Website fined by German court for leaking visitor's IP address via Google Fonts

Earlier this month, a German court fined an unidentified website €100 ($110, £84) for violating EU privacy law by importing a Google-hosted web font. The decision, by Landgericht München's third civil chamber in Munich, found that the website, by including Google-Fonts-hosted font on its pages, passed the unidentified …

  1. VoiceOfTruth

    I am hardly surprised

    So many web sites these days include heaps of javascript, trackers, adverts, etc, which are hosted elsewhere. All of these collect information. One of the worst web sites I have found for this is W3 Schools. I understand that web sites want to track readers or viewers or participants. I understand the 'need' for adverts for otherwise free web sites in quite a few (most?) cases. But just how many of these things does a single web site need? Why does a web site need multiple traffic analysis scripts? Before anyone answers, I already know the answer. My question is based on actual 'need' not 'sometimes it is better'.

    The mantra 'be careful where you browse to' has become meaningless, when apparently 'safe' web sites are full of information gathering code hosted on sites that I have never directly visited.

    The tentacles of Google are everywhere, and it would be extremely naive to think or suggest that all this information is not collated. We probably all have a Google ID somewhere.

    1. ecofeco Silver badge

      Re: I am hardly surprised

      Modern website design is utter, utter shite. Insane amounts of bloat and garbage. Just insane.

      1. jake Silver badge

        Re: I am hardly surprised

        "Modern website design is utter, utter shite. Insane amounts of bloat and garbage. Just insane."

        It's not even that good, IMO.

      2. Anonymous Coward
        Anonymous Coward

        Re: I am hardly surprised

        Using and assuming the word "design".

        Modern web, ahem "design"...bolted together from code scraped off StackOverflow and the underside of a shoe, slather tons of React code all over it in a nice gloppy icing type mess, slapped into Github/Azure pipelines and move on to the next contract.

    2. jake Silver badge

      Re: I am hardly surprised

      Take a look at IBM's very own weather.com sometime. What a clusterfuck. I counted 7 layers of redirection once. For a fucking local weather report. This is progress?

      The equestrian websites, designed to keep teenage girls happily occupied, clicking away, dreaming of getting a full time paying job playing with horses are worse.

    3. NATTtrash

      Re: I am hardly surprised

      We probably all have a Google ID somewhere.

      Indeed. Just have a look at the code of your Firefox for example.

      Then again, who needs to surf the interwebz for her/his IP going places? Your OS helps you out there, even if U(SER) never touch one website...

    4. jimmy-o

      Re: I am hardly surprised

      I just finished reading Surveillance Capitalism; which I imagine was on some internal EU reading list, and was partly responsible for triggering the EU's crackdown on personal data collection. I'm minimising the contact with Google/FB in all my software - that book convinced me that the problem is way worse than I could have imagined initially.

  2. cornetman Silver badge

    In fairness, the way that websites particularly e-commerce websites are enormously wasteful on bandwidth and the sheer breadth of internet-wide resources that they require. So much website flab.

    There are rarely situations where a website needs to use a "specific" font and could rely on the ones that are guaranteed to be supported by the browser instead.

    1. ShadowSystems Silver badge

      At Cornetman...

      If your browser will let you, toggle the accessibility options to ignore the site-specified fonts/colours & only use the system defaults. This should speed up the page load times by skipping all the attempts to load any fonts, leaving it to the browser to use the ones you're already using.

      I also refuse to run JavaScript, auto-refuse 3rd party cookies, & rarely allow even 1st party cookies unless I need to create an account I'll revisit later. All those 3rd party JS calls to load some random unknown bit of crap code, all those analytics trying to set their tracking cookie, all those blocked tracking single pixel images (I'm totally blind & can't see the pretty pictures, so I don't let them download in the first place; the sighted may find this a bit frustrating for some reason), it all combines to force faster page load times.

      "You don't use the web, do you?" Yes I do. My bank doesn't require JS, my email provider doesn't require it, my favorite news sites don't require it, and the shopping sites tend to have telephone sales lines to finish the shopping trip. The web is useable without JS, you just need to be willing to force the issue.

      *Hands you a pint*

      Cheers. =-)

      1. werdsmith Silver badge

        Re: At Cornetman...

        My car is usable without a steering wheel if I only want to go in a roughly straight line.

        1. Greybearded old scrote Silver badge

          Re: At Cornetman...

          I don't want a steering wheel with somebody else's hands on it.

          1. eldakka Silver badge
            Pint

            Re: At Cornetman...

            > I don't want a steering wheel with somebody else's hands on it.

            But how else can I drink my beer and send an SMS at the same time if the passenger doesn't steer for me?

            1. jake Silver badge

              Re: At Cornetman...

              Use your knee to steer, of course, just like everybody else.

              There was one gal I used to see on a regular basis on the North bound 101 on-ramp from East bound San Antonio in Palo Alto ... Almost every morning, she'd be drinking coffee, eating a bagel, reading the WSJ, putting on her makeup, and cranking KOME[0] ... steering with her knee. One morning when I was running a trifle late I watched a tow service winching her car out of Adobe Creek.

              When you are driving, drive. It's kind of important.

              [0] Dating myself ... this was around 30 years ago.

        2. bombastic bob Silver badge
          Trollface

          Re: At Cornetman...

          or you can use a set of vice grips clamped onto the spinny steering rod thingy instead.

          "not a wheel"

        3. mpi

          And my car...

          ...is usable without getting in, starting the motor, turning it off again, going to my mailbox, waiting for the steering wheel to arrive, then going to the corner store, getting the paint package, painting the car, getting in the car, fixing the steering wheel, trying to start the car...

          ...only to discover that someone last-second-replaced the car keys in my hand with a hot dog in an attempt to sell me more of them, and now I've got mustard all over my dashboard, because I squelched it against the keyhole accidentally.

      2. Anonymous Coward
        Anonymous Coward

        Re: My bank doesn't require JS

        mine does :(

        1. Mishak Silver badge

          Re: My bank doesn't require JS

          A few years ago, I was shown a First Direct investment platform that would only work with Internet Explorer, and then only in IE6 compatibility mode. You just can't make it up...

        2. Anonymous Coward
          Anonymous Coward

          Re: My bank doesn't require JS

          A UK bank I use appears to have made a change to the code/behaviour of their Online Banking in the past month or so. I only noticed when I tried to download the latest monthly statement and nothing happened when I clicked on it - apart from that issue I see no other functionality problems.

          As I have a very locked-down browser I checked and noticed 2 new bank subdomains being blocked that wanted to load some JavaScript. Not entirely unusual - websites are changed all the time. So I permitted those 2 subdomains and then noticed my browser making requests to 3 "obscure" domains of the form "1.<very long seemingly random name>.com". A "whois" showed the 3 registered at the same date/time about 4 years ago, and the domain owner's name is hidden behind a proxy domain registration company.

          These strange web requests are *definitely* triggered by enabling the 2 new bank subdomains - if I disable them again then no traffic to the strange domains occurs, re-enable them and it starts again immediately, etc.

          I suspect this traffic is not due to a hack but rather is a new analytics company that the bank has started using in the past month (analytic companies like to use "obscure" domains). However the traffic is suspicious - not the sort of thing I would expect a "secure" online banking system to do.

          I've phoned the bank and as expected got nowhere with that approach. I've opened a "help" ticket in online banking and provided "developer mode" screenshots of my browser's requests when this happened.

          I suspect it will be a long slow effort to get the bank to comment on this.

    2. dl1jph

      Unfortunately, that's only half true - the only icon font that's reasonably widely available is practically useless, so the choice comes down to using either images or a remote icon font. The font is significantly more compact. However, hotlinking from google fonts (or similar) is inexcusable - if your own webserver is set up properly, it's a minimal overhead to deliver the font (ideally stripped down to the parts you actually use) once, with a long cache timeout. The chances of needing to change it more than once every few years are slim to none.

      Either way, if your site breaks without javascript and external resources, you're definitely doing something wrong, big time. If it's just a bit of design and a few nice to have details not working, that's how it should be.

      1. Anonymous Coward
        Anonymous Coward

        icon font

        But nobody needs an icon font.

      2. bombastic bob Silver badge
        Facepalm

        who needs an icon font. I just make one as a PNG or JPG - probably takes less time than searching a stupid font for "just the right thing". Use an 'img' tag with some style things and it lines up just fine. And you can make it look like whatever YOU want (and not some 2D FLATTY google chrome thing with poor color contrast that lets them track your IP address).

        I mean how hard IS it to use gimp to make something like that? Oh wait, that's not "modern" enough...

        icon, because, FACEPALM

    3. myhandler

      You're clearly not a typographer or graphic designer. A type face says so much more than just the semantics. You really want to return to every site being in Times, Arial or Verdana?

      1. Cuddles Silver badge

        Personally I'd prefer they all be in Comic Sans.

        1. BobTheIntern

          Calm down, Satan.

      2. Anonymous Coward
        Anonymous Coward

        *ponders*

        Yes, yes I do.

      3. cornetman Silver badge

        > You really want to return to every site being in Times, Arial or Verdana?

        For the vast, vast majority of websites out there, then yes actually I do. I would go further: serif or sans serif will do just fine.

      4. jake Silver badge

        I'm a printer. I own a Heidelberg Windmill, and use it quite regularly. I used to collect typefaces, and own many, many trays, some quite esoteric and rare.

        But I quit collecting. Do you know why? Because I found myself only using three or four on a regular basis. In addition, I almost never change the matrices on my Linotype machine.

        Why? Because the three or four are all that are needed to get the point across. Sure, I can use a zillion different typefaces if I choose. Yes, it says "more than just the semantics" ... it says "The looks are far more important (to me) than the actual content I am trying to convey! I'm here for art's sake, not information transfer! Need info? Look elsewhere!".

        The WWW is a billion monkeys with a billion typefaces producing cut & paste copy from the Ransom Note School of Design.

        Sometimes less is more.

        1. Denarius Silver badge

          variation on million monkeys typing

          Jake,

          brilliant allusion.

        2. Ken Moorhouse Silver badge

          Re: ...to get the point across

          That requires a hefty magnifying glass.

          1. jake Silver badge
            Pint

            Re: ...to get the point across

            ::snort::

            Have a beer or I'll beat on you with my composing stick :-)

      5. Duncan Macdonald Silver badge

        Yes

        Arial, Times New Roman and Courier are sufficient for 80%+ of pages on the Web - of course it would upset some of the "designers" but it would make a lot of the pages more readable.

        Some of the web pages that "designers" have produced are about as readable as a legal contract displayed in Wingdings font.

        Please only use non-standard fonts where really required. (If a page has more than three non-standard fonts then it is normally time to sack the page designer.)

        1. jake Silver badge

          Re: Yes

          Short and to the point. I like it.

          One suggestion ... change this line:

          "it would make a lot of the pages more readable."

          to

          "it would make the pages a lot more readable."

        2. JassMan Silver badge

          Re: Yes @Duncan Macdonald

          Being a bit of a pedant, but I think "sufficient for 80%+ of pages on the Web" is a bit of a fake-fact. Pretty sure that the billions of pages in Asiatic and African fonts make up considerably more than the remaining 20%. Mind you I can't read them on the occasions when I accidentally fall into them which is why I have suppressed 90% of the default fonts installed by Linux.

          Why the f**k don't Linux distributions ask if you want 200+ non-western fonts installed. I'm sure loads of people would appreciate the reduction in install time. [Maybe windoze installs equivalent fonts as well - I wouldn't know since I haven't used it for 15+ years]

      6. Denarius Silver badge

        @myhandler

        yes.

      7. ecofeco Silver badge

        I upvoted because you obviously forgot the /s tag.

      8. mpi

        At present count, my system makes a bit over 200 fonts available for use. Font-Families exist, as does font-stacking. This should be more than enough for most use cases.

        And if a design absolutely, positively, entirely, cannot exist without that one particular font, then whoever runs the site can host it himself.

      9. hnwombat
        Stop

        No chrome wings, please

        You really want to return to every site being in Times, Arial or Verdana?

        Yes.

        Actually, no. Just Times, no Arial or Verdana.

        Thank you.

        Now, if you don't get off my lawn, I'll shake my stick at you again.

    4. bombastic bob Silver badge
      Devil

      Hosting your own copy of a free font is NOT that hard.

      However, if you MUST (for some copyright reason) ALWAYS get the font from the owner's server, you can most likely have some server-side code fetch and cache it on behalf of the web page that uses it... (then the IP address of your web server would be recorded, and not that of the guest visiting your web site)

      Other than that, if you must do a cross-site load of a font, consider using a DIFFERENT font instead (and host it yourself). Many such freebie fonts exist.

  3. b0llchit Silver badge
    Mushroom

    Fine them all, every single one

    Finally!

    The hot linking of websites to third parties is an absolute pain. Even EU government sites have embedded stuff that leak data to non-EU hosters. Unfortunate that the penalty was so small. The website does not give you a choice and that is the problem. Therefore, correct decision.

    CDNs are not necessary almost all of the time and are lazy programmer/designer problems. And, some (like google and other advert slingers) are real data-leak catchers. Even when some now say not to use the data... wait until management changes and be utterly unsurprised about the change of heart. And then there are those CDNs, who have no (clear) policy published.

    Maybe this fine will start a trend.

    1. Anonymous Coward
      Anonymous Coward

      Re: Maybe this fine will start a trend.

      €100? It might be an irritant in case of my hobby site, but this is not the internets of 2021. Perhaps if they increase the fine, for non-compliance, to €100 per day, then per hour, then per minute, this might force some to notice and fix this. SOME.

      1. eldakka Silver badge

        Re: Maybe this fine will start a trend.

        > €100? It might be an irritant in case of my hobby site, but this is not the internets of 2021. Perhaps if they increase the fine, for non-compliance, to €100 per day, then per hour, then per minute, this might force some to notice and fix this. SOME.

        As per the article this was just a warning (emphasis mine):

        The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of €250,000 for each violation, or up to six months in prison, for continued improper use of Google Fonts.

      2. Pseu Donyme

        Re: Maybe this fine will start a trend.

        From the link to the court decision, it seems the 100 € was actually compensation to the plaintiff, not a fine.

  4. marcellothearcane
    Coat

    Only one site?

    I cannot believe only one site has done this - why pick on that one? When are the other fines/lawsuits?

    Off to check I'm not doing the same thing --->
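For anyone doing the same check on their own pages, here is a small audit script: an added example, not code from the thread or from any project. It scans a page's HTML and CSS for resources a visitor's browser would fetch from a foreign host, and flags the Google Fonts hosts the article is about (fonts.googleapis.com, fonts.gstatic.com); the sample markup is constructed and `example.com` is the assumed site host.

```python
"""Audit HTML and CSS for third-party resources a visitor's browser would fetch.

Added example, not code from the thread or any project.  The markup at the
bottom is constructed sample input; example.com stands in for your own host.
"""
import re
from urllib.parse import urlparse

# Hosts discussed in the article: the stylesheet host and the font-file host.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}

# Tags whose href/src attribute triggers a fetch as soon as the page loads.
HTML_REF = re.compile(
    r"""<(link|script|img|iframe)\b[^>]*?\b(?:href|src)\s*=\s*["']([^"']+)["']""",
    re.I | re.S,
)
# @import "...", @import url(...) and any url(...) inside a stylesheet.
CSS_REF = re.compile(r"""(?:@import\s+(?:url\()?|url\()\s*["']?([^"')\s]+)""", re.I)


def foreign_host(ref, base_host):
    """Return the host a reference resolves to, or None if it stays on base_host
    (relative path) or never leaves the page (data: URL)."""
    if ref.startswith("//"):            # protocol-relative URL, still a remote fetch
        ref = "https:" + ref
    parsed = urlparse(ref)
    if not parsed.scheme or parsed.scheme.lower() == "data":
        return None
    host = (parsed.hostname or "").lower()
    return host if host and host != base_host.lower() else None


def audit(html, css, base_host):
    """Return a list of (where, host, url) for every cross-origin fetch found."""
    findings = []
    for tag, url in HTML_REF.findall(html):
        host = foreign_host(url, base_host)
        if host:
            findings.append((tag.lower(), host, url))
    for url in CSS_REF.findall(css):
        host = foreign_host(url, base_host)
        if host:
            findings.append(("css", host, url))
    return findings


def google_font_hosts(findings):
    """Subset of the findings' hosts that belong to Google Fonts."""
    return {host for _, host, _ in findings if host in GOOGLE_FONT_HOSTS}


# Constructed sample: a page that preconnects to gstatic, pulls a Google Fonts
# stylesheet, loads one script from a CDN, and uses an inline data: image.
SAMPLE_HTML = """<html><head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto&display=swap">
<link rel="stylesheet" href="/static/site.css">
<script src="//cdn.example.net/lib.js"></script>
<img src="data:image/png;base64,iVBORw0KGgo=">
</head><body></body></html>"""

# Constructed sample stylesheet: one Google import, one Google-hosted font file,
# one font served from the site's own origin (the fix the thread recommends).
SAMPLE_CSS = """@import url("https://fonts.googleapis.com/css?family=Lato");
@font-face { font-family: Roboto; src: url(https://fonts.gstatic.com/s/roboto/v1/sample.woff2) format("woff2"); }
@font-face { font-family: Local; src: url(/fonts/local.woff2) format("woff2"); }
"""

if __name__ == "__main__":
    results = audit(SAMPLE_HTML, SAMPLE_CSS, "example.com")
    for where, host, url in results:
        print(f"{where:7} {host:25} {url}")
    print("Google Fonts hosts:", sorted(google_font_hosts(results)))
```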

    1. b0llchit Silver badge
      Holmes

      Re: Only one site?

      Well, you did comment in this forum and that means you may have sent(*) info to "doubleclick.net" and "googletagmanager.com". Both domains are present on this page and are directly or script-activated.

      I suggest you use your coat to slap El Reg for €100 for embedding and "forcing" you to send data the third party way.

      (*) install an adblocker, NoScript and Privacy Badger. Then use a bit of time to block anything remotely dangerous for your privacy. Maybe add Greasemonkey to mold your own site alterations.

      1. Death Boffin
        Happy

        Re: Only one site?

        Both those sites are blocked by NoScript. Comments work fine without them.

        1. b0llchit Silver badge
          Thumb Up

          Re: Only one site?

          They indeed work and look good. That is the reason why I'm still on this forum. By default, I block all scripts, ads and many cross-site links. If El Reg stops functioning in that setting, then I'll stop being here.

          So far, El Reg has been very good at resisting script bloat and are able to have a functional site without it. Hope it stays like that for a very long time.

      2. julian.smith
        Happy

        Re: Only one site?

        Both those sites are also blocked by default by uMatrix.

        Comments work fine without them.

      3. Plest Silver badge

        Re: Only one site?

        Or pull the plug on your router and go for a walk in the local park, likely to get less shit on your shoes wandering around the local dog walking patch, then traipsing through Google's quagmire of JS.

    2. localzuk Silver badge

      Re: Only one site?

      If they did that, the courts would do literally nothing except fine website operators. You could run the country off the fines generated.

      1. khjohansen
        Coat

        Re: Only one site?

        ... One can only dream ..!

  5. jake Silver badge

    "The website could have avoided this drama by self-hosting the font, if possible."

    The user could have avoided the drama by telling the web site to fuck off, I have plenty of perfectly good fonts locally.

  6. Anonymous Coward
    Anonymous Coward

    So if

    my website accesses any URL on another site then I'm f***ed then am I

    1. esque

      Re: So if

      Well, maybe you should think about the consequences before using any resources from third parties.

      Nobody forces you to use Google Analytics or fonts or anything.

      1. werdsmith Silver badge

        Re: So if

        Well, maybe you should think about the consequences before using any resources from third parties.

        Well I guess I better stop reading Register comments and get on with creating my own version of OpenStreetMaps.

        I’m going to be busy for a while.

        1. Ben Tasker Silver badge

          Re: So if

          That's not what you need to do though - all you need to do is to have the user consent to it/give them the choice to object.

          Your example of open street maps isn't the same either - fonts can quite trivially be self-hosted, it's not nearly so simple to self host Open Street Maps (there's stuff like OpenMapTiles, but it's still more involved than downloading a font).

          1. Hans Neeson-Bumpsadese Silver badge

            Re: So if

            That's not what you need to do though - all you need to do is to have the user consent to it/give them the choice to object.

            That makes sense when you put it to the sort of audience that you have here on El Reg. However, I wonder how well it would work for less technically-inclined people, many of whom may not even understand what an IP address is.

            Put yourself in the position of, let's say, a more mature user who has done a Google search and found the website for a shop. They click on the 'how to find us' link and instead of seeing a helpful map, they get a pop-up with words to the effect of "to proceed beyond this point and see the map, your IP address needs to be shared with a 3rd party". Would they click on that...or would they not understand what it means, get put off and just go elsewhere?

            I know at least one person who would read that as "if I click that link then you will tell people where I live" (I know because they got a pop-up like that once, and phoned me in a state of mild agitation)

            1. Anonymous Coward
              Anonymous Coward

              Re: So if

              "instead of seeing a helpful map, they get a pop-up with words to the effect of "to proceed beyond this point and see the map, your IP address needs to be shared with a 3rd party""

              The website simply needs to self-host an image of the area around their location (like people used to do before the likes of Google Maps) and have that image clickable, with the "if you proceed..." message displayed to obtain informed consent before loading a "proper" map from Google, and that's then compliant with GDPR.

              With the current situation of directly loading Google Maps on the website the user's browser talks to Google immediately on pageload whether or not the user intends to use Google Maps and that's where the legal problem lies.

      2. veti Silver badge

        Re: So if

        I thought the web was meant to be about sharing. If a resource is hosted publicly, what kind of sense does it make for everyone who wants to use it to have to create, host and maintain their own copies?

        Yes, yes, I know the answer, and I understand the ruling. I even agree with it. But it's with a heavy heart that I do so. This is not the web I was promised.

        1. Greybearded old scrote Silver badge

          Re: So if

          Corporate mass surveillance is not the web I was promised.

          1. Plest Silver badge
            Facepalm

            Re: So if

            Sadly Mr and Mrs SixPack wanted FaceCrap and Twatter on every device within arm's reach, all that network kit and hosting needs to be paid for if people want "free" services.

        2. Anonymous Coward
          Anonymous Coward

          Re: So if

          I thought the web was meant to be about sharing. If a resource is hosted publicly, what kind of sense does it make for everyone who wants to use it to have to create, host and maintain their own copies?

          Share and Enjoy get prosecuted

        3. codejunky Silver badge

          Re: So if

          @veti

          "I thought the web was meant to be about sharing"

          It's a brave new world. Sharing doesn't work with the me, me, me people. Everyone wants something for free but doesn't want to pay a price. While not the approach I take (I don't trust others to go offline) it seems reasonable we should be able to point to the provider for the feature we want. But that goes against privacy for the people who spaff their info all over the interwebs.

    2. Graham Cobb Silver badge

      Re: So if

      Yes.

      If you want to use a javascript framework that is your choice. But host it on your own website instead of making my browser access someone else's site without my explicit permission.

    3. localzuk Silver badge

      Re: So if

      Relying on a third party site for a library or font is risky as well. Especially when it's a "free" service. Why would the company be doing this for free? It costs them money to host it for you...

      What happens when they randomly decide to change the files for something else? Or it gets compromised and 50 million sites all use it?

      Host yourself, MUCH better all round.

      1. Anonymous Coward Silver badge
        Big Brother

        Re: So if

        You can specify a checksum in the script tag, so a changed file won't get processed.

        By having every website refer to a single host, that will save millions of downloads as the browser can cache that resource.

        If you don't specify the checksum, you can point to the latest version which means that any fixes applied to the library will be deployed to your site automatically, without having to remember to check and update your source.

        There are arguments both ways. The bigger problem is the EU deciding that an IP address alone constitutes PII.

        Naturally this will just lead to more CGNAT deployments, so we will all suffer.
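The "checksum in the script tag" mentioned above is Subresource Integrity (SRI). As an added example, not code from the thread or any project, the following computes the integrity attribute for a library you host (or pin on a CDN) and re-checks fetched bytes the way a browser does before executing them; the library bytes are constructed sample input.

```python
"""Subresource Integrity (SRI): generate and verify the integrity attribute.

Added example, not code from the thread or any project.  LIB below is a
constructed stand-in for a JavaScript library a site ships to its visitors.
"""
import base64
import hashlib

# Hash functions the SRI specification accepts; anything else is ignored by browsers.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def integrity_for(data, algorithm="sha384"):
    """Return the integrity attribute value ("<alg>-<base64 digest>") for data."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, data):
    """Render the tag a site would publish.  crossorigin="anonymous" is required for
    SRI to be enforced on a cross-origin (CDN) fetch; it is harmless when self-hosting."""
    return (f'<script src="{src}" integrity="{integrity_for(data)}" '
            f'crossorigin="anonymous"></script>')


def verify(data, integrity):
    """Mimic the browser check: True only if data matches a listed hash.

    Simplification of the spec: every token is checked, whereas browsers only
    consider the strongest algorithm present.  Unknown algorithms never match,
    so a tampered or replaced file is refused rather than executed."""
    for token in integrity.split():
        algorithm, _, _digest = token.partition("-")
        if algorithm in SRI_ALGORITHMS and integrity_for(data, algorithm) == token:
            return True
    return False


# Constructed sample library and a "changed on the CDN" variant of it.
LIB = b"window.greet = function () { return 'hello'; };\n"
LIB_TAMPERED = LIB + b"window.track = function () { /* injected */ };\n"

if __name__ == "__main__":
    tag = script_tag("/static/lib.js", LIB)
    print(tag)
    print("original verifies:", verify(LIB, integrity_for(LIB)))
    print("tampered verifies:", verify(LIB_TAMPERED, integrity_for(LIB)))
```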

        1. Christoph

          Re: So if

          There have been recent cases where open source code used by thousands of sites has been found to have a security hole. If you self-host such code you will not automatically get updated when the code is fixed.

          You may never even hear about the problem - you might be running code that is years out of date because you forgot to check for updates.

          1. Phil O'Sophical Silver badge

            Re: So if

            If you're copying and hosting code you should have a process in place to track reported security issues.

            If you pull it dynamically and unchecked from a 3rd party site you're invisibly exposed to any future bugs that get introduced, accidentally or deliberately.

            If you're providing code that will be executed by your users or customers there's simply no excuse for not validating and hosting it yourself.

        2. localzuk Silver badge

          Re: So if

          Outsourcing your update process to a third party you don't have any form of legal contract with is a recipe for disaster.

          Simply leaving it to them is abdicating your own legal responsibilities too.

          Also, an IP address can very much be PII. You can find out exactly who someone is with only the IP address and a date and time to start with...

          1. Blitheringeejit

            Re: So if

            You can find out exactly whose router/wifi someone is using with only the IP address and a date and time to start with...

            FTFY - though we should also consider VPNs, which are now being marketed to the paranoid masses...

        3. Anonymous Coward
          Anonymous Coward

          Re: So if

          "The bigger problem is the EU deciding that an IP address alone constitutes PII"

          You mean the EU deciding that an IP address alone constitutes Personal Data? "PII" is a term that appears to have originated from the USA with their far narrower Data Protection laws. "Personal Data" is the correct GDPR term; the 2 terms are not interchangeable and mixing them up only confuses any discussions.

          Also whilst it may be a problem for some/many organisations (especially USA-based ones like Google & Facebook) that the EU decided this, it is actually a good thing from the perspective of individuals' own privacy.

        4. Necrohamster
          WTF?

          Re: So if

          "...The bigger problem is the EU deciding that an IP address alone constitutes PII..."

          If you can be identified from your IP address, then yes, an IP address truly is PII.

          Post an anonymous death threat to BoJo or Joe Biden on Facebook or Twitter and see how long it takes to get a knock on your door ;)

          The fact that the *EU* is saying an IP is PII doesn't somehow make it any less true...

  7. Anonymous Coward
    Anonymous Coward

    Google Fonts and privacy?

    There is something weird with Google Fonts that I don’t particularly trust.

    A few weeks ago I was working on a completely new site on a completely new domain. And not an easy to guess domain name either.

    I never let my own sites download fonts from other places as I don’t like my sites to be dependent on strangers. In this case, however, I used a template generator for a specific part and that generator produced CSS that got the active font from Google. I knew this but the site wasn’t live and nobody was using it or even knew of its existence. For days my visits were the only entries in the server access log. I was going to get to changing the font to a download from my server nearer the publication date.

    And then a Google bot visited the site.

    I don’t know how it knew of the site’s existence. I hadn’t disclosed the URL to anyone yet. Hadn’t posted it anywhere. Wasn’t using Chrome (or any other Google tools that could inform the mothership).

    The only thing I can think of is that Google Font script. It uses some odd techniques in that Google Fonts are not just links to some .WOFF2 file on Google’s servers but you actually need to include a CSS that resides on Google’s servers, which in turn executes the downloading of the fonts. I wonder if that CSS also triggers some process on Google’s servers to check where it’s hosted or referred from.

    Anyway, an interesting experiment for a privacy researcher. Set up a new page on an unguessable domain. Only link to Google Fonts and see how long it takes for Google to show up in your server logs.

    1. b0llchit Silver badge

      Re: Google Fonts and privacy?

      Because your browser leaks data. Via scripts directly and in embedding through f.ex. the referrer data. Also beware of cookies that get sent because of embedding.

    2. MatthewSt

      Re: Google Fonts and privacy?

      I wouldn't be surprised if it's possible to get the list of registered domains for a TLD (eg the root servers for your TLD must know them at least) and they just trawl that

    3. Anonymous Coward
      Anonymous Coward

      Re: Google Fonts and privacy?

      You've basically followed the same process that made German developers discover that Microsoft was listening in to Skype messages, I think it was in 2004 or so. At the time it was reported on Heise Online.

      There too, a totally random newly set up page URL was shared and because they were testing they were monitoring their logs. Within a second of mentioning the URL they got a hit from a Microsoft IP address.

      Nowadays, Microsoft as well as everyone else camouflages this surveillance by showing you a preview, but when I saw this reported I started tracking where the ping came from, and over the years it moved from Redmond to Azure, then to Azure in Europe until I lost interest some years ago :). In all that time, it has never taken more than 3 seconds to get a hit - most of the time it was instantaneous.

    4. Charlie Clark Silver badge

      Re: Google Fonts and privacy?

      Google could and should be clearer about what Google Fonts is, how it works, and whether any data is collected and if so what happens with it. But basically, the world doesn't really need web fonts. If you do want them, then host them yourself.

      1. Anonymous Coward
        Anonymous Coward

        Re: Google Fonts and privacy?

        It also dramatically speeds up your site. Anything that has to be pulled in from elsewhere creates dependencies and delay - and now, legal exposure.

        Just don't.

    5. This post has been deleted by its author

    6. Anonymous Coward
      Anonymous Coward

      Re: Google Fonts and privacy?

      "The only thing I can think of is that Google Font script. It uses some odd techniques in that Google Fonts are not just links to some .WOFF2 file on Google’s servers but you actually need to include a CSS that resides on Google’s servers, which in turn executes the downloading of the fonts."

      I believe this is because the original link ultimately can redirect to the font in one of several file formats depending on your browser - from memory there are 3 different file formats varyingly supported in the mainstream browsers and even where more than 1 format is supported the "best" supported format may vary.

  8. Anonymous Coward
    Anonymous Coward

    Well, that's what I said a while back..

    .. but to be honest, I wasn't expecting a court to deem what I referred to as sufficient to declare it illegal because there's a sort of haze around its collection stats due to caching.

    However, if Google Fonts are out then I would estimate around 99% of all EU Wordpress sites are toast because ALL WP themes seem to be based on Google fonts, but far, FAR more interesting is that this also declares EU use of Adobe Typekit fonts illegal. That one, I reckon, may prove far more entertaining, because Adobe is one of the less recognised data gatherers out there.

    As for stats, we've switched to Matomo ages ago..

  9. Anonymous Coward
    Anonymous Coward

    So, when will El Reg lose its Google dependency then?

    According to uBlock Origin, El Reg uses a number of Googly things.

    Maybe time to fix?

    1. Tim99 Silver badge
      Big Brother

      Re: So, when will El Reg lose its Google dependency then?

      According to my browser, it is blocking google-analytics.com; googletagmanager.com; and doubleclick.net .

  10. parityerror

    YouTube

    Can EU sites no longer embed a YouTube video using the same rationale? It has be downloaded and self-hosted?

    1. Anonymous Coward
      Anonymous Coward

      Re: YouTube

      Don't be silly, you do know better. Of course it can, but, as required by GDPR, you have to ask your visitor if they are OK with "it". Yes, I know, start crying that it's a PITA, not "enhancing the experience", but that is what it all boils down to, right?

      To use an appropriate film quote: "Ignorance is bliss". Or to translate it to a remark frequently heard on the other side of the (commercial) pond: Free choice is a PITA...

      1. Ian Johnston Silver badge

        Re: YouTube

        I don't think I have ever been asked if I am happy for a YouTube video to be embedded.

        1. Draco
          Windows

          duckduckgo will ask

          Clicking on a YT video on the Videos tab, it presents me this message:

          YouTube Privacy Warning

          YouTube (owned by Google) does not let you watch videos anonymously. As such, watching YouTube videos here will be tracked by YouTube/Google.

          Before offering me the "Watch Here" or "Watch on YouTube" buttons (unless you've been silly enough to accept the "Remember my choice" option)

    2. Brewster's Angle Grinder Silver badge

      Re: YouTube

      Google Fonts can be self-hosted to avoid running afoul of EU rules and the ruling explicitly cites this possibility to assert that relying on Google-hosted Google Fonts is not defensible under the law.

      (My emphasis.)

      I didn't read the judgement. But that's hinting the problem only occurs where there is a choice to self host and you don't. If the data MUST be served from a third party, then that might be a reasonable defence. (Especially as a video is obvious in the way a font isn't.)

    3. Anonymous Coward
      Anonymous Coward

      Re: YouTube

      "Can EU sites no longer embed a YouTube video using the same rationale?"

      Yes the legal "exposure" is the same.

      The solution, which I've seen quite a few websites do to address this, is that the "video" on the webpage is actually a locally-hosted image and then when you click on it you are told that clicking again to view the video will use an external 3rd party (i.e. YouTube or Vimeo).

      So when you go to the original webpage nothing is sent to YouTube/Vimeo, whereas in the more typical situation these days of embedding a YouTube video Google "know" that you've gone to that webpage whether or not you've viewed the video.

      The same issue applies when having Google Maps embedded in one of your webpages.

      This is all obvious to anyone who has fully considered the GDPR - I talked about this locally in May 2018 shortly before GDPR came into effect.

  11. alain williams Silver badge

    Faster web sites

    will be a beneficial result of stopping all of this linking, little of which is really noticeable to the user.

    1. really_adf

      Re: Faster web sites

      Yes and no. A site hosting its own fonts, JS libraries, etc means no need to connect to other servers, but you'll download common resources once for each site, instead of just once.

      I'm not sure I understand the basis of the fine. If I host a site, visitors must reveal their IP address to those operating intermediate routers. The visitor has no control over this. That's OK, because there's no alternative? I can reference remote resources but only if hosted by a provider that assures me it won't use the IP addresses it sees, beyond what is necessary?

      1. Richard 12 Silver badge
        Headmaster

        Re: Faster web sites

        You can do such data collection and processing as is required to perform the service the resident requested.

        No more.

        It's very simple.

        Giving your IP address to Google is not necessary. For example, the font is demonstrably not required at all - the browser has its own font store.

        Heck, the user may be using a screen reader and not rendering fonts at all.

      2. Anonymous Coward
        Anonymous Coward

        Re: Faster web sites

        > But you'll download common resources once for each site, instead of just once.

        That is FUD from Google and its ilk.

        In practice, how likely are you to come across two sites both using the same oh I'm so unique font?

        Also, it's often defeated by the browser adding a "no-cache" directive to the request headers.

        And in any case, it is a brave man who doesn't clean all his navigation history upon closing his browser.

  12. localzuk Silver badge

    UK rules

    I wonder what the UK rules, once they've been overhauled, will say about this sort of thing? I suspect it may end up on Boris' bonfire of "red tape".

    1. Mishak Silver badge

      The way things are going...

      He may "accidentally" get pushed on top...

    2. Fred Daggy Bronze badge

      Re: UK rules

      It will put British firms at a disadvantage, mostly.

      In any event, the new UK non-GDPR can only add to the red tape. With a small savings, possibly, only for UK firms selling inland only. Take on the world, including Europe? Then it will be necessary to STILL comply with GDPR. But now, with an extra layer of UK non-GDPR.

    3. Phil O'Sophical Silver badge

      Re: UK rules

      UK data protection rules have historically always been tougher than EU ones.

      1. Graham Cobb Silver badge

        Re: UK rules

        That may be true in some ways and not in others. But, in any case, as the earlier post pointed out:

        Just making them different increases red tape!

        No Tory donor (sorry, I mean "no global UK business") wants different rules for their worldwide web site from those for their UK site.

  13. alain williams Silver badge

    Will google have to remove

    the information that we now learn it obtained illegally ?

    It does not matter if it was google's fault, it has personal information obtained without consent.

    Even if google says that it has removed the information, do we trust them to be truthful ?

    1. Phones Sheridan Bronze badge

      Re: Will google have to remove

      "Will google have to remove the information that we now learn it obtained illegally ?"

      Until a plaintiff obtains a legally enforceable judgement or court order against Google, the answer is no, it just won't.

      And even then, Google is probably big enough to stall the process indefinitely, and even then once that's exhausted, they probably still wouldn't.

    2. jake Silver badge

      Re: Will google have to remove

      Of course! When the Court demands it, alphagoo will quite happily remove all the gathered information from every single production and development system! And they will be equally happy for the court-appointed auditors to verify the removal!

      During the meanwhile, at the carefully curated off-site backup location ...

      1. Anonymous Coward
        Anonymous Coward

        Re: Will google have to remove

        But they would then need to track you to ensure they are correctly not tracking you

  14. Plest Silver badge
    Unhappy

    Least worst option

    Hmmm, lots of people proclaiming the self hosting ideal, nice idea until a serious flaw is found, compromised and next thing the scuzzbag crews have a nice set of compromisible websites to spew more shite to hook the innocent. How long do you work on a website project contract, 3 or 4 years? Ha, more like 2 months max and then gone leaving something behind that would be left to age disgracefully and unpatched. I don't like pulling resources from CDNs and I do it with a heavy heart, only hooking what I need, but I know that if something went wrong patches may not appear there instantly but as soon as they were applied my sites are then patched by dint of being hooked into a common set of libraries.

    CDN hosted is the "least worst of" compromise to a terrible state of affairs.

    1. Graham Cobb Silver badge

      Re: Least worst option

      It's really not hard. If you really want to abdicate your responsibilities for managing the code you download to people's browsers to third parties there are many ways to make the code available without allowing the third party to see the user's own IP address.

      Two immediately obvious, old-skool approaches are (i) to host the code yourself and have a regular, or even (if you insist) automated update process to fetch new code, (ii) just reverse-proxy the download from your web server so the 3rd party sees only your IP address. These can be trivially enhanced with a caching web server, or can be out-sourced to a third party (such as a CDN) as long as you have appropriate commercial agreements in place to mean you are the data processor and they cannot make their own use of the data they get.

      Better still, keep the code simple and employ appropriate programmers (such as through a 3rd party website creation company) to make sure it is professionally maintained. Treat it exactly as you treat your ERP system and your outsourced HR.
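      The "host them yourself" advice from Charlie Clark and Brewster's Angle Grinder above, and option (i) in the post just above (fetch the code yourself on a regular update schedule), come down to one mechanical step for fonts: take the stylesheet the font service returns, point every `url(...)` at a copy on your own host, and serve that copy. The following Python is an added example, not code from the page, from The Register, or from Google; the `SAMPLE_CSS` stylesheet, the `Example Sans` family and the `/fonts/` path are constructed for illustration. One caveat a practitioner wants: the stylesheet such services return varies by User-Agent (the point made in post 6 above about several file formats), so fetch it with the User-Agent of a current browser to get the `woff2` variant.

```python
"""Self-hosting a third-party font stylesheet: rewrite remote font URLs to
local paths so the visitor's browser never contacts the font host.

Added example, not code from the page or from any font provider.
Assumes the CSS was fetched once server-side and the referenced files are
mirrored under /fonts/ on the site's own host (constructed names throughout).
"""
import posixpath
import re
from urllib.parse import urlparse

# Constructed sample of the kind of stylesheet a hosted font service returns.
SAMPLE_CSS = """\
/* latin */
@font-face {
  font-family: 'Example Sans';
  font-style: normal;
  font-weight: 400;
  src: url(https://fonts.example.test/s/examplesans/v1/abc123.woff2) format('woff2');
  unicode-range: U+0000-00FF;
}
/* latin-ext */
@font-face {
  font-family: 'Example Sans';
  font-style: normal;
  font-weight: 700;
  src: url("https://fonts.example.test/s/examplesans/v1/def456.woff2") format('woff2');
}
"""

# Matches url(...) with an absolute http(s) URL, optionally quoted.
URL_RE = re.compile(r"url\((['\"]?)(https?://[^)'\"]+)\1\)")


def local_name(remote_url: str) -> str:
    """Derive a stable local filename from the remote URL's path components,
    keeping the directories so two files with the same basename do not collide."""
    path = urlparse(remote_url).path
    return "-".join(part for part in path.split("/") if part)


def rewrite_font_css(css: str, local_prefix: str = "/fonts/"):
    """Return (rewritten_css, mapping) where mapping is {remote_url: local_path}.
    The mapping is the download list for the mirroring step."""
    mapping = {}

    def repl(match):
        remote = match.group(2)
        local = posixpath.join(local_prefix, local_name(remote))
        mapping[remote] = local
        return f"url({local})"

    return URL_RE.sub(repl, css), mapping


def remaining_third_party_hosts(css: str):
    """Hosts still referenced by absolute url(...) entries; empty after a full rewrite.
    Run this as the check before deploying the rewritten stylesheet."""
    return sorted({urlparse(m.group(2)).netloc for m in URL_RE.finditer(css)})


if __name__ == "__main__":
    rewritten, downloads = rewrite_font_css(SAMPLE_CSS)
    for remote, local in downloads.items():
        print(f"mirror {remote} -> webroot{local}")
    print("third-party hosts left:", remaining_third_party_hosts(rewritten) or "none")
```

      The mapping returned by `rewrite_font_css` is the list of files the scheduled update job fetches into the web root; the rewritten CSS is what the page links to. `remaining_third_party_hosts` is the deploy-time check that no absolute URL slipped through.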

  15. Draco
    Windows

    This is quite chilling

    Lots of websites pull resources from other places - in fact, it's often encouraged. Want to display mathematical equations on your site: link to the - external - officially hosted version of MathJax - means you also get updates without having to manage it on your end. Want to use Bootstrap: link to the - external - officially hosted version. This is true for so many (most?) web frameworks, libraries, fonts, and other resources.

    If every site has to maintain their own local copy of jQuery, what is their liability for not keeping it up to date? Because we've just been told they're liable for using external 3rd party resources (which silently roll out updates when needed - which is another thorny issue).

    I am not trivializing privacy concerns. I prefer to be as untracked as possible, but every single connection on the Internet requires knowledge of the endpoint (yes, you can obscure it through a VPN or proxy, but you're not "anonymous" to them). You can't simply have a policy of not logging or tracking IP addresses, because that information is useful for blocking "hostile" actors (you know, the ones who keep trying to hack your site). On the other hand, it is really, really creepy if an actor - like Google - is taking access to a "public" resource and then trying to use it to build an identifiable profile.

    Does the onus belong on a website using a 3rd party resource in good faith, or does it belong on the 3rd party providing a public resource in bad faith? Never mind all the thorny issues of what is appropriate due diligence on a website's part.

    Security and privacy on the Internet are very difficult things.

    1. llaryllama

      Re: This is quite chilling

      This nuanced reply is what I was hoping to see. I understand both sides of the argument but I think criminal penalties against a site for fetching third party resources are out of line.

      I manage a few complex sites for our company that use external resources such as jQuery and commonly used Google fonts. We use only two typefaces across the whole site and they don't just make the design more attractive, the sans serif font we chose is very clean and readable when presenting large amounts of data on screen. Nothing breaks in formatting or function if a user wants to disable the custom fonts for any reason.

      Google and other search engines penalize slower sites heavily in search rankings so it's considered good practice to use known safe public repositories for commonly used libraries. This way instead of fetching a fresh copy of jQuery or common Google fonts the client can use their cached copy.

      I would really like more context about this story to find out how big the site is, what the complainant's motivations are, whether the site was warned in advance etc. but unfortunately I don't speak German.

  16. Anonymous Coward
    Anonymous Coward

    Please do Gravatar next

    About 40% of web sites run WordPress, and Automattic adds Gravatar to them for tracking purposes.

  17. Pseu Donyme

    Having waded through the decision via the link provided I was surprised to see that it did not rely on the Schrems decisions. Instead, since there wasn't consent the defendant tried to rely on legitimate interest but the court ruled that it doesn't apply as the font could have been self-hosted and therefore there was no need for Google to get the IP-address; Google being a well-known data hoarder was also mentioned. I'd think the use of 3rd party resources might still be legal on legitimate interest grounds if there isn't a straightforward alternative and if the 3rd party could be trusted not to use the IP-address for its own purposes; a contract preventing such use or the 3rd party merely being in the EU or another jurisdiction with sufficient data protection legislation making such use illegal could suffice (in any case 3rd parties located in the US are out though because of the Schrems decisions).

  18. Anonymous Coward
    Anonymous Coward

    Good to see this finally clarified

    I remember questioning the GDPR impact of the use of Google Fonts (or indeed other 3rd party hosted fonts, videos, maps, etc) back in May 2018 when discussing the introduction of GDPR with a local group of IT people.

    Good to see some clarity finally.

    It has been a while since I dug through Google's GDPR-related docs for their services but wasn't Google Fonts one of the services where Google claim to be just a Data Processor acting on behalf of the website and that, as part of the website's agreement with Google for use of Google Fonts, Google *requires* the website to draw individuals' attention to the use of this Google service *in advance*? How do you inform someone in advance if any page on the website to inform them makes use of Google fonts in the 1st place?

    I see the same sort of "silliness" with many companies' Privacy Notices where I cannot actually read them, so that they can inform me of 3rd party stuff, as I don't have 3rd party fonts/javascript/trackers/other content enabled - in many cases I just see a blank page.

    BTW Google's anonymisation of IP addresses for their services is not actually valid for IPv6, they truncate on a /48 when a /48 is a valid prefix to allocate to a *single* customer and some ISPs do actually allocate /48 to domestic customers. They should be truncating on something like a /40 to have any sort of credible anonymisation..
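    The /48 versus /40 point above is easy to check numerically: prefix truncation only anonymises if the retained prefix is shared by many customers. The Python below is an added example, not code from the page or from Google; the addresses are constructed from the 2001:db8::/32 documentation range and stand in for two devices behind one customer's /48 and one device at a neighbouring customer.

```python
"""IPv6 prefix truncation as an anonymisation step: what survives at /48 vs /40.

Added example, not from the page. Addresses are constructed (2001:db8::/32 is
the IPv6 documentation range) and model the situation described above: an ISP
that hands each domestic customer a whole /48.
"""
import ipaddress

# Constructed sample: two hosts inside one customer's /48, one host next door.
CUSTOMER_A = ["2001:db8:1234:1::10", "2001:db8:1234:2::20"]
CUSTOMER_B = ["2001:db8:1235:1::10"]
CUSTOMER_PREFIX_LEN = 48  # the allocation size the post says some ISPs give one home


def truncate(addr: str, prefix_len: int) -> str:
    """Zero every bit beyond prefix_len and return the surviving prefix,
    e.g. truncate('2001:db8:1234:1::10', 48) -> '2001:db8:1234::/48'."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return str(net)


def distinguishable(addrs, prefix_len: int) -> int:
    """How many distinct values the 'anonymised' field takes across addrs.
    If every customer still maps to its own value, nothing was hidden."""
    return len({truncate(a, prefix_len) for a in addrs})


def customers_per_bucket(prefix_len: int, customer_prefix_len: int = CUSTOMER_PREFIX_LEN) -> int:
    """Number of customer allocations that share one truncated value.
    1 means the truncated value still identifies a single customer."""
    if prefix_len >= customer_prefix_len:
        return 1
    return 2 ** (customer_prefix_len - prefix_len)


if __name__ == "__main__":
    everyone = CUSTOMER_A + CUSTOMER_B
    for plen in (128, 48, 40):
        print(f"/{plen}: {distinguishable(everyone, plen)} distinct values, "
              f"{customers_per_bucket(plen)} customer(s) per value")
```

    With a /48 allocation per household, truncating to /48 still leaves one value per customer, so the field is a customer identifier minus the device bits; truncating to /40 folds 256 such allocations into each value.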

  19. Anonymous Coward
    Anonymous Coward

    Is this the end of the road for CDNs then?

    Where does it stop?

    TheReg has google stuff embedded in its main page, so does pretty much every site I've ever seen. This is completely commonplace normal practice. CDNs are there for plenty good reasons. They save time and bandwidth both for site owners and end users. Will this ruling kill them all off and make everyone go back to the old ways?

    So much for progress, everything that's useful is gradually being killed off by people who don't understand the question
