Okay, so: a German court decided on Jan. 20th 2022 that sites will need to host Google fonts locally.
Visitors are otherwise entitled to receive 100€ in compensation for Google fonts transferring IP numbers to Google servers.
Google uses fonts to track users, especially if they are logged into only one other server, where stored personal data might identify them.
Court decision text in German (Landgericht München)
A hundred for looking at superfluous fonts while Kuckl looks over my shoulder?
Hmm. I can manage, say, 1 useless website per minute, then the paperwork... hmmm...
@wuffel That's exactly what I thought too. But in "real life" you probably have to warn website operators first, then give them time to react, and only then can you ask for the money. Annoyingly, the whole thing smells like excess business for cease-and-desist lawyers, not a nice side effect.
@wuffel In any case, warm regards to Grochnargh and also to his sister Grochnarghlö! I heard she even outdoes her brother when it comes to going after money-grabbers ;)🔪
@sl007 Sweet, but I do this by hand, need no (more) app for that :) Google Fonts lets one download, the rest is FTP and CSS. Super quick, no problem.
One important point in this court decision is that there had been no consent of the website visitor that his IP address might be transferred.
While I agree that the better options are to not use remote fonts at all or at least to store them on one's own server (1st party), another option would be just to get the visitor to agree that his IP address will be transferred, before it is.
Actually, the court decision does not mention anything about storing fonts locally.
@Porfirio See image for the paragraph about local hosting, from the link I posted, paragraph 8 there.
Also, ergonomically, any more pop-up dialogue boxes & consent declarations are widely _unappreciated_ ;)
It takes me max. five minutes to host any fonts (even Google fonts) locally.
Nothing speaks against that.
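A check for the local-hosting step discussed in this thread, as an added example that is not part of any post: it lists every reference to the Google Fonts hosts (fonts.googleapis.com and fonts.gstatic.com) still present in a page's HTML or inline CSS. The sample pages and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}  # Google Fonts CSS + files
# url(...) and @import "..." references inside CSS text
CSS_REF = re.compile(r"""url\(\s*['"]?([^'")\s]+)|@import\s+['"]([^'"]+)""", re.I)

def is_font_host(ref):
    # Protocol-relative URLs (//host/path) get a scheme so urlparse sees the host.
    return urlparse("https:" + ref if ref.startswith("//") else ref).hostname in FONT_HOSTS

def css_refs(css):
    """Remote Google Fonts URLs referenced from a CSS string."""
    return [r for r in (a or b for a, b in CSS_REF.findall(css)) if is_font_host(r)]

class Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits, self.in_style = [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_style = tag == "style"
        for name in ("href", "src"):  # <link> stylesheets and preconnect hints
            if a.get(name) and is_font_host(a[name]):
                self.hits.append(a[name])
        self.hits += css_refs(a.get("style") or "")  # inline style attributes

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        if self.in_style:  # text inside a <style> element
            self.hits += css_refs(data)

def html_refs(html):
    """Every Google Fonts URL a browser would contact when rendering this HTML."""
    s = Scanner()
    s.feed(html)
    return s.hits

# Constructed sample pages: before and after moving the fonts to the site's own server.
BEFORE = """<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="//fonts.googleapis.com/css2?family=Roboto">
<style>@import url('https://fonts.googleapis.com/css?family=Lato');
@font-face{font-family:X;src:url(https://fonts.gstatic.com/s/x/v1/x.woff2)}</style>"""
AFTER = """<link rel="stylesheet" href="/css/fonts.css">
<style>@font-face{font-family:X;src:url(/fonts/x.woff2) format("woff2")}</style>"""

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER)):
        print(label, html_refs(page))
```

External stylesheets are not fetched here; pass their text to `css_refs` to cover `@import` and `@font-face` rules that live outside the HTML.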
Thanks! In so far I stand corrected. There is a mention of hosting the fonts locally.
But as I pointed out there is also the other "option" of asking for consent. And yes, I am glad that all this "give us your consent to f*ck your rights"-shit is quite unpopular.
> another option would be just to get the visitor to agree that his IP address will be transferred, before it is.
No, that is not really "another option", you don't "get the user to" do whatever suits you.
The GDPR requires you to ask for their consent and comply with their choices. Not to "get them to accept so you can do whatever you like".
It means asking for consent without trying to influence their answers, or @jayrope - 1/3
blackmail them in the typical “You either accept or you can't use the site because the code is written in a way that you'll be tracked anyway, if you" manner.
If you ask for consent ONLY to avoid probably less than 5 min of "work" to put fonts locally, then you're basically giving users the choice to either accept Google's (or whoever's) tracking or go fuck off. That is NOT legal. To be valid, the consent should be informed, unambiguous, @Porfirio @jayrope - 2/3
@jayrope nice. A good practice I am following since becoming a part of the WirSpeichernNicht movement. If I'm not doing logs why would I give someone else the opportunity?
@SolSoCoG I'm completely with you. The mere fact that Google services (I'd have to check again where I got the number from) are supposedly able to follow 80% of all website visitors on the planet seems reason enough to switch these services off in one's own work, or to replace them with local or Google-independent services.
Is this real? We are not at a browser.
We boosted but the CloudFlare alarm went off so we had to unboost, thanks for understanding.
🔔 CloudFlared Domain:
🙆 An alternate link:
@mario Gladly, that helps everyone. Downloading Google Fonts and hosting them locally is also very easy. In the end it looks exactly the same, but without any connection to the outside.
@jayrope never understood why people wouldn't just do that
five minutes of work, and your cookie consent looks much shorter
@meena Totally agreed. Consciousness of web devs today towards what they do to the visitors of sites they admin is yet minimal. To me that is just sloppy - and there are zillions of examples for this lack of work ethics...
@meena Oh, pardon me, getting it. Yes, burger menu was a bit of a CSS-only problem here - but I've managed:
@meena And to be more specifically answering: A cookie consent isn't even necessary, if you don't have any cookies happening. On a wider note Google fonts don't use any cookies. They are part of Google's (and others') future tracking universe, which doesn't need any cookies. It needs users to be logged into sites, while the fonts just track their IP number elsewhere. You match these two things and you have a personalized connection. So we all should remember to log out of sites we don't use right now.
@kuba Same as fakebook with a 1-pixel beacon. The power of big data and a good algorithm. So they have hits from time to time from person X on different sites because of that pixel or fonts, but somewhere on a server records now exist. At some point the person will open a site where they are logged in, so now ALL these records have a name on them. I'll admit, just recording an IP with a request for a font/beacon is not so powerful as tracking, but this is not the only thing to fingerprint someone. @meena @jayrope
@meena @kuba @jayrope They discovered these simple tricks in the mid 2000s, and it's largely how Google got to be what it is now. Data mining the logs.
For a long time naive techies also gave them cover, with the mantra of "I trust Google with X". Sponsorship has also helped to ensure that nobody gives a tech talk about this. But I notice that the EU is now starting to get interested in self-hosted fonts, and so the classic grift might not be able to continue much longer.
Don't get me wrong, I hate Google with a passion and always self-host my fonts. I've tried reporting sites for using Google Fonts and it rarely worked, I just want to know what exact angle can be used for it to trigger a fine
@kuba @fabiscafe @meena The angle is that Google cross-references, in real time, collected IP numbers, browser types and access times from access logs, data that is generated by numerous websites accessing Google fonts. Why collecting metadata leads to personalized tracking is shown by David Kriesel in this #33c3 speech https://media.ccc.de/v/33c3-7912-spiegelmining_reverse_engineering_von_spiegel-online#l=deu&t=23
@kuba and an IP address. That's something you push to a server just by connecting directly. So by this + your browser's identity string you can pretty much create a profile that is trackable across sites. If you then also have access to something like cookies or abuse cache data, geolocations and whatsoever, you can also track users across IP changes.
@kuba Oh, I see your point now. But Google already knows that site Y used their "free" fonts. They want information that some particular person has visited this site, and if you open the site in one tab and Google search/email/other in another tab, that gives them 99,9% assurance that that person was you, now they can add more info about you into a huge database, to sort you into categories and then sell data to literally anyone interested. @fabiscafe @meena @jayrope
@tommy @jakob @BollerwagenPicard Either, or. But for technical reasons alone I personally prefer local hosting. It is faster, more sparing with data, and I don't have to keep wondering whether the text of a disclaimer - unless it is changed automatically via script by an external drafter, naturally again in exchange for new logfiles of my visitors - matches current case law. Less seems to be clearly more here.
@tommy @jakob @BollerwagenPicard And to add to that, my post was probably aimed more at coders. But WordPress operators who are not code-aware still don't know what to do. It would have to become clearer to them that running a website also means taking on technical responsibility towards one's own visitors. Some of the comments, however, say something quite different: that's annoying, when in doubt just geoblock DE sites ;) But content-wise this is not our loss.
@jayrope @tommy @jakob Well, it's not DE sites that get geoblocked, but DE users. Here is another example of how quickly that happens https://www.borncity.com/blog/2018/03/03/project-gutenberg-blockt-alle-deutschen-nutzer/