Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GDPR compliance #1495

Closed
asadkn opened this issue Mar 18, 2018 · 173 comments
Closed

GDPR compliance #1495

asadkn opened this issue Mar 18, 2018 · 173 comments

Comments

@asadkn
Copy link

@asadkn asadkn commented Mar 18, 2018

Notice: Official Statement by Google Fonts made April 17, 2018

Google is working hard to prepare for the EU General Data Protection Regulation (GDPR), and is committed to helping our customers and partners succeed under the GDPR. Our existing Google Fonts FAQ provides information on how Google Fonts handles data about users.

Google Fonts acts as a "data controller" for any personal data that Google processes in connection with your use of Google Fonts web and Android APIs. For any personal data you process, we encourage you to familiarize yourself with the provisions of the GDPR, and check on your compliance plans.

Also, please note that Google LLC is certified under both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and our certifications can be viewed on the Privacy Shield list.

End Of Notice. Original question by @asadkn follows


There's a lot of misinformation being spread around the EU GDPR compliance when using Google Fonts. It would be great to start this discussions here to get an official response.

I looked around at https://privacy.google.com/businesses/compliance/ but I don't see a mention of google web fonts. There are a few concerns being cited by several users on the web: (NOTE: All of these are concerns and NOT substantiated facts.)

  • you may need to ask for a consent from a visitor if Google is logging personal data
  • you're sending personal data to the processor who's not in the EU
  • Google as a processor might be performing profiling

My knowledge of GDPR law is limited and I haven't personally evaluated the concerns thrown around. However, we definitely need to address it before the rumors get out of hand.

IMPORTANT Please refrain from adding opinions that may further add to the already spread misinformation. If you do, please mention they aren't facts. I started this topic mainly to get facts from people qualified with enough knowledge of GDPR law (preferably lawyers or in contact with lawyers). 👍are welcome.

@aristath
Copy link

@aristath aristath commented Mar 19, 2018

This is also a huge concern for us... We'd definitely be interested to know how google-fonts is planning to comply.
What kind of data is currently collected & stored?
What are the plans to make the service GDPR-compliant?
Surely asking for user-consent before rendering the fonts is not a viable solution, nor is downloading the fonts locally to then embed on a site using other methods.

@maximus80
Copy link

@maximus80 maximus80 commented Mar 19, 2018

The main issue seems to be, that a direct connection between a Google Inc. server and the client (browser of a website visitor) is established, which means the user's IP address is sent to Google. This obviously happens on page load, which means there is no time for the user to explicitly consent with it before the page loads.
Does this have to be considered a privacy issue with regards to the new GDPR?
If so, any integration of Google fonts directly via Google would render websites pretty hard to use and ugly on first load.
Any insight on this, is highly appreciated.

@davelab6
Copy link
Member

@davelab6 davelab6 commented Mar 19, 2018

Please be reassured that the Google Fonts team is working on GDPR compliance.

I can also point out an older FAQ entry, https://developers.google.com/fonts/faq#what_does_using_the_google_fonts_api_mean_for_the_privacy_of_my_users

@maximus80
Copy link

@maximus80 maximus80 commented Mar 20, 2018

Thanks for the reply @davelab6!
I've seen the FAQ entry, unfortunately it doesn't really provide a full answer to the main questions above.
From your reply I take that the team is still working on GDPR compliance, so that the details are not fully hashed out. Once they are, it would be awesome if you could let us know here, so that we can implement needed adjustments on our part.
Thanks!

@dontcallmemark
Copy link

@dontcallmemark dontcallmemark commented Mar 21, 2018

I'm currently investigating this for our company. I've found this (the section on international data transfers near the bottom) which suggests full compliance to me. Is that not the case?

https://privacy.google.com/businesses/compliance/#?modal_active=none

@aristath
Copy link

@aristath aristath commented Mar 21, 2018

@limegreenmatt all it says there is that data transfers are secure. However it still doesn't say what kind of data is collected... For example collecting and processing the user's IP without the user's consent is against the GDPR. If the user does not consent then it doesn't matter how the data is collected/processed/transferred, it's still against the law.
Plus, that page is for businesses so I'm not even sure it even applies to google-fonts. There's just not enough info anywhere about what happens.

