A part of me cheers at the fact that a German court has ruled that #Google Fonts violate #GDPR.
There are too many websites out there that mindlessly embed in their HTML fonts in the format of URLs hosted on Google's systems.
It means that the simple act of reading a blog or a newsletter will cause your IP address (at the very least) to be logged on Google's systems, even if you didn't directly visit a website on a google.com domain.
Such a practice violates GDPR, which states that any storage of personal data points should come with the explicit consent of the person those data points belong to - and the company should also prove that it has legitimate interest in storing that piece of information.
However, this "logging IP addresses violates GDPR" thing is a dangerously slippery slope, and I'd like the EU to draw a clear line on what is tolerated and what isn't. The jurisprudence should also start take into account the concept of "relevance" and "context" of the collected data.
All web servers out there log IP addresses. As a Web admin, I have dozens of nginx and Apache instances, all diligently logging each single Web request that hits them.
The doctrine that logging IP addresses on a Web server is personal data collection that requires consent screens and legitimate interest goes against the way most of the Web has been running for the past three decades, and it requires GDPR-compliant versions of nginx, Apache, Tomcat, Django, Express and basically any Web framework out there. Plus, it greatly reduces the security of the Web - as a Web admin, if one of my sites gets targeted by a DDoS or gets breached, I need to have the minimum amount of data in my hands to identify who did it, and that includes at the very least IP addresses, requested URLs and timestamps.
That's why I think that the GDPR should be refined with the concepts of relevance and context of the collected data.
If I run my own blog and I log the IP addresses of my visitors, I usually can't do much with that information. It's like knowing that you are 32-year-old white dude with green eyes who just visited a Wallmart, without knowing anything else about you.
If however my name is Google, and besides that single Web server log trace I also happen to run a big search engine, a big Web browser, a big OS, a big cloud, a big advertisement network, a big mail server, a big video platform, a big voice assistant, a big provider of Web fonts, a big provider of mobile notifications and a big maps service, then most likely I know that, besides being a 32-year-old white dude with green eyes who just bought a Fanta at Wallmart, your name is John Doe, your favourite musician is Taylor Swift, you live with your girlfriend, you don't have kids, you've just walked out of your office and you've bought a Fanta at a Wallmart where you regularly buy a drink on your way to the gym, and I also know exactly where you drove to get there, what exercises you'll do at the gym, at what time you're back home, what show you'll watch and when you go to sleep.
Quite a big difference, isn't it? What is an isolated data point with nearly no value in the first case becomes an extra point in a business whose job is to paint the clearest picture of you in the latter.
The EU needs to draw a clear line here.
Saying that Google Fonts aren't GDPR compliant is a wise decision - one that will impact a lot of websites, but a wise decision nonethless.
But not because logging IP addresses without showing a data collection consent popup violates the GDRP.
Only because it violates it in cases like Google's - i.e. large businesses whose job is to collect as many data points as possible about you.
That's probably a sensible trade-off between defending privacy and making the Web run the way it's supposed to.
https://termageddon.com/google-fonts-violates-gdpr/
Fabio Manganiello /
npub1s9…jdnmu
2024-08-22 18:39:34
Author Public Key
npub1s9uc08n58mxqk5umvapqulwzng0sja635q86r36d8n4rr9r9ygaskjdnmuPublished at
2024-08-22 18:39:34Event JSON
{
"id": "f72b4388ab6250caff56b7d2c5ecf7eb0d3db074cc50e19551234753963ea32b",
"pubkey": "8179879e743ecc0b539b67420e7dc29a1f097751a00fa1c74d3cea319465223b",
"created_at": 1724351974,
"kind": 1,
"tags": [
[
"t",
"gdpr"
],
[
"t",
"google"
],
[
"proxy",
"https://manganiello.social/objects/995f1d97-4728-45b3-8535-329a0da8042f",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://manganiello.social/objects/995f1d97-4728-45b3-8535-329a0da8042f",
"pink.momostr"
],
[
"-"
]
],
"content": "A part of me cheers at the fact that a German court has ruled that #Google Fonts violate #GDPR.\n\nThere are too many websites out there that mindlessly embed in their HTML fonts in the format of URLs hosted on Google's systems.\n\nIt means that the simple act of reading a blog or a newsletter will cause your IP address (at the very least) to be logged on Google's systems, even if you didn't directly visit a website on a google.com domain.\n\nSuch a practice violates GDPR, which states that any storage of personal data points should come with the explicit consent of the person those data points belong to - and the company should also prove that it has legitimate interest in storing that piece of information.\n\nHowever, this \"logging IP addresses violates GDPR\" thing is a dangerously slippery slope, and I'd like the EU to draw a clear line on what is tolerated and what isn't. The jurisprudence should also start take into account the concept of \"relevance\" and \"context\" of the collected data.\n\nAll web servers out there log IP addresses. As a Web admin, I have dozens of nginx and Apache instances, all diligently logging each single Web request that hits them.\n\nThe doctrine that logging IP addresses on a Web server is personal data collection that requires consent screens and legitimate interest goes against the way most of the Web has been running for the past three decades, and it requires GDPR-compliant versions of nginx, Apache, Tomcat, Django, Express and basically any Web framework out there. Plus, it greatly reduces the security of the Web - as a Web admin, if one of my sites gets targeted by a DDoS or gets breached, I need to have the minimum amount of data in my hands to identify who did it, and that includes at the very least IP addresses, requested URLs and timestamps.\n\nThat's why I think that the GDPR should be refined with the concepts of relevance and context of the collected data.\n\nIf I run my own blog and I log the IP addresses of my visitors, I usually can't do much with that information. It's like knowing that you are 32-year-old white dude with green eyes who just visited a Wallmart, without knowing anything else about you.\n\nIf however my name is Google, and besides that single Web server log trace I also happen to run a big search engine, a big Web browser, a big OS, a big cloud, a big advertisement network, a big mail server, a big video platform, a big voice assistant, a big provider of Web fonts, a big provider of mobile notifications and a big maps service, then most likely I know that, besides being a 32-year-old white dude with green eyes who just bought a Fanta at Wallmart, your name is John Doe, your favourite musician is Taylor Swift, you live with your girlfriend, you don't have kids, you've just walked out of your office and you've bought a Fanta at a Wallmart where you regularly buy a drink on your way to the gym, and I also know exactly where you drove to get there, what exercises you'll do at the gym, at what time you're back home, what show you'll watch and when you go to sleep.\n\nQuite a big difference, isn't it? What is an isolated data point with nearly no value in the first case becomes an extra point in a business whose job is to paint the clearest picture of you in the latter.\n\nThe EU needs to draw a clear line here.\n\nSaying that Google Fonts aren't GDPR compliant is a wise decision - one that will impact a lot of websites, but a wise decision nonethless.\n\nBut not because logging IP addresses without showing a data collection consent popup violates the GDRP.\n\nOnly because it violates it in cases like Google's - i.e. large businesses whose job is to collect as many data points as possible about you.\n\nThat's probably a sensible trade-off between defending privacy and making the Web run the way it's supposed to.\n\nhttps://termageddon.com/google-fonts-violates-gdpr/",
"sig": "fe256c798f7c5b8b113ff0e2871d16c2d87fa1286ea01a2b147759e01716e5601e70f2f5cda0b6d7886290b1b645b0f0004cb240c81e790a802196651e4a9db0"
}