German Court Fines Site Owner For Sharing User Data With Google To Access Web Fonts
from the getting-fined-the-odd-way dept
The European Union’s data privacy law, the GDPR (General Data Protection Regulation), has caused all sorts of problems since it took effect. Its rollout was itself a mess, one that immediately resulted in a whole lot of websites simply refusing to let European users connect to them.
Since it was unclear how to avoid running afoul of the law, it was easier to sidestep potential fines by simply cutting European users out of the equation. Everyone else was greeted with a new warning about cookies at nearly every website they visited — a small hassle to be sure, but a hassle nonetheless.
Then there were the truly unexpected consequences of the new law that imposed data-gathering and data-sharing restrictions on any business, whether they were internet-based or not. In some areas, GDPR was read as requiring retailers to notify purchasers of items when the items were returned — something that would make the exchange of unwanted Christmas gifts extremely awkward.
In another weird case, post offices in Ireland removed waste bins from their facilities because customers were throwing out unwanted mail and receipts, resulting in the offices’ unintentional collection of personal data. When the waste bins went missing, customers resorted to throwing their trash on post office counters and floors, leaving it even more unregulated than it was when the waste bins were still in place.
Yet another side effect no one saw coming: the use of Google’s Font API was enough to get a website fined by a German court. (via Slashdot)
Earlier this month, a German court fined an unidentified website €100 ($110, £84) for violating EU privacy law by importing a Google-hosted web font.
The decision, by Landgericht München’s third civil chamber in Munich, found that the website, by including a Google-Fonts-hosted font on its pages, passed the unidentified plaintiff’s IP address to Google without authorization and without a legitimate reason for doing so. And that violates Europe’s General Data Protection Regulation (GDPR).
The court says whether or not Google did anything with the forwarded IP address is beside the point. The fact is the website engaged in the unauthorized transmission of this IP address to Google by using its font API to access a font to render the text on the site. The court’s decision points out this can be avoided by self-hosting the font and notes that the website operator has chosen to do this going forward. That being said, the court still feels a fine is the only way to ensure future compliance with GDPR.
Risk of repetition is to be affirmed. It is undisputed that the plaintiff’s IP address was forwarded to Google when the plaintiff visited the defendant’s website. Previous unlawful impairments justify an actual assumption of the risk of repetition, which was not refuted by the defendant. The risk of repetition is not eliminated by the fact that the defendant now uses Google Fonts in such a way that the IP address of the website visitor is no longer disclosed to Google. The risk of repetition can only be eliminated by a declaration of discontinuance with a penalty.
The fine here may have been minimal, but the law allows a penalty of €250,000 ($286,000) per violation, and the court warns the website operator that such a penalty is not only possible, but probable, if the problem doesn’t go away. There’s also the (very slim) chance the improper use of Google Fonts could result in prison time, because that’s also a potential GDPR violation penalty.
While the solution here appears to be simple enough — self-host fonts — the reality of the situation is that this decision will lead to yet another pop-up asking for consent that will stand between site users and the content they’re trying to access, and that no one will read before clicking “accept.” It won’t make the web a better place and it won’t do much to limit the sharing of personal data with off-site entities. It will just make everything a little more annoying.
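The self-hosting remedy the court pointed to, alongside a check for the pattern that triggered the ruling, as an added example that is not code from Techdirt, the court or Google: it flags every off-origin `<link>` and CSS `url()`, rewrites a Google Fonts stylesheet URL into self-hosted `@font-face` rules, and tests whether a Content-Security-Policy would let the browser fetch fonts or stylesheets off-site at all. The sample markup, the site host `example.org`, the CDN `cdn.example.net` and the `/fonts/` path are assumptions.

```python
"""Audit a page for third-party font loading and show the self-hosted fix.

Added example for this article, not code from Techdirt, the court or Google.
The sample HTML/CSS, the site host example.org and the hypothetical CDN
cdn.example.net are constructed; /fonts/<name>.woff2 is a placeholder path.
"""
import re
from urllib.parse import unquote_plus, urlparse

# A Google Fonts <link> fetches a stylesheet from googleapis.com, which then
# makes the browser fetch font files from gstatic.com; either request
# discloses the visitor's IP address to Google.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}

LINK_HREF_RE = re.compile(r'<link\b[^>]*\bhref\s*=\s*["\']([^"\']+)["\']', re.I)
CSS_URL_RE = re.compile(
    r'url\(\s*["\']?([^"\')\s]+)["\']?\s*\)|@import\s+["\']([^"\']+)["\']', re.I)

def third_party_resources(html, css, site_host):
    """List every <link href> and CSS url()/@import that points off-origin.
    Protocol-relative URLs (//host/path) count as absolute; root-relative
    paths (/fonts/x.woff2) have no host and are therefore self-hosted."""
    refs = [("html <link>", m.group(1)) for m in LINK_HREF_RE.finditer(html)]
    refs += [("css", m.group(1) or m.group(2)) for m in CSS_URL_RE.finditer(css)]
    findings = []
    for where, url in refs:
        host = urlparse(url).hostname  # already lower-cased by urlparse
        if host and host != site_host.lower():
            findings.append({"where": where, "url": url, "host": host,
                             "google_fonts": host in GOOGLE_FONT_HOSTS})
    return findings

def self_hosted_font_face(google_fonts_url, local_dir="/fonts"):
    """Turn a Google Fonts stylesheet URL into @font-face rules for font files
    served from the site's own origin, the remedy the court pointed to.
    Handles the css2 API (family=Open+Sans:wght@400;700) and the legacy css
    API (family=Roboto:400,700|Lato). The operator still has to download each
    font file once and place it under local_dir."""
    rules = []
    # Split on '&' by hand: css2 URLs carry ';' inside values, which older
    # urllib.parse.parse_qs would also treat as a separator.
    for part in urlparse(google_fonts_url).query.split("&"):
        key, _, value = part.partition("=")
        if key != "family":
            continue
        for fam in value.split("|"):
            name = unquote_plus(fam).split(":")[0].strip()
            if name:
                fname = name.lower().replace(" ", "-")
                rules.append("@font-face {\n"
                             f'  font-family: "{name}";\n'
                             f'  src: url("{local_dir}/{fname}.woff2") format("woff2");\n'
                             "  font-display: swap;\n}")
    return "\n".join(rules)

def effective_sources(csp, directive):
    """Source list a browser applies to `directive` under a CSP header: the
    directive itself, else default-src, else unrestricted (returned as ['*'])."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives.get(directive, directives.get("default-src", ["*"]))

def leaks_to_third_parties(csp):
    """True if the CSP lets the browser fetch stylesheets or fonts off-site.
    Both directives matter: allowing fonts.googleapis.com in style-src already
    discloses the IP address even when font-src is 'self'."""
    def foreign(src):
        # Quoted keywords ('self', 'none', 'unsafe-inline', 'nonce-...') name
        # no origin and data:/blob: stay in the browser; any host, wildcard or
        # bare scheme such as https: permits an off-site fetch.
        return not src.startswith("'") and src not in ("data:", "blob:")
    return any(foreign(s) for d in ("style-src", "font-src")
               for s in effective_sources(csp, d))

# Constructed sample page: a typical theme that pulls fonts from Google.
SAMPLE_HTML = """<head>
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Open+Sans:wght@400;700&display=swap">
<link rel="stylesheet" href="/static/site.css">
</head>"""
SAMPLE_CSS = """@import url("https://fonts.googleapis.com/css?family=Roboto:400,700|Lato");
@font-face { font-family: "Brand"; src: url("/fonts/brand.woff2") format("woff2"); }
body { background: url(//cdn.example.net/bg.png); }"""

if __name__ == "__main__":
    for f in third_party_resources(SAMPLE_HTML, SAMPLE_CSS, "example.org"):
        kind = "GOOGLE FONTS" if f["google_fonts"] else "third party"
        print(f"{f['where']:12} {kind:12} {f['url']}")
    print(self_hosted_font_face("https://fonts.googleapis.com/css?family=Roboto:400,700|Lato"))
    print("CSP leaks:", leaks_to_third_parties("default-src 'self'; style-src 'self' 'unsafe-inline'"))
```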
Filed Under: data protection, fonts, gdpr, germany, ip addresses, privacy, sharing, web fonts
Comments on “German Court Fines Site Owner For Sharing User Data With Google To Access Web Fonts”
One of the many terrible things about this decision is that the website owner didn’t send the user’s IP address to Google; the user’s browser did.
The website developer wrote the script that told the browser to send the data. Just like any other data collection, the web site writes the code that causes the data to be collected, and the browser, in executing that script, sends the data.
Re: Re: Re:
You’re assuming they designed the site from scratch and knew everything it was doing, but it’s more likely the website owner didn’t know this was happening. For example, if they were using WordPress to run their site they may have had no clue that the theme they picked used Google’s web fonts. (This isn’t something mentioned in theme descriptions, as it wasn’t an issue before.) They may have only discovered it was doing that, and was a problem, after being sued. Then they manually edited the theme so it used self-hosted fonts instead.
This is incredibly common with most content management software on the web. Websites aren’t coded from scratch much anymore, even very large companies use CMS software. (WordPress in particular is everywhere, lots of newspapers use it.) This is basically a ticking time-bomb for websites throughout Germany and the EU. I’m glad I’m no longer running that blog hosting site I used to.
Re: Re: Re: Re:
It is a case of "knew or should have known". Not knowing is negligence at best, recklessness at worst.
"I didn’t know your honor", i.e. incompetence, is not a defense. It is likely a mitigation, but not a defense.
Re: Re: Re:2 Re:
""I didn’t know your honor", i.e. incompetence, is not a defense"
No, I’m pretty sure that "I didn’t know it would suddenly be illegal for a browser to send the same ID string that it has sent every time it has accessed something since the web was invented" should be a defence.
It’s impossible for this content to be accessed without the provider knowing the IP address to send it to. There’s no indication that using a 3rd party API was made illegal. So, why would a developer conclude that using the API was illegal now?
Re: Re: Re:3 Re:
They have not made accessing 3rd party APIs illegal in general. If you want to use the service without having to get user consent, the service must meet the data protection standards mandated by the GDPR. Effectively this means EU hosted services only.
Re: Re: Re:4 Re:
Where in the GDPR is it stated that an IP address is personal information that must be protected?
Re: Re: Re:5 Re:
I’ll just add to that – by this measure, then surely it’s illegal for services like Datadog, Splunk and New Relic to offer services in the EU, which doesn’t appear to be the case. A lot of businesses would probably like to have information about how they’re operating illegally by parsing their web logs.
Re: Re: Re:6 Re:
These services are offering data processing agreements. It basically says "we are taking very good care of your data", though without Privacy Shield they’re pretty worthless. It’s just that there has been no court ruling forbidding it as of yet.
You are standing on shaky grounds if you’re not processing the logs on your own premises or with third party services which offer comparable privacy expectations that the GDPR mandates.
Re: Re: Re:5 Re:
From the UK ICO:
"Personal data only includes information relating to natural persons who:
can be identified or who are identifiable, directly from the information in question; or
who can be indirectly identified from that information in combination with other information."
It’s the indirectly clause that’s the killer – in this case google could tie the address to information from other sources to derive the true personal data. Horribly messy, and not getting any easier to work with.
Re: Re: Re:6 Re:
Well, citing a UK interpretation of an EU law is obviously problematic at the best of times, and fairly irrelevant under current circumstances. Even if they mostly adhere to the same rules now, there’s plans to diverge from it and enforcement there is obviously going to be different from the EU.
But, if that’s a real interpretation then it’s even dumber than most things I’ve heard on the subject, and it’s likely to fall apart completely if it needs to be challenged. It’s simply not compatible with reality.
But, who knows at this point. On the one hand the GDPR contains many things that seem to suggest that the people who wrote it have a less than firm grasp on how certain things work in the real world and what it could even achieve in terms of protection, on the other hand even official sources have been very confused at points about what it actually says.
But, if they’re going to take a hard stance that processing a request from an IP address that might well be owned by someone with no relationship with the user is a violation of privacy, there’s many millions of businesses who need to be informed that they’re operating illegally, and that the reasons for that defy common sense.
Re: Re: Re:5 Re:
According to this post:
Re: Re: Re:6 Re:
Well that depends on whether a family or students in a shared flat are considered a person. In a fixed line system, an IP address only identifies a router that bridges the wan to lan, including the wifi network.
Re: Re: Re:7 Re:
The German courts have an answer for this and it’s called "sekundäre Darlegungslast". In a gist, the person holding the contract with the ISP will be held responsible if they can’t name the actual perpetrator of, say, copywrong infractions. See also grandma without PC.
Re: Re: Re:8 Re:
So, this confuses the issue even further. The objection to accessing 3rd party content is that the IP can be used to identify someone and is thus a violation of privacy. But, if it’s already written into law that it’s not always possible to do that and you have to blame an account owner instead of the user for wrongdoing, isn’t that proof that the user can’t be identified using the IP address, and thus a 3rd party seeing the publicly transmitted address is not violating any privacy?
Agreed that the website owner is being punished for linking and that this court’s interpretation of the GDPR is bad.
OTOH, having one’s IP address, browser footprint, etc. sent to dozens of affiliates, CDNs, ad servers and tracking companies without being provided with any understanding of how they are being used gives me the heebie jeebies too.
Re: Re: Re:
I’m conflicted on this one. On the one hand, linking should not be penalized.
On the other hand, I’ve had webfonts blocked for years precisely because they’re the ultimate tracking cookie, and there’s no legitimate reason to not host your fonts locally — it’s not like they’re going to suddenly update (if they did, that’d be a bug, not a feature).
Most website operators are totally unaware of the security implications of externally hosted webfonts. Maybe this case will help everyone become a bit more aware.
Will they now also start punishing all the sites sending our data to a bazillion ad trackers, data brokers and other spies? I’m thinking probably not.
That’s what the cookie consent labyrinths are for. This ruling goes much further in that simply referencing externally hosted resources is now considered a violation. If websites can no longer link to each other, well, then it’s not a web any more.
Re: Re: Re:
The World Wide String? Or Thread? World Wide Thread?
Re: Re: Re: Re:
More like World Wide Threat, should you dare allow Germans to access your site. A few more of these decisions, and we’ll be looking at a "euronet" with no connections to the rest of the world.
Re: Re: Re:
You can easily link to Wikipedia and allow the user to decide if they want to click on it with no risk of running afoul of the GDPR. This is not threatening the webbiness of the web.
Re: Re: Re: Re:
If you think that making it illegal for 3rd parties to know your IP address doesn’t affect things, you may be underestimating how many websites access 3rd party content – and no, not just for tracking purposes.
Re: Re: Re:
There is a difference between HTML automatically linking to another site for some resource, and the user clicking a link to some other site. The first is not under the users control, the second is.
Wow, this is a special kind of dumb.
Slashdot is a source, so of course it is, but that’s just one reason why.
Sounds in large part like a lack of understanding/experience on the part of the defendant’s attorney. They should have pointed out to the court that the web site didn’t send the IP address, nor any data in fact, to Google. The user themselves, or rather their browser, did that when informed it needed a Web font to render the page while it was configured by the user to retrieve Web fonts from where they were hosted. If the user didn’t wish to have the font host know about them they should have configured their browser to not retrieve Web fonts, in which case the browser would have used the best font it could find installed as a substitute (at a cost in appearance of the rendered page).
I think there’s better defaults than "read everything from everywhere", but it should be the case that the web site says where things need fetched from and it’s the user who’s considered responsible for the browser following those instructions. And the user should be able to tell the browser how to follow them, eg. "Fetch resources from the same domain as the web site, refuse to fetch resources from anywhere else except places I’ve explicitly white-listed.".
$100 fine vs $250/hr lawyer for 2 weeks of billed hours
Sorry, but you’re wrong. It’s the code of the website that forces the user’s browser to contact google servers, and for that under GDPR the website owner is the only one who’s responsible.
The court pointed out that, in this specific case, the website owner had a very easy alternative (hosting GoogleFonts locally) to not foul the rules of GDPR, and with that argument they denied the legitimate interest that the website owner claimed for using google Fonts via the api to google itself.
I don’t think that this decision kills all 3rd party links or CDNs – it was a specific case, and the court’s decision followed the common EU law.
OTOH: It’s not "that’s how internet or real world is designed" and that’s it. It’s just common right now but who says this situation has to last forever? There are enough solutions in web design that don’t have to use 3rd party stuff from Google, Amazon and some other Big Tech players. And there’s also the possibility to host CDNs in the EU – I can’t see the need for data crossing the atlantic just to show some Fonts on a Website in the EU. That’s silly and stupid imho.
Re: Re: Re:
"Instruct" would be a better word. While most people don’t know how to do it, it is possible to have the browser refuse to follow those instructions, thus it is not being forced to do anything.
No, it’s a small hassle if you encountered it once, but it’s a big collective hassle when you add up all the time it takes to click okay (or another option) on multiple websites throughout multiple years. There’s also a cognitive cost in scrolling a page looking for something only to realize it looks weird because the designer dimmed everything and there was a box at the top that didn’t scroll with the page asking you to consent. We’re requiring visitors to waste time and effort and mental effort because the EU couldn’t think of a better way to implement this.
I just ran into this beauty from Adobe:
When you go to the website it asks you to "Manage options" or "Enable all".
So far, pretty standard.
When you click "Manage options" though, you get the 4 kinds of cookies you can (de)select and then you have 2 options "Don’t enable" or "Enable all"…
"Confirm selection" was too straightforward? This seems to skirt dangerously close to tricking you into inadvertently allowing all cookies.
That’s what happens when you let morons dictate the internet law.
On the same logic, allowing me to connect to your website shares my IP with your hosting provider. I’ve never given my consent for my IP to be given to your hosting provider, his upstream provider etc.
Your hosting provider is not a 3rd party, that’s the difference to the case the court decided.
So maybe browsers should come with NoScript built in, on default settings, with no way to remove it. Then everyone would have to knowingly allow a domain. Then nothing is "unauthorized". "Do i want Google Fonts? Sure." Of course, it would be best if there was an API for domains to explain both their general business, and scripts/content to explain their specific use in that case. (Actually, that part wouldn’t be such a bad thing in general.)
And yeah, self-hosting and not adding scripts and services from like 50 other domains (looking at you, traditional and semi-traditional media) might not only be a way around "authorization", but also be generally better for the ecosystem.
Whatever, there must be better ways to address problems, and ways to avoid creating more problems with poorly-written laws.
Companies that track you will go to extreme measures to uniquely identify you, and then harvest as much data about you as possible. It is not unreasonable to think that Google (a well known tracker) would leverage this data about you – especially as other sources of data start to go away thanks to the GDPR.
This does not need to take us into the hell that we currently have of constantly asking if you are ok with cookies. That is what web developers have chosen to do because they do not want to give up on their tracking lifestyle. They can easily note that I do not want any tracking and never ask me again. But by asking again (and again, and again,….) they expect that the average user will break and just say "ok already". If you don’t like the harassment of "can we track you please" dialogs, stop visiting that site. Bonus points for telling them why. This is not the only way we have to satisfy the privacy concerns, in fact it is a clear indication that the site does not want to respect your privacy at all.
They can easily note that I do not want any tracking and never ask me again.
That would require that they track you, which you have just said you don’t want them to do.
It’s likely not even technically feasible for them to do anyway, short of a universal implementation of Verizon’s packet modification tracking system.
Re: Re: Re:
A cookie that is storing cookie preferences with the domain set to the main site and secure and samesite attribute, and which the site operator does not use for anything else, doesn’t track you. It sure is a hassle to set up, so some web applications have started to integrate cookie permissions into their plugin management. In the IAB ruling the other week, labyrinthian consent popups were criticized harshly. They are indeed a product of established players in the ad space seeking to keep up the status quo and they need to go. Best would be a unified consent system in the browser, that web developers can interface with. I vaguely remember a plan about this, need to dig deeper…
Re: Re: Re: Re:
It was PIMS, but it seems ham fisted at best.
That seems entirely predictable to me. Setting things up such that the computers of people browsing your website send their data to some third party is exactly what the law was meant to prevent. Google probably find out what page the person is looking at too, not just the IP address. All so the user will see a font other than their preferred font, and the site operator doesn’t have to pay to host it.
pretty sure we warned them about it, pretty sure we told them they needed to make the rules really clear…
Imagine that humans managing to repeat the exact same screwups thinking this time it will be different when they refuse to address any of the issues exposed by previous failures.
Worried about what data brokers might do?
Perhaps maybe pass laws targeting them rather than the middlemen, make it less profitable to gather & exploit the information and suddenly they are less interested in the data.
The current system does nothing but require a couple popups where people still sign their privacy away without reading, it’s not working.
Stop beating up the little guys who just want to link a set of webfonts & other cool toys out there. Pass laws controlling what the company gathering the data can & can’t get & do.
You have a shark off the coast eating swimmers on July 4 weekend… the answer isn’t to dynamite all the little fish it might eat you kill the fscking shark.
It’s not surprising at all. As far back as 2018 the writing was on the wall, as shown by this German webhoster post. It even links to a dedicated Google fonts downloader page.
Since Schrems II ruling in the CJEU striking down Privacy Shield (which replaced the struck down Safe Harbor), the consequences of GDPR cannot be ignored anymore, and the rulings are coming accordingly. I for one am cutting ties with US services on my public facing websites now.
"passed the unidentified plaintiff’s IP address to Google without authorization and without a legitimate reason for doing so"
Erm, what? An IP address is not private or confidential information, and if there’s no local cache of the fonts, exactly how do you expect a font to be sent to the user if you don’t know their IP?
I find it a bit far fetched too, but it is argued that IP address + time of connection makes it possible to request precise subscriber data from ISPs. Since the US is not considered privacy respecting enough, coercing a connection to US servers (CLOUD act making it more complicated than that) without consent is considered no good.
They expect to host it yourself or use EU hoster. It’s one more step to the Great European Firewall. See also DNS4EU.
Re: Re: Re:
"I find it a bit far fetched too, but it is argued that IP address + time of connection makes it possible to request precise subscriber data from ISPs"
That’s possible, but ISPs generally don’t give out private account information willy nilly, and doing so without a court order would likely be an actual violation of privacy laws, even in the US, from my understanding. IIRC, one of the things that the RIAA was whining about years ago was that they had to make individual subpoenas to ISPs to work out who they were suing rather than just being given carte blanche to access all their logs whenever they wanted.
I understand that having a strong case and understanding how the internet actually operates is not a prerequisite for some of these demands, but this is weak even by their normal standard. This is another case where placing the onus on a user taking action (if you’re concerned about your IP being tracked, use a VPN to protect yourself or your browser’s privacy capabilities) rather than breaking fundamental aspects of the internet (making 3rd party content effectively illegal) is the actual way forward.
Re: Re: Re: Re:
It’s more of an issue with the overreach of the US government in terms of surveillance. Intelligence services have direct lines to ISP infrastructure. FISA court has been rubber stamping every order since its inception. CLOUD act only makes the overreach worse. In US eyes, foreigners can be surveilled without limitations. Privacy Shield and its predecessors have been no deterrent.
Re: Re: Re:2 Re:
Be that as it may, you can’t directly associate an IP with a person without consulting the ISP logs, so surely if there’s a privacy issue it’s when the interaction where the ISP confirms the association takes place, not when a 3rd party has been given the information required for it to deliver a packet that’s been requested?
You could potentially make a case that collection of metadata and other types of tracking introduces a
Re: Re: Re:3 Re:
Oops, hit submit too early.
I was saying you could make a case that an individual can be identified using metadata without needing to poll the ISP; but that has nothing to do with the record request you mentioned.
Re: Re: Re:3 Re:
"Be that as it may, you can’t directly associate an IP with a person without consulting the ISP logs…"
Is that statement still true in an IPv6 world? In IPv6 it’s certainly possible to give every computer on the planet a unique IP address for the foreseeable future.
And even if DHCP is still in play, it sure hasn’t stopped a lot of people from trying to tie individuals to IP addresses, from copyright trolls to law enforcement.
Re: Re: Re:4 Re:
With IPv6 it is of course more possible to identify a specific device and therefore the individual using it, but that’s still assuming that people are directly connecting with that device and not via a router, etc. But, it still takes work to get the information to tie it to a person, and that typically requires a court order.
Copyright trolls don’t actually care about identifying a specific user, they just want to know who to name in the lawsuit, who may or may not have any relationship to the person they’re accusing of infringement.
With law enforcement, they have to do a lot more work to prove who did what if they’re trying to pin something on an individual. For example, if you’re doing something illegal from your phone via 4G then they might be able to tie you directly just by querying your provider, although even then simply identifying the device used does not necessarily translate to identifying an individual without further investigation.
But, if you’re using free wifi from outside a coffee shop nowhere near where you live while using a VPN that doesn’t store access logs, it’s going to take a lot more work to tie you to the activity. Not impossible, but the work required would seem to suggest that it’s not relevant to the things that GDPR is intended to protect against, and not without going through other legal processes that already have other types of protection.
This is a complete nightmare for any site owner nowadays. I’m just thinking about the thousands of online 3rd-party objects most systems and sites use to streamline all sorts of stuff. If this decision holds and becomes precedent there will be… a lot of innocent blood spilled.
This is going to eventually lead to a version of a porn storm, where instead of un-tasteful ads, it will be a flurry of consent declarations.
“The Wheel of Time turns, and Ages come and pass, leaving memories that become legend. Legend fades to myth, and even myth is long forgotten when the Age that gave it birth comes again.”
― Robert Jordan
A lot of the discussion here revolves around the notion of IP addresses as personal information. However, even when a user can be identified through their IP address, this misses a crucial point, namely whether this particular piece of personal information can reasonably be considered private. I contend that it cannot. In order to make any use whatsoever of the internet, one’s IP address must necessarily be shared with a number of actors other than the owner of the resource actually being requested. These might be hosting providers, DNS providers, core network operators, etc. That is simply how the internet works. Moreover, websites referencing content hosted elsewhere is and has always been commonplace. The expectation that websites be entirely self-contained is frankly absurd.
A separate issue is what someone might be able to do with your IP address. Feeding it into a larger data set to be used for ad targeting is certainly a possibility, one that doesn’t even require identification of the user/account the address belongs to. A curtailing of such activities is something most people would likely welcome.
What this court decision, in my opinion, gets horribly wrong is the attribution of blame. A website operator is being held responsible for the potentially unwanted actions of a third party with whom they had no direct interaction. After all, it was the user’s browser that initiated the connection to Google, not the defendant’s server.
This whole thing has a strong whiff of the anti-Google (or is it anti-American) sentiment that has become fashionable among self-styled privacy activists, especially in Europe. In their view, it would seem, when they can’t get to their designated Big Bad directly, the next best thing is to punish anyone who goes near it, consequences be damned. The phrase cutting off one’s nose to spite one’s face comes to mind.
Like I’ve said: As a website owner you’re responsible for the content; if it’s code that sends users’ data to a 3rd party without permission or legitimate interest, then you’re busted.
That’s what the GDPR says and imho, that’s correct. The website owner had the opportunity to host the Fonts locally, but he didn’t.
For the fine, it doesn’t matter if he didn’t know or did it knowing about the risks. It’s like you’re crossing a red traffic light and when you get a fine, you’ll argue "i didn’t know that I’m not allowed to cross a red traffic light".
I don’t understand the upcoming discussions right now. Sending personal data to a third party without permission and/or legitimate interest was already forbidden before GDPR (in Germany there’s the "Bundesdatenschutzgesetz") which pointed that out clearly.
What happens now is that some of the lousy wannabe web designers start crying because their cheap coding is no longer tolerated by law and courts. And most of the generation word press are not able to code local hosting. Everyone wants to shout out their own opinions on a blog, twitter etc. but no one wants to be responsible if something bad happens from that.
Or – with some of the other comments here: It doesn’t matter what a website contains, responsible for everything are always the users not the website owners? Seriously? Sorry, but NO – this is what some of you might want, but actually this is not the real world, so you’d better wake up.
This is the worst decision by an incompetent court ruling I have ever seen in my life. An IP address is not personal data. A person CANNOT be identified by an IP address. The person doesn’t own the IP address. An IP address is dynamic meaning that every time the WiFi router is switched off and on, it gets a different IP address. Mobiles link to different IP addresses all the time. Not allowing Google fonts on a website is ludicrous and this is going too far. Also with regards to adverts seen by you, why wouldn’t you want relevant adverts rather than adverts that are meaningless to you? You’re gonna get the adverts anyway!