@asadkn
Copy link
Author

@asadkn asadkn commented Mar 21, 2018

Technically speaking, logging of IP address is allowed for lawful basis without consent (note consent is only one of the lawful basis). But this is best left to Google lawyers if there's a "lawful basis" on how they're processing this data but I am guessing it will be point f.

In Recital 49 for Article 6, Point [f]:

“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”

This is what we need from Google. We need them to tell us they're using the data they log in a lawful basis - we need to know how they're using the data they log. Google's general privacy policy isn't enough in this case as it isn't specific to Google fonts.

@aristath
Copy link

@aristath aristath commented Mar 21, 2018

@asadkn I agree 100% with that... though lawful basis in the context of that excerpt basically means things like logging the IP address in an access log for a limited period of time in order to prevent and diagnose attacks, or as part of an authorization to enter my account.
However in the context of google fonts, the accumulation of IPs which are then processed for statistical purposes can only be considered legal if the IPs are partially anonymized.
If the IPs are not anonymized (usually by replacing their last part with a 0 digit) then there is no legal basis for collecting them.

@dontcallmemark
Copy link

@dontcallmemark dontcallmemark commented Mar 22, 2018

@davelab6 can you give us any kind of timeline as to when we can expect an update and/or resolution of this? As we provide our customers with access to Google Fonts as part of our WordPress themes, it's important for us to understand whether our customers are going to be impacted by this, and if we need to take any remedial action. Appreciate any insight you can give.

@david-uc
Copy link

@david-uc david-uc commented Mar 26, 2018

any updates yet?

@zartgesotten
Copy link

@zartgesotten zartgesotten commented Mar 27, 2018

Also waiting for info on this. I don't want to self-host fonts for about 70 sites I'm managing.... PLEASE, Google, help us poor Europeans!!!

@fritzmg
Copy link

@fritzmg fritzmg commented Mar 30, 2018

@clickwork-git those FAQ do not mention the GDPR at all. It does mention something about tracking though:

Google Fonts logs records of the CSS and the font file requests, and access to this data is kept secure. Aggregate usage numbers track how popular font families are, and are published on our analytics page. We use data from Google’s web crawler to detect which websites use Google fonts. This data is published and accessible in the Google Fonts BigQuery database. To learn more about the information Google collects and how it is used and secured, see Google's Privacy Policy.

@aristath
Copy link

@aristath aristath commented Mar 30, 2018

@clickwork-git according to numerous court decisions in the EU, an IP is considered identifiable user-data and should not be collected without the user's consent.
The only thing related to the GDPR on that page is this:

Google Fonts logs records of the CSS and the font file requests, and access to this data is kept secure.

No matter how secure the storage of such data is, the point of the law is that no data should be collected without the user's explicit consent. Data collecting is no longer opt-out, it's opt-in. So if the IPs collected by Google are not partially anonymized for example by replacing the last part of the IP with a 0, then we can't use Google fonts.
It's not panic, it's a legitimate request for information about what kind of Data Google collects from visitors to our own sites - or our client sites. Google's mantra may be "don't be evil", but at the same time it is a company that has based its whole business on data collecting.
We need to know what happens so that we know how to proceed. And we need to know now so that we can take the appropriate measures and implement whatever we need to implement. If a response comes from Google 2 days before the GDPR goes officially in effect, then we don't have time to do what needs to be done.
The alternative for us would of course be to start implementing everything: opt-in for fonts, automate locally downloading fonts on client sites to use them from there without pinging google's servers and so on. But that's just a huge waste of resources for hundreds of companies like ours, that can be avoided if we just have an answer of what happens now and what will happen after May.

@asadkn
Copy link
Author

@asadkn asadkn commented Mar 30, 2018

the point of the law is that no data should be collected without the user's explicit consent

IMHO, we should refrain from issuing this statement - there's enough FUD over the internet already. This statement is only partially true as I referred earlier to the other lawful basis. It gives the impression to novices that there won't be any basis of compliance at all, creating further panic. And since none of us are lawyers here, it'd best to not discuss it anyways. All we know is we need is an official reply from Google.

I agree with the urgency here. There are only 2 months left before this goes into effect. The least we need is an assurance there will be GDPR compliance.

To re-iterate, Google hasn't specified their privacy policy for Google Fonts on how they're using the data they log or if there's a lawful basis for it. We need this moving forward. Frankly, it doesn't really matter to us what legal basis their lawyers come up with, as long as they confirm GDPR compliance.

