
Discussion if Google Fonts is GDPR compliant - mmoez
https://github.com/google/fonts/issues/1495
======
amluto
Or website operators could stop embedding objects hosted by Google. GDPR
protects _users_ to some extent, but sites should protect themselves, too. The
information available to hosts of embedded assets is quite valuable,
especially when those assets are in the form of scripts, and sites should
seriously consider monetizing that information themselves rather than just
giving it away.

~~~
crazygringo
Except that a shared CDN which everyone uses results in better performance.

For the popular fonts, a user probably already has them in their browser cache
from other sites, so they load instantly.

Having sites redundantly host identical font files separately is a step
backwards for users, who wind up waiting longer for a page to load, or
experiencing the jarring FOUT (Flash Of Unstyled Text).

~~~
_wmd
> Except that a shared CDN which everyone uses results in better performance.

This is thrown around a lot, but very rarely with hard numbers to support it.
A cold DNS cache costs at least one roundtrip, a cold SSL session cache costs
several, a new SSL connection (presently) costs at least 2.

Meanwhile, all the above is necessary to talk to an origin site anyway, and
networking performance for the best part of 10 years has been dominated by
latency (i.e. roundtrips) rather than throughput.

Hoping the user had an idle connection to the Google CDN when measuring cold
request start is wishful thinking.

Meanwhile self-hosted reuses all of the above and enables assets to be
combined into a single transaction, which vastly improves the behaviour of TCP
cold start.

~~~
exacube
From googling: [https://www.keycdn.com/blog/web-font-performance/](https://www.keycdn.com/blog/web-font-performance/)

Skip to "Here is a comparison of hosting Open Sans locally vs Google CDN."

They found it was faster to use a Google CDN. One of the things this article
suspects is that CDNs will have better world-wide coverage, and therefore
overall latency, than hosting your font yourself.

I'd like to see a comprehensive study of your counter point, though.

~~~
_wmd
This test was performed with a single client based in LA, and concluded the
fastest font - Open Sans - downloaded in 476ms. The test fails to measure how
much of this is setup time vs transfer time, or account for behaviour of TCP
during the transfer. You will find, and I will measure this for you if you
really want, that setup time absolutely dominates this cost.

If setup time is amortized across all assets on a site, as it is when
self-hosted, the true cost of the 220KiB font download will be vastly lower --
closer to 100ms assuming a sufficiently warm TCP connection over even an 8Mbit
link, and significantly less again with faster links.

As for browser-side caching, this is once again wishful thinking and there is
no room for it in any kind of engineering discipline.

~~~
crazysim
Does Google Fonts even use TCP? It might be HTTP2+QUIC.

------
cobookman
The joke is that nothing is GDPR compliant.

I've not met 1 company who met all aspects of this law.

I'd guess this also means that any asset in a 3rd party CDN would be
non-compliant with GDPR.

~~~
Lunatic666
Wouldn't using CloudFront be compliant, because it's your bucket? Turn off the
logs, then it's anonymous. Or did I miss anything?

~~~
antsar
It may be your bucket, but Amazon is still a third party. Does turning off
logs disable _all_ logging on the Amazon side, or just your copy of those
logs?

~~~
icedchai
You really think Amazon doesn't have logs for security and troubleshooting?

What about all the networks between you and Amazon?

------
darrenkopp
You can absolutely store IP addresses (and other personal information) without
consent and be GDPR compliant. You just need to explain what you are storing,
for what purpose, who you share it with, how long it's stored, and comply with
the "rights" put forth in the legislation. GDPR merely constrains what
information Google can _share_ without your consent and requires them to be
more explicit in stating what information they gather about you.

~~~
anotheryou
Indirectly you share the user's IP by letting their browser send a GET request
to Google. The problem is the same for any CDN you use.

------
anfogoat
As far as I can see, the request that asks for the font is a simple GET. So
does this mean that an HTTP request to third-party X, who will log the user's
IP, User-Agent and possibly the origin, will now require an agreement with X
and explicit consent from the user? If so, will the consent need to be
established before the request?

~~~
anotheryou
I'm pretty sure you need a contract for data processing at least. I'm
absolutely not sure if you _also_ need consent. (Please let me know if anyone
found out!)

npr.org went back from WWW to what feels like WAP for those not giving
consent.

------
icedchai
Think of all the lost productivity wasted on stuff like this...

~~~
rectang
Think of all the abuse prevented. It's a tradeoff.

Of course, if you're someone who profits off of abusing users, you may see the
GDPR as wholly negative.

