Okay, so: German court decided on Jan. 20th 2022 that sites will need to host Google fonts locally.

Visitors are otherwise entitled to receive 100€ in recompensation for Google fonts transferring IP numbers to Google servers.
Google uses fonts to track users, especially if they are logged into only one other server, where stored personal data might identify them.

Court decision text in German (Landgericht München)

N Hunni dafür, dass ich mir überflüssige Schriften anguck und Kuckl mir dabei über die Schulter guckt?
Hmm. Ich schaff, say, 1 nutzlose Webseite pro Minute, dann der Schreibkram..hmmm...

@wuffel Genau so dachte ich mir das auch. Doch im "echten Lebn" muß man Websitenbetreiber wahrscheinlich erst verwarnen, ihnen dann Zeit zum Reagieren geben und dann erst kann man nach Moneten fragen. Blöderweise riecht das Ganze nach Überbusiness für Abmahnanwälte, kein schöner Nebeneffekt.

Darauf wird es rauslaufen.
Aber das sind meine extraspeziellen Freunde. *Zur Vitrine mit dem #Trollhammer des sagenumwobenen Zwergenkönigs Grochnargh

@wuffel Auf jeden Fall einen herzlichen Gruß an Grochnargh und auch die Schwester Grochnarghlö! Ich hörte, daß sie ihren Bruder noch übertrifft, wenn es gegen monetäre Absahner geht ;)🔪

Ging...die beiden sind ja seit der Urmutter Zeiten vor 4000 Jahren tot.

@jayrope @wuffel

Es ist aber nun auch kein Hexenwerk ein paar Schriftarten selbst zu hosten.
Das gilt auch für viele andere Dinge wie z.B. JavaScript-Frameworks.

Bei großen Datenmengen (z.B. Videos) kann ich das ja noch nachvollziehen, die kosten ja nicht nur Speicher, sondern auch Traffic.

@sl007 Sweet, but i do this hand, need no (more) app for that :) Google fonts let's one download, the rest is ftp and css. Super quick, no problem.

@sl007 Same here, no need for helpers from elsewhere here, too.


One important point in this court decision is that there had been no consent of the website visitor that his IP address might be transferred.

While I agree that the better options are to not use remote fonts at all or at least to store them on the own server (1st party), another option would be just to get the visitor to agree that his IP address will be transferred, before it is.

Actually, the court decision does not mention anything about storing fonts locally.

@Porfirio See image for the paragraph about local hosting, from the link i posted, paragraph 8 there.

Also, ergonomically, any more pop-up dialogue boxes & consent declarations are widely _unappreciated_ ;)

It takes me max. five minutes to host any fonts (even Googl efonts) locally.

Nothing speaks against that.


Thanks! In so far I stand corrected. There is a mentioning of hosting the fonts locally.

But as I ponted out there is also the other "option" on asking for consent. And yes, I am glad that all this "give us your consent to f*ck your rights"-shit is quite unpopular.


> another option would be just to get the visitor to agree that his IP address will be transferred, before it is.

No, that is not really "another option", you don't "get the user to" do whatever suits you.

The GDPR requires you to ask for their consent and comply with their choices. Not to « get them to accept so you can you whatever you like".

It means asking for consent without trying to influence their answers, or @jayrope - 1/3

blackmail them in the typical “You either accept or you can't use the site because the code is written in a way that you'll be tracked anyway, if you" manner.

If you ask for consent ONLY to avoid probably less than 5-min of "work" to put fonts locally, then you're basically giving users choice to either accept google's (or whoever) tracking or go to fuck off. That is NOT Legal. To be valid, the consent should be informed, unambiguous, @Porfirio @jayrope - 2/3

specific and *freely given*, not enforced in order to be able to use the service.

@jayrope @Porfirio - 3/3

@devnull or tricked with dark patterns. not sure what I hate more, openly admitting that they gathering info beyond all meaningful sense or tricking you into agreeing on that with red cross which instead of closing pop up just clicks on the banner :/ @jayrope @Porfirio

@jayrope nice. A good practice I am following since becoming a part of the WirSpeichernNicht movement. If I'm not doing logs why would I give someone else the opportunity?

@SolSoCoG Bin da ganz bei dir. Alleine, daß Google Services (muß nochmal schauen wo ich die Zahl her habe) in der Lage sein sollen, 80% aller Webseitenbesucher auf dem Planeten hinterherzulaufen, scheint Grund genug, diese Services in der eigenen Arbeit abzuschalten bzw. durch lokale oder Google-ungebundene Services zu ersetzen.

Is this real? We are not at a browser.

We boosted but the CloudFlare alarm went off so we had to unboost, thanks for understanding.

🔔 CloudFlared Domain:
🙆 An alternate link:


@jayrope Danke! Gleich mal das Ganze auf meiner eigenen Webseite am Stück blocken.

@mario Gern, das hilft allen. Google Fonts herunterzuladen und lokal zu hosten ist ebenfalls sehr einfach. Am Ende siehts dann genauso aus, jedoch ohne Verbindung nach draussen.

@jayrope never understood why people wouldn't just do that

five minutes of work, and your cookie consent looks much shorter

@meena Totally agreed. Conciousness of web devs today towards what they do to the visitors of sites they admin is yet minimal. To me that is just sloppy - and there is zillions of examples for this lack of work ethics...