@kevingrabher
Copy link

@kevingrabher kevingrabher commented Apr 3, 2018

The FAQs do state

"The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently."

While that does leave a lot of room for speculation it does suggest compliance since it states that no data is recorded that is not needed for delivering the font (and I wouldn't see a reason for the IP being recorded to deliver the font..)

@maximus80
Copy link

@maximus80 maximus80 commented Apr 3, 2018

The problem is, you have to be very certain about this, so speculation or the assumption of something doesn't really help here. As the fines are high, and statements like "I assumed our customers have their privacy ensured" won't be a viable excuse. That is where I see the biggest problem. Explicit and dedicated information is needed here.

@githubhero
Copy link

@githubhero githubhero commented Apr 9, 2018

I have a basic Wordpress website where the font is loaded this way:

<link rel='stylesheet' id='options_typography_Abel-css' href='https://fonts.googleapis.com/css?family=Abel' type='text/css' media='all' />

By doing so, I'm communicating to Google the IP of the user.

What if I substitute this direct call with a call done using PHP+curl (or other APIs to get data from a server) from the website server? This way Google would only get the IP of my server, not the users'.

Something like this:

<link rel='stylesheet' id='options_typography_Abel-css' href='proxy.php' type='text/css' media='all' />

From proxy.php, I call Google server and I return the CSS to the client.

@psinger
Copy link

@psinger psinger commented Apr 11, 2018

Host the fonts locally, and the problem is gone.

@aristath
Copy link

@aristath aristath commented Apr 11, 2018

Host the fonts locally, and the problem is gone.

Not practical if what you're building is a WordPress theme for example - in which case users on their sites use whatever font they wish

@githubhero
Copy link

@githubhero githubhero commented Apr 11, 2018

@psinger You loose the benefits of the CDN (mainly performance), but of course another option is storing fonts locally (this is ok for the fonts, but non every single resource a website can link, anyway)

@psinger
Copy link

@psinger psinger commented Apr 11, 2018

I agree, it's certainly not as convenient, but it is an option. If you develop a wordpress theme, just add an option to disable google fonts for the user of the theme. I am actually struggling currently with disabling google fonts in several wordpress themes / plugins, mostly it is not even possible.

@maximus80
Copy link

@maximus80 maximus80 commented Apr 12, 2018

Well, the main purpose of Google fonts is, that they actually get used on websites. So, it is in the best interest of Google to do everything to make sure it will be possible in the future. Disabling them on a site or in a theme, or adding them locally, is only a work around, which might be ok for a single site, but not for WP themes with a larger user base. And it kinda also defeats the purpose of what Google offers.

@githubhero
Copy link

@githubhero githubhero commented Apr 12, 2018

Maybe we're going a little bit OT:

IMPORTANT Please refrain from adding opinions that may further add to the already spread misinformation. If you do, please mention they aren't facts. I started this topic mainly to get facts from people qualified with enough knowledge of GDPR law (preferably lawyers or in contact with lawyers). 👍are welcome.

@mikka23
Copy link

@mikka23 mikka23 commented Apr 13, 2018

@clickwork-git what an insightful post, thank you for sharing. It is much appreciated.

@dontcallmemark
Copy link

@dontcallmemark dontcallmemark commented Apr 17, 2018

@davelab6 @m4rc1e when are we going to get an official response on this?

@davelab6
Copy link
Member

@davelab6 davelab6 commented Apr 17, 2018

Here's an official statement:

Google is working hard to prepare for the EU General Data Protection Regulation (GDPR), and is committed to helping our customers and partners succeed under the GDPR. Our existing Google Fonts FAQ provides information on how Google Fonts handles data about users.

@aristath
Copy link

@aristath aristath commented Apr 17, 2018

@davelab6 we appreciate you taking the time to respond. However, please try to understand how this whole situation appears to everyone who doesn't work at Google, doesn't have any knowledge of how the company operates or what is going on behind a veil of complete silence.

Google is working hard to prepare for the EU General Data Protection Regulation (GDPR), and is committed to helping our customers and partners succeed under the GDPR

From our point of view it doesn't seem that Google is doing anything. There is no official announcement, no update, nothing. GDPR goes in effect in 37 days, which leaves 28 work days for all companies to implement whatever needs to be implemented.
Google-Fonts is an amazing service and none of us want to believe that something like not being 100% compliant with GDPR can even happen to it. But we can't be 100% certain, and without an official announcement from Google, we have been forced to start implementing all kinds of crazy stuff - just in case Google doesn't say anything before the deadline and we have to be covered.