~~~
CryptoPunk
This is generally dealt with through market choice, with people choosing the
trade-off that they perceive as optimal for themselves. Instead we now have
one standard for data handling being imposed by the EU, and precluding a vast
number of potentially more optimal interactions.

~~~
rectang
Your solution didn't work for users. It was a market failure that produced
huge negative externalities borne by users, for which there was no practical
means of redress.

Because users were faced with a raw deal, now we have regulation.

~~~
CryptoPunk
The practical means of redress was the government empowering individuals with
public funding for development of anonymity technologies, public directories
comparing services and their abidance to voluntary data protection standards,
and possibly public service announcements educating people about what data
they disclose while browsing non-anonymously, or browsing particular types of
websites, and how that data can be shared and used by private data collectors.

Regardless, I don't think it's clear that the benefits of the market being
left to itself haven't outweighed the costs. My snap judgment (which isn't
that useful when assessing massively complex topics like this) is that the
benefits dwarf the costs.

Much of the internet services that have emerged over the last 20 years have
been paid for by personal information that users have traded away in exchange
for these services. Everything from Gmail, to Google searches, to Facebook, to
millions of Youtube videos, to the vast amounts of self-help content one can
find about any topic, is ad-funded, which depends in large part on this
exchange of personal information for web services.

The problem is people are taking all of these services available on the web
for granted, and recklessly assuming we would have all of them without the
ability to target ads using collected PII, and with the added burden of
complying with the onerous GDPR requirements.

~~~
rectang
I like your proposals and I think they're a good start, but I don't think they
are practical for a large portion of the population. They are only realistic
for the wealthy, and most of us aren't wealthy.

People who are struggling to get by are not going to have the time, energy, or
expertise to comparison shop. And when their identities get stolen because
their personal information was leaked by a provider, they're just going to get
crushed.

Those proposals of yours didn't happen for a reason: they are not in the
interest of the capitalist class, and the way modern markets are set up,
capitalists have way more power than other individual citizens.

Denied effective means of organizing to protect themselves from exploitation
and abuse, is it any wonder when the masses vote for politicians advocating
regulation?

Find a variant of market Libertarianism where the majority of the population
can actually defend their rights rather than get steamrolled and you'll see
less regulation.

~~~
CryptoPunk
>>People who are struggling to get by are not going to have the time, energy,
or expertise to comparison shop. And when their identities get stolen because
their personal information was leaked by a provider, they're just going to get
crushed.

The cost to innovation is too steep a price for the additional safety gained.
As it is, we don't live in a safe world either way. We are constantly
struggling against the forces of uncertainty.

It is only through innovation that we better enable ourselves to contend with
these forces.

Look at all of the web innovation that has arisen over the last two decades.
It's given us a significant boost in our ability to manage the world around
us.

Restrictive regimes like GDPR inhibit the free flow of action that generates
innovation. It's a bad bargain.

>>Those proposals of yours didn't happen for a reason: they are not in the
interest of the capitalist class, and the way modern markets are set up,
capitalists have way more power than other individual citizens.

I don't agree with your classist categorizations, but let's just say there is
a powerful special interest that stands in the way of a given political
solution.

I'd argue that any effective solution would need to be implemented over the
lobbying and resistance of one or more of said powerful special interest
groups.

If a political solution didn't need to be implemented over the objections of
one of these groups, then I'd argue that it's almost certainly not effective,
for one or more reasons.

So I'd say it's better to not implement a political change, if the ideal
solution is not viable.

------
simion314
Why is Google not answering that they do not track IPs? It is likely they are
tracking them, so are they tracking the IPs for security reasons or are they
mining the traffic?

Someone that knows more on how this works: can you answer if Google can see
more than your IP, like user agent or cookies?

~~~
wooter
Probably, at the very least for avoiding DOS attacks on important common
assets. GDPR is one of the most shortsighted laws I've ever read.

~~~
simion314
If you have read the law or this linked GitHub page, you have seen that
security was considered; search for this text:

The processing of personal data to the extent strictly necessary and
proportionate for the purposes of ensuring network and information security,
i.e. the ability of a network or an information system to resist, at a given
level of confidence, accidental events or unlawful or malicious actions that
compromise the availability, authenticity, integrity and confidentiality of
stored or transmitted personal data, and the security of the related services
offered by, or accessible via, those networks and systems, […] by providers of
electronic communications networks and services and by providers of security
technologies and services, constitutes a legitimate interest of the data
controller concerned.

Did you read this and it was not enough for you? Btw, it is DDOS and not DOS
attacks (in case it was not a typo).

------
jocoda
Never mind Google Fonts, what about SafeBrowsing? What about Chrome?