@meena Oh, pardon me, getting it. Yes, burger menu was a bit of a css-only problem here - but i've managed:

@meena And to be mor specifically answering: A cookie conent in't even neceary, if you don't have any cookis happening. On a wider note Google fonts don't use any cookies. They are part of Google's (and other's) future tracking universe, which doesn't need any cookies. It needs users to be logged into sites, while the fonts just track their IP number elsewhere. You match these two things and you have a personalized connection. So we all should remember to log out of sites we don't use right now.

@kuba @jayrope you're logged in somewhere (GMail), that gives the initial clue. and then you use a website that uses Google Fonts, but no Google Analytics? You can still be correlated.

@meena @jayrope but how, without cookies? Based on IP or the user agent string?

@kuba same as fakebook with 1 pixel beacon. the power of big data and good algorithm. So they have hits from time to time from person X on different sites because of that pixel or fonts, but somewhere on server now records exist. At some point person will open site where they are logged in, so now ALL these records have name on it. I'll admit, just recording an IP with request for font/beacon is not so powerful as tracking, but this is not only thing to fingerprint someone. @meena @jayrope

@kuba @meena @jayrope if my understanding serves, by matching your IP (and probably browser fingerprint) between (in this example) gmail and where you viewed the fonts.

@meena @kuba @jayrope They discovered these simple tricks in the mid 2000s, and it's largely how Google got to be what it is now. Data mining the logs.

For a long time naive techies also gave them cover, with the mantra of "I trust Google with X". Sponsorship has also helped to ensure that nobody gives a tech talk about this. But I notice that the EU is now starting to get interested in self-hosted fonts, and so the classic grift might not be able to continue much longer.

@kuba @meena @jayrope
By downloading them on one site you send an site origin to google, i'd guess.

@fabiscafe @meena @jayrope and then they know that this font is used in that particular website. What i'm wondering is how exactly does it track a user.

Don't get me wrong, I hate Google with a passion and always self-host my fonts. I've tried reporting sites for using Google Fonts and it rarely worked, I just want to know what exact angle can be used for it to trigger a fine

@kuba @fabiscafe @meena The angle is, that Google real time cross-references collected ip numbers, browser types and access times from access logs, data that is generated by numerous websites accessing Google fonts. Why collecting meta data leads to personalized tracking is shown by David Kriesel in this speech

@kuba and an IP address. Thats something you push to a server just by connecting directly. So by this + your browsers identity string you can pretty much create a profile that is trackable across sites. If you then have also access to something like cookies or abuse cache data, geolocations and whatsoever, you can also track users across IP changes.

@kuba oh I see your point now. but google already knows that site Y used their "free" fonts. They want information that some particular person has visited this site, and if you open site in one tab and google search/email/other in another tab, that gives them 99,9% assurance that that person was you, now they can add more info about you into huge database, to sort you into categories and then sell data to literally anyone interested. @fabiscafe @meena @jayrope

@jayrope Germany will kill it's connection to the world... Thank you fucking government

@BollerwagenPicard @jayrope
Google is not "the world".
they just piss in every corner of the world.

@jakob @jayrope but you know that it is more easy to geo block Germany than changing your WordPress theme?

@BollerwagenPicard @jakob I am happy to leave anyone as unconcious or otherwordly as they want to be. If that makes any sense in the long run is for them to find out. Not anyone else's business.

@jakob @jayrope @BollerwagenPicard wasn't the point, that the "einwilligung" was missing? So they are allowed, but they have to be transparent about it.

@tommy @jakob @BollerwagenPicard Entweder, oder. Doch allein aus tchnischen Gründen zieh eich persönlich lokales Hosting vor. Es ist schneller, datenparsamer, und ich mußnicht immer wieder daran denken, ob der Text eines Disclaimers - wenn er nicht automatisch per script von einem externen Formulaten, natürlich wieder gegen neue Logfiles meiner Besucher geändrt wird - der aktullen Rchtsprechung ntspricht. Weniger scheint hier deutlich mehr zu sein.

@tommy @jakob @BollerwagenPicard Und dem noch hinzugefügt, war meine Post wohl eher an Coder gerichtet. Doch code-unbewusste Wordpressbetreiber wissen jetzt immer noch nicht, was zu tun ist. Es müsste denen klarer werden, daß eine Webseite zu betreiben eben auch bedeutet, technische Verantwortung gegenüber den eigenen Besuchern zu übernehmen. Einige der Kommentare sprechen da jedoch ganz anders: Das nervt, im Zweifel einfach DE-Seiten geoblocken ;) Dies ist aber inhaltlich nicht unser Verlust.

@BollerwagenPicard @tommy @jakob Projekt Guteberg ist schon einige Jahre geogeblockt für Besucher/innen aus DE. Da gab's wohl Ärger mit deutschen Verlagen.

@jayrope @tommy @jakob naja ein anderes Beispiel ist die unsichere Lage bei den Klemmbausteinen in Europa... Andere Hersteller haben sich hier nur sehr selten auf den Markt getraut durch europäische Richter und Lego.

@jakob s gibt noch ein paar Andere ;) Las uns keine Namen nennen: Any press is good press ;)

Sign in to participate in the conversation

A newer server operated by the Mastodon gGmbH non-profit