Our existing Google Fonts FAQ provides information on how Google Fonts handles data about users.

The problem we have is that no, there is not enough info on the FAQ page. If there was enough info on that page nobody would be asking for more info.
Here's what that page is telling us:

  • Requests are cookie-less
  • Fonts get cached
  • Google Fonts logs records of the CSS and the font file requests.

What that page is not telling us and is of concern for GDPR is this:

  • What data is contained in the font-file requests that get logged?
  • For how long is that data kept?
  • For what purpose is that data collected?

Without specific information we can't know if we need to ask for user consent, download the fonts server-side and not use the Google CDN, or just ignore everything and assume it's going to be alright. Which of course can't happen... we can't just assume that Google will be compliant in time.

I am sorry if this whole discussion seems a bit like over-reacting... We all have better things to do than post in this repository asking for info and discussing. But we've all come to depend on Google Fonts one way or the other and we don't have a lot of time left to do what needs to be done.

SISheogorath added a commit to SISheogorath/shields that referenced this issue Apr 3, 2020
This patch used `google-font-downloader`[1] to generate a fonts directory
that contains the used Google fonts for shields.io. There are bunch of
reasons for vendoring fonts in, but the first and most important one is
privacy.[2] Another is performance.[3] And the third one is reducing
external dependencies. Keeping those small helps to prevent unexpected
breaking of web interfaces just due to changes or failure of an external
service provider.

[1]: https://github.com/Bloggify/google-font-downloader
[2]: google/fonts#1495
[3]: https://csswizardry.com/2019/05/self-host-your-static-assets/
SISheogorath added a commit to SISheogorath/shields that referenced this issue Apr 3, 2020
This patch used `google-font-downloader`[1] to generate a fonts directory
that contains the used Google fonts for shields.io. There are bunch of
reasons for vendoring fonts in, but the first and most important one is
privacy.[2] Another is performance.[3] And the third one is reducing
external dependencies. Keeping those small helps to prevent unexpected
breaking of web interfaces just due to changes or failure of an external
service provider.

[1]: https://github.com/Bloggify/google-font-downloader
[2]: google/fonts#1495
[3]: https://csswizardry.com/2019/05/self-host-your-static-assets/
SISheogorath added a commit to SISheogorath/shields that referenced this issue Apr 3, 2020
This patch used `google-font-downloader`[1] to generate a fonts directory
that contains the used Google fonts for shields.io. There are bunch of
reasons for vendoring fonts in, but the first and most important one is
privacy.[2] Another is performance.[3] And the third one is reducing
external dependencies. Keeping those small helps to prevent unexpected
breaking of web interfaces just due to changes or failure of an external
service provider.

[1]: https://github.com/Bloggify/google-font-downloader
[2]: google/fonts#1495
[3]: https://csswizardry.com/2019/05/self-host-your-static-assets/
@adamreisnz
Copy link

@adamreisnz adamreisnz commented Jun 14, 2020

Does anyone know if there have been any meaningful updates since end of 2018 in regards to this issue?

@aristath
Copy link

@aristath aristath commented Jun 15, 2020

Nope, nothing meaningful.
Google is just as vague now as it was back then, so we were just forced to stop using it, or in the rare occasion where we do use it, we automate downloading the site-owner-selected fonts locally so visitors don't use the Google CDN.

@clickwork-git
Copy link

@clickwork-git clickwork-git commented Jun 15, 2020

Nobody is forced to stop using it. You can declare the use in the privacy policy as the use of other tools.

There is still no legal case. And the question is rather if the GDPR is meaningfull. Two years and still collecting of data as ever.

@aristath
Copy link

@aristath aristath commented Jun 15, 2020

You can declare the use in the privacy policy as the use of other tools

informing users is not the same as allowing users to choose if they want to or not. Informing them without asking permission is not OK. So yes, we are forced to stop using because we cannot - in good conscience - allow any company to collect our users data without their explicit consent.

There is still no legal case

That's only because as an individual none of us has the resources to go against a giant.

And the question is rather if the GDPR is meaningfull. Two years and still collecting of data as ever.