------
anotheryou
I already saw the first legal actions against users of it...

------
Rjevski
Just based on the fact that Google's business model is inherently incompatible
with privacy, I'd stay away.

It is in Google's best interest to sneakily track people despite claiming not
to do so, and they can be very good at it and do it in a way that's
undetectable from the outside. In fact, I would be surprised if they're not
doing this already.

~~~
qop
Elaborate on this.

Are you saying Google has crossed the line into social intelligence territory
like China has?

Is there evidence for this, beyond "google is bad!!1!" ?

~~~
crankylinuxuser

         (Notes wifi is "off")
         (Notes GPS is "off")
         (Notes Location sharing somehow got turned on)
    

Hey, we need your help! How was $eatery_you_ate_at_last_night ?

Can you give us direction how busy the $Business_you_parked_nearby is?

And, this
[https://www.google.com/maps/timeline?hl=en&authuser=0&pb](https://www.google.com/maps/timeline?hl=en&authuser=0&pb)

Google shouldn't even be collecting this. But they are. We know not how they
use it. But if you have the data, of course you're using it!

~~~
kevinslashslash
[https://support.google.com/accounts/answer/3118687?visit_id=...](https://support.google.com/accounts/answer/3118687?visit_id=1-636633858417735392-1191870611&p=location_history&hl=en&rd=1)

------
tobltobs
Please change the title to "Discussion if Google Fonts is GDPR compliant".

In the current form the title "Google Fonts not GDPR compliant" is just FUD,
as the argument "Google Font is ok because Google LLC is certified under the
EU-U.S. Privacy Shield frameworks" holds some water imho.

~~~
mmoez
Thank you for the suggestion.

The original title was however not FUD: some website owners in Germany have
received legal warnings for their use of Google Fonts, which was considered as
not GDPR compliant
([https://translate.google.com/translate?hl=en&sl=de&u=https:/...](https://translate.google.com/translate?hl=en&sl=de&u=https://www.datenschutz-guru.de/die-ersten-dsgvo-abmahnungen-sind-da)).

~~~
tobltobs
The article you are linking to says that it is not clear if those German cease
and desist letters are based on any facts or if they are themselves just FUD.

------
blattimwind
The real question is why you used Google Fonts in the first place. You're
telling me downloading another megabyte (or more) of _stock fonts_ — no actual
corporate branding — is worth both your and my time? Yeah, no. Stick to core
fonts which actually work and render well within the UA, or bring your own
custom branded fonts, but don't bother me with half-baked stock fonts.

The same question for using random-js-library from googleapis.com: You're
trying to tell me that giving Google (and anyone who somewhere between me and
them takes control of that domain) full arbitrary code execution privileges
within your origin is worth saving a one-off download of some JS library? I
don't think so.

~~~
Klathmon
Using subresource integrity, "random-js-library" hosted on a 3rd party isn't
"arbitrary code execution", as the user agent will refuse to run the script if
its hash changes in any way from what you provided.

The same can be used with all other "subresources" like stylesheets and fonts!
However, Google specifically makes this hard as they have been known to update
the served font from time to time, which if you are using SRI will break the
font entirely.

~~~
blattimwind
> Using subresource integrity, "random-js-library" hosted on a 3rd party isn't
> "arbitrary code execution", as the user agent will refuse to run the script
> if its hash changes in any way from what you provided.

That's true, but SRI is still rarely deployed; and no surprise there: the
official Google docs don't use SRI in their "paste this into your code"
examples:
[https://developers.google.com/speed/libraries/](https://developers.google.com/speed/libraries/)

Also, Edge still doesn't support SRI.

So, yes, for some UAs this specific problem (resource integrity) is a solved
problem, but like I said, it's far from the default.

The other issues - lack of necessity, load time, degraded visual quality,
giving user data away for free to an advertiser etc. - remain untouched.

~~~
Klathmon
I completely agree that it needs to be more widely used, and I absolutely
think that google could go a long way toward making it more common.

But to be completely honest, lack of user agent support shouldn't be a reason
to not use a feature. Edge doesn't support it, so Edge users are less secure.
There are also user agents that have CORS restrictions disabled or don't
support HSTS, but I'm still going to use and rely on both of those for
security.

And it sounds like you and I disagree completely on the usefulness of fonts.
For me a font isn't "unnecessary" any more than paint isn't necessary on a
house. Sure, you could live in a house without paint, but I want paint on my
house. As for longer load times and degraded visual quality: the former is
being dealt with via the new font-display CSS descriptor, and in browsers that
don't support that they have timeouts of normally 3 seconds at most, and the
latter is an opinion that I absolutely don't share.

