. There have been some doubts if US based companies can do that at all, but the extent to that is unclear to me (it just seems that the "Privacy Shield" scheme wasn't accepted).
      In conversation Wednesday, 02-Feb-2022 09:28:13 UTC permalink

      Attachments


      1. WordPress Real Cookie Banner: GDPR (DSGVO) & ePrivacy Cookie Consent
        from devowl.io GmbH
        Obtain GDPR (DSGVO) and ePrivacy Directive compliant consents. Find services, cookies etc. and fill all legal information in your cookie banner.
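    The first of the two options above, asking before loading an embed, presupposes that the operator knows which elements on a page fetch from foreign hosts at all. The script below is an added example written for this thread, not code from Shariff, Real Cookie Banner or any participant: it parses an HTML page, reports every `script`, `iframe`, `img`, `link`, `source`, `video` or `audio` element whose URL resolves to a host other than the site's own (the cases that transmit the visitor's IP), and rewrites the active ones (`script`, `iframe`) so the browser does not fetch them until a consent handler copies `data-consent-src` back to `src`. Passive loads are only reported. The sample page and every host in it except fonts.googleapis.com are constructed.

```python
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# Attribute through which each tag makes the browser fetch a URL (and send the client IP).
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href",
             "source": "src", "video": "src", "audio": "src"}
# Active content that must not run before consent; other loads are only reported.
GATE_TAGS = {"script", "iframe"}

# Constructed sample page; hosts other than fonts.googleapis.com are made up.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<link rel="stylesheet" href="/static/site.css">
<script src="https://analytics.example-tracker.test/collect.js"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="//cdn.example-images.test/logo.png" alt="">
<iframe src="https://player.example-music.test/embed/album=1" width="400" height="120"></iframe>
</body></html>
"""


@dataclass
class Finding:
    tag: str
    url: str        # absolute URL the browser would request
    host: str
    offset: int     # absolute index of the start tag in the document
    raw_tag: str    # the start tag exactly as written


class ThirdPartyAuditor(HTMLParser):
    """Collects every element that fetches from a host other than the site's own."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.site_host = urlsplit(page_url).hostname
        self.findings: List[Finding] = []
        self._line_starts = [0]

    def feed_document(self, html: str) -> List[Finding]:
        # getpos() reports (line, column); precompute line starts to map that to an index.
        self._line_starts = [0] + [m.end() for m in re.finditer("\n", html)]
        self.feed(html)
        self.close()
        return self.findings

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        absolute = urljoin(self.page_url, value)   # resolves relative and //host URLs
        host = urlsplit(absolute).hostname
        if host is None or host == self.site_host:
            return                                 # same-origin load, nothing leaves the site
        line, col = self.getpos()
        offset = self._line_starts[line - 1] + col
        self.findings.append(Finding(tag, absolute, host, offset, self.get_starttag_text()))


def gate_third_party(html: str, page_url: str) -> Tuple[str, List[Finding]]:
    """Return the page with active third-party embeds gated behind consent, plus all findings."""
    findings = ThirdPartyAuditor(page_url).feed_document(html)
    out = html
    # Edit from the end of the document backwards so earlier offsets stay valid.
    for f in sorted(findings, key=lambda f: f.offset, reverse=True):
        if f.tag not in GATE_TAGS or html[f.offset:f.offset + len(f.raw_tag)] != f.raw_tag:
            continue
        gated = re.sub(r"(?<![\w-])src\s*=", "data-consent-src=", f.raw_tag, count=1, flags=re.I)
        if f.tag == "script" and "type=" not in gated.lower():
            # type="text/plain" keeps the script inert even if some tool restores src early
            gated = gated[:-1].rstrip("/").rstrip() + ' type="text/plain">'
        out = out[:f.offset] + gated + out[f.offset + len(f.raw_tag):]
    return out, findings


if __name__ == "__main__":
    gated_html, found = gate_third_party(SAMPLE_HTML, "https://example.org/music/")
    for f in found:
        print(f"{f.tag:7} -> {f.host}  ({'gated' if f.tag in GATE_TAGS else 'reported'})")
    print(gated_html)
```

The consent banner's accept handler then does the reverse for each gated element (`el.src = el.dataset.consentSrc`, and for scripts re-inserting a fresh element, since a `text/plain` script never executes). Note that a third-party stylesheet `link`, as in the fonts.googleapis.com line, is reported but not gated here; for fonts the answer in this thread is to self-host rather than to ask.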
    • Bernie (codewiz@mstdn.io)'s status on Wednesday, 02-Feb-2022 09:28:25 UTC Bernie Bernie
      in reply to
      • Patrick Georgi
      • Nanook

      @patrick @jayrope @nanook Comments on Reddit are objecting that this ruling essentially makes any CDN illegal unless your website starts with a landing page asking for permission to "transmit" your IP to the CDN operator.

      And this, ironically, makes even websites operated by the EU illegal 😂

      https://www.reddit.com/r/programming/comments/si4qnh/german_court_rules_websites_embedding_google/

      In conversation Wednesday, 02-Feb-2022 09:28:25 UTC permalink
    • ▁jayrope (jayrope@mastodon.online)'s status on Wednesday, 02-Feb-2022 22:27:02 UTC ▁jayrope ▁jayrope
      in reply to
      • Bernie
      • Patrick Georgi
      • Nanook

      @patrick @codewiz @nanook You are right in terms of the Bandcamp shared players, supplied _as is_ by Bandcamp. You can see how the awareness of this is in my thread here https://mastodon.online/@jayrope/107549861263082833
      from a few weeks ago. In fact three people and me are in the process of collecting arguments to send to Bandcamp and asking them to take GA down from their external players.

      If I could technically understand, how to replace the Bandcamp players with a version thereof, that blocks GA -> /2

      In conversation Wednesday, 02-Feb-2022 22:27:02 UTC permalink

      Attachments

      1. ▁ⓙⓐⓨⓡⓞⓟⓔ (@jayrope@mastodon.online)
        from ▁ⓙⓐⓨⓡⓞⓟⓔ
        Attached: 1 image To any musicians on Bandcamp: Can you ask the Bandcamp support, why they use Google Analytics with their shared players? I myself do not want to have _my listeners on my_ sites tracked unasked by Google _at all_. This is also a legal issue for any site owner within the EU. I've asked BC's support already, yet unanswered. If we were many asking this we can form a critical mass around this issue. Thank you for all you do & please boost. #Bandcamp #tracking #google #privacy #followerpower
    • Patrick Georgi (patrick@georgi.family)'s status on Wednesday, 02-Feb-2022 22:27:03 UTC Patrick Georgi Patrick Georgi
      in reply to
      • Bernie
      • Nanook
      @jayrope @codewiz @nanook
      Your profile links to bandcamp sites which import the facebook SDK (e.g. on https://jayrope.bandcamp.com/releases) by loading it from connect.facebook.net.

      https://www.jayrope.com/music/ at some point tries to load some google analytics bits, through the embedded bandcamp players, probably. (I don't know where bandcamp is located so no idea if embedding them is by itself a problem or not)

      No consent dialog anywhere to be seen, and the notion of "Learn, how to deal with that yourself." as found on your imprint page was quite specifically shot down by that court when they remarked that visitors can't be expected to "encrypt their IP addresses" (they probably meant using a VPN?)

      So, good luck, but I don't see how you "serve faster & more efficiently locally" when you don't seem to serve locally in the first place.
      In conversation Wednesday, 02-Feb-2022 22:27:03 UTC permalink

      Attachments

      1. You're a poplar morning person, by jayrope
        5 track album
      2. music | jayrope
        Expert for nothing. Jayrope is a composer from Berlin.
    • ▁jayrope (jayrope@mastodon.online)'s status on Wednesday, 02-Feb-2022 22:27:04 UTC ▁jayrope ▁jayrope
      in reply to
      • Bernie
      • Patrick Georgi
      • Nanook

      @patrick @codewiz @nanook Consequences of this ruling currently seem limited to the remote use of Google Fonts on German websites. How this might extend to the scope of the whole European Community and/or the general use of CDNs remains to be seen. A small CMS-driven artist website (like my own) doesn't benefit from hosting stuff externally. I serve faster & more efficiently locally & I haven't any problems with rulings that are protecting my visitors. I want them to surf free and unexploited.

      In conversation Wednesday, 02-Feb-2022 22:27:04 UTC permalink
    • Patrick Georgi (patrick@georgi.family)'s status on Wednesday, 02-Feb-2022 22:27:06 UTC Patrick Georgi Patrick Georgi
      in reply to
      • Bernie
      • Nanook
      @codewiz @jayrope @nanook As already argued in that thread, CDNs typically provide data processing agreements in which they agree to abide by GDPR rules. As soon as it's a paid service, expect such an agreement to be part of the paperwork.

      There's some uncertainty about US companies being able to give such guarantees given that US feds consider non-US-resident non-US-citizens to be fair game with no legal recourse, which is how the US/EU Privacy Shield was shot down, but I didn't see the court discuss that situation because there is no Google Fonts data processing agreement and so the defense didn't bring up the matter.

      There _are_ tons of services that are non-compliant and are flying under the radar (unlike Google Fonts, which simply by being Google has a huge target on its back), but CDNs are the wrong place to look for examples simply because they work under contracts.
      In conversation Wednesday, 02-Feb-2022 22:27:06 UTC permalink
    • Patrick Georgi (patrick@georgi.family)'s status on Wednesday, 02-Feb-2022 22:28:27 UTC Patrick Georgi Patrick Georgi
      in reply to
      • Bernie
      • Nanook
      @jayrope @codewiz @nanook Bandcamp seems to be incorporated in Oakland, CA, USA.

      What makes you send your visitors to that service (same "IP address is being transferred by default" situation as with Google Fonts, and obviously Bandcamp is tracking users or they wouldn't add telemetry service code to their widget) without getting consent first?
      In conversation Wednesday, 02-Feb-2022 22:28:27 UTC permalink

Bobinas P4G is a social network. It runs on GNU social, version 2.0.1-beta0, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All Bobinas P4G content and data are available under the Creative Commons Attribution 3.0 license.