That's only because some developers keep using services that violate their users' trust. The GDPR is 100% meaningful... IF you actually follow it. Otherwise you just have users like me who blacklist gfonts, analytics and others browser-side

@miclf
Copy link

@miclf miclf commented Jun 15, 2020

And the question is rather if the GDPR is meaningfull. Two years and still collecting of data as ever.

Using a lack of enforcement (of the law) as an argument to question the relevance of that law seems to be quite a questionable way of framing the issue. Especially when considering that, according to the separation of powers (which is still supposed to be a very central principle of democratic countries), the people writing the laws and the people doing the enforcement are supposed to be entirely different groups.

Traffic code is mostly not enforced in my city. Does that mean it’s OK for someone to pretend these rules do no exist, and then start to explicitly threaten or injure pedestrians/cyclists/motorcyclists with his shiny new car? I don’t think so.

I think @aristath is right. As long as you cannot ensure a service respects both the law and the trust of people, the best (and safest) thing to do is not to use it as all.

@garretthyder
Copy link

@garretthyder garretthyder commented Jun 15, 2020

Yes, @aristath's point on consent is very valid with any service collecting user information. Simply listing the tool doesn't suffice unless you have a site consent mechanism which takes the user through that policy to get their consent for sharing their data with that service.

Aside from abandoning the service, which is simplest, I've seen developers host the fonts locally to ensure there's no data sharing via the CDN or have a fallback webfont loaded that's replaced with gfont upon user consent via their consent mechanism (often a cookie popup).

@adamreisnz
Copy link

@adamreisnz adamreisnz commented Jun 15, 2020

Aside from abandoning the service, which is simplest, I've seen developers host the fonts locally to ensure there's no data sharing via the CDN or have a fallback webfont loaded that's replaced with gfont upon user consent via their consent mechanism (often a cookie popup).

I was wondering about this when I read through this thread. By fallback font would you just use on of the standard "every computer has them" fonts like Arial or Helvetica, and then load the gfont if the user gives consent? Because it seemed redundant to serve a local copy of the gfont only to replace it with the CDN version afterwards. Might as well just serve locally then.

@garretthyder
Copy link

@garretthyder garretthyder commented Jun 15, 2020

I was wondering about this when I read through this thread. By fallback font would you just use on of the standard "every computer has them" fonts like Arial or Helvetica, and then load the gfont if the user gives consent? Because it seemed redundant to serve a local copy of the gfont only to replace it with the CDN version afterwards. Might as well just serve locally then.

Yes exactly, you would use a web safe font that's similar enough to your gfont that upon consent the change isn't overly drastic.

@jasperf
Copy link

@jasperf jasperf commented Oct 15, 2020

Amazed there has been no updates on this EU GDPR compliance issue of Google Fonts since this thread started in March 2018. Partly anonymizing ip addresses and indicating in a statement or FAQ, including storage duration and what else is gathered that does not violate privacy, would solve the issue and should not be that big of a deal you would think.

Using a fallback font to show until consent is given spoils the whole looks of a website for which a specific Google Font or fonts were chosen. Better then to work with Google Fonts locally using Font Source or Google Web Font Helper.

@tbeloc
Copy link

@tbeloc tbeloc commented Jan 9, 2021

The CDN must not be used, iIt must be used locally.

The use of the CDN, puts you in violation of the GDPR.

On July 16, 2020, the EU Court of Justice (CJEU) ruled that protections provided by the EU-US Privacy Shield were invalid and that US law cannot adequately ensure protection of personal data of those in the European Economic Area (EEA).  Prior to this decision, the EU-US Privacy Shield was likely the most commonly used mechanism for US companies to lawfully receive, process, store and transfer personal information of people in the EEA.  The ruling was largely based on the finding that the US government does not limit surveillance of foreigners to that which is strictly necessary, and that US laws lack appropriate remedies for those in the EEA.

@teezeh
Copy link

@teezeh teezeh commented Jan 9, 2021

The CDN must not be used, iIt must be used locally.

The use of the CDN, puts you in violation of the GDPR.

I respectfully disagree. The EU-US Privacy Shield governed the transfer of PII to from Europe to the US. When using Google Fonts via the API, no PII is being transferred. “Use of Google Fonts is unauthenticated. No cookies are sent by website visitors to the Google Fonts API. Requests to the Google Fonts API are made to resource-specific domains, such as fonts.googleapis.com or fonts.gstatic.com” (Source: https://developers.google.com/fonts/faq?hl=en).

@tbeloc
Copy link

@tbeloc tbeloc commented Jan 9, 2021

The CDN must not be used, iIt must be used locally.
The use of the CDN, puts you in violation of the GDPR.

I respectfully disagree. The EU-US Privacy Shield governed the transfer of PII to from Europe to the US. When using Google Fonts via the API, no PII is being transferred. “Use of Google Fonts is unauthenticated. No cookies are sent by website visitors to the Google Fonts API. Requests to the Google Fonts API are made to resource-specific domains, such as fonts.googleapis.com or fonts.gstatic.com” (Source: https://developers.google.com/fonts/faq?hl=en).

Before 16/07/2020,

When the visitor of, for example fonts.com, has not yet cached the required fonts to display the page correctly a request to Google’s server will be made to acquire the correct assets and files to store in the browser and load the Google Fonts required.

And this is where it get’s tricky; does the API request send anything that relates to personal data, according to the GDPR? What questions should we ask to see if we need to take action?

The personal data that is stored is at least an IP-address from the website visitor. And yes, this is personal data according to the GDPR, as it is an unique personal identifier.

As the website owner who implemented the Google API: Do you need to ask permission or consent from the website visitor before the request to the Google server is made?

This vague statement suggests storage of personal data (IP Address) after the request has been made, whether it is limited or not. So consent is required! This means the website cannot load Google Fonts from the Google servers without getting consent first: the website needs to block Google Fonts, then request consent, and finally, after consent is given, load the fonts.

After 16/07/2020,

Case-law

Even with consent, it's no longer legal.

@adamreisnz
Copy link

@adamreisnz adamreisnz commented Feb 12, 2021

To be honest, this whole discussion is a bit ridiculous. IP addresses are needed to transfer files effectively between computers and to view webpages. If you use the internet, you are going to expose your IP address to at least some services, with or without your consent – it's as simple as that.

Google Fonts is not the only service that will be storing your IP address when you visit a website. An average website or app will be loading anywhere between 5-20 external resources or scripts which are often all needed for the webpage to function as intended and to make the life of the visitor easier. It's not practical to go back to the stone ages and move all of these services to be fully self hosted again, avoiding all CDNs and external services.

And even with self hosting you have no control over what nodes or proxies a request from browser A to server B travels through. Along the way, no doubt countless of logs will be generated on various systems and computers capturing the IP address and other details about the request. This is unavoidable. It's literally impossible to serve a webpage to a visitor without transmitting the IP address of the visitor to a single external service before they give consent.

Treating IP addresses as private data seems inherently flawed, at least within the framework of how the internet currently works. What would be more practical and sensible instead of avoiding IP addresses are sent to 3rd party services, is ensuring that those IP addresses cannot be linked to other personal data of the visitor. That way it becomes nothing more than a random number which cannot be tracked back to a specific person.

@ocdtrekkie
Copy link

@ocdtrekkie ocdtrekkie commented Feb 12, 2021

@adamreisnz Your attitude is very dismissive and defeatist. "Privacy is hard, so we just should not do it." Bear in mind, any benefits to CDNs have been fully rendered irrelevant by browser security measures. Not only is Google Fonts embedding an actively hostile party into a website, it doesn't even serve any benefit to the website owner to do so. It is arguable that Google Fonts should not exist, except as a convenient portal to download and preview fonts. There's nothing "stone age" about fully self-hosting: It's what everyone should be doing, especially if they care about their users or their privacy. If I were looking for services like yours, I would be very concerned that the founder has an attitude such as yours.

And frankly, the point of this thread is legal compliance, and IP addresses are, in fact, considered private data by GDPR. So you might want to check your legal exposure. Many lawsuits have been filed on the basis that an IP can be reasonably mapped to a user or household, so your opinion that it shouldn't be... isn't going to help you much.

@adamreisnz
Copy link

@adamreisnz adamreisnz commented Feb 12, 2021

I disagree with your interpretation of my statement. I am very pro privacy and we are doing our very best to ensure that our users privacy is respected and that all relevant regulations are followed. The very fact that I have been following this discussion here for the past years should reflect that I care about these issues.

I am merely expressing the opinion that there are limits, and that it seems that with this particular rule, regulation crosses over from practical and helpful to simply detached from reality and quite frankly outside of the realm of technical possibility.

Can you explain to me how you can ensure that the IP address of a visitor to your website is not shared with any other 3rd party whatsoever without their prior consent?

This cannot be accomplished with our current technology, unless you hand them a USB stick with your website on it.

Maybe regulatory efforts should be aimed at ISP's instead, ensuring that IP addresses are randomised and not traceable to specific devices or households.

it doesn't even serve any benefit to the website owner to do so

You're right, I love having to update our static asset files every time a new version of the Material icons font comes out with new icons, and converting TTF files to WOFF and WOFF2. No benefit to having this conveniently hosted and maintained by a 3rd party at all.

@ocdtrekkie
Copy link

@ocdtrekkie ocdtrekkie commented Feb 12, 2021

@adamreisnz You aren't doing your very best if you're making an unnecessary callout to an adtech company just to save yourself having to update a font.

Can you explain to me how you can ensure that the IP address of a visitor to your website is not shared with any other 3rd party whatsoever without their prior consent?

This is what I mean by defeatist. No, you can't avoid talking out to any third party whatsoever, but you should be doing your best to minimize it.

And in the case here, failing to do so may make your service fail to be GDPR compliant, as Google has failed to address this issue over the past three years.

@adamreisnz
Copy link

@adamreisnz adamreisnz commented Feb 12, 2021

Yes, and that is the reason why we are moving to self hosted Google Fonts. But I can still express frustration and annoyance about it and the fact that in the end, it's pointless as anyone's IP address will end up in a plethora of logs and databases regardless. There's nothing defeatist about that, it's just reality.

@ceejayoz
Copy link

@ceejayoz ceejayoz commented Feb 13, 2021

@adamreisnz

Can you explain to me how you can ensure that the IP address of a visitor to your website is not shared with any other 3rd party whatsoever without their prior consent?

I cannot guarantee no one will murder my customers, but I can still not be the one to do it. The same is true for their privacy.

@horninc
Copy link

@horninc horninc commented Feb 13, 2021

@miclf
Copy link

@miclf miclf commented Feb 13, 2021

It is one thing to say that any person’s IP will be exposed when using the Web (well, except in the many different scenarios where they could use Tor, a VPN, etc.).

It is another thing to consider that, given that, it’s OK to use any ‘service’ that is actively recording those IP addresses (and, in Google’s case, even mining them like precious gold).

I used to tell lawmakers a lot that, from a technical perspective, the Web works in a very different way than what they think of when creating rules. As a result, some specifics of those rules might look quite bizarre or hard to implement.
Nevertheless, when Lawrence Lessig wrote Code is Law more than twenty years ago, he didn’t mean that actual rules made by human should surrender to the (current) technical aspects of the (current) state of the world. Quite the opposite.

Human-made laws are about goals and objectives, not specific details. And it is a matter of deciding what kind of world we want to live in. Technical aspects then might have to be adapted or reshaped in some cases.

The goal of the GDPR is to protect people’s privacy (and also try to hinder spying crimes committed by the USA against the rest of the planet, but that’s another story). That’s the objective to keep in mind, that is the goal. It is a matter of not considering that, since IPs are exposed by default, it is OK to use whatever third party we like. Google is actively and knowingly violating the law, and fully intends to continue doing so, so I think it is both our legal and professional duty not to use their ‘services’ (Google Fonts in this case, but this applies to others as well) and to even strongly discourage other developers from using them as well, in order to protect both their users and their company.

@aristath
Copy link

@aristath aristath commented Feb 13, 2021

Google Fonts is not the only service that will be storing your IP address when you visit a website.

The fact that many people are doing something wrong doesn't mean it's the right thing to do.

An average website or app will be loading anywhere between 5-20 external resources or scripts which are often all needed for the webpage to function as intended and to make the life of the visitor easier

Not entirely true... It makes the web developer's life easier, not the user's. No web page "needs" to load resources from 3rd-party websites. Doing it saves time to developers and is a convenience, but comes at a cost and that cost is transfered to users by exposing their data to companies they have not agreed to share their data with.

The fact that we've been using the web wrong for a decade is no excuse to keep perpetuating the same bad practices. A few years ago it was a matter of ethics, now it's a matter of law.

@adamreisnz
Copy link

@adamreisnz adamreisnz commented Feb 14, 2021

Thanks for your constructive comments @aristath @miclf @horninc

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet