1. 51
  1. 35

    Good ruling - it is a privacy problem, and potentially a security problem, and in all likelihood, a performance problem too as the browser must do more lookups and connections (and the alleged benefit of caching across sites rarely worked anyway, and then the other issues recently made browsers stop even trying anyway). This fad was always very iffy on multiple measures.

    1. 6

      a performance problem too as the browser must do more lookups and connections

      There was a time when browsers only did a small amount of parallel connections per domain, that’s when you saw www1, www2, www2 for assets. I think that’s been changed for the most part, but I don’t buy the argument that doing a (parallel) lookup for either your own subdomain or a 3rd party domain would take longer. With http2 there should be more pipelining, so it’s not a clear yes or no - or people don’t use http2.

      TLDR: While I don’t want to detract from the privacy problem, I don’t buy the performance problem. That’s a case by case decision, unless you’re actually including assets willy nilly from a ton of domains.

      1. 4

        Roll the latency distribution dice N times and your overall load time is max’d to the worst of all parallel response times plus local compute costs. You lose worse by rolling more often. Tail at scale.

        1. 1

          point taken, but that’s what async is for, to a degree. Maybe my “case by case decision” was a bit handwavy, but maybe my experience is skewed towards teams that take care of this anyway and are already minimizing their external dependencies. So “if you include 2-3 it’s probably not worse than with 0 external” but if you go towards 10-30, then your cited reference kicks in…

          1. 2

            You don’t know what those 2-3 extras are until your first HTML arrives, after having set up the connection and sent the request etc… The only case where it wouldn’t result in a slowdown is if the first server’s connection’s throughput dramatically dropped to the point where the dependencies could be entirely fetched in the time between when the first bit of HTML arrives and the response is fully received.

      2. [Comment removed by author]

        1. 1

          Hey mate. You double posted this FYI.

        2. 1

          What are the other issues that stopped browsers caching? (I’m assuming you aren’t talking about JS because browsers cache JS in all the ways they can come up with)

          1. 3

            Sites were checking the performance of loading various assets to do cross-site tracking; they could see if shared.com/thing was loading fast to figure it was in the cache and thus the user had been to shared.com before. There was a category of these side-channel attacks the browser vendors wanted to block. It went into effect last year.

            But, even before the browsers changed the cache implementation, most javascript libraries and fonts wouldn’t be in the cache anyway just due to the variety of sources and versions different sites used. And trying to use a global thing meant you couldn’t bundle and strip things to only what you used. (For example, with font files, if it is for your site in particular, you can only ship the subset of glyphs you use. This kind of aggressive stripping is not super common irl anyway, but it is impossible with the CDN approach entirely.)

            1. 1

              Hmm, I wonder if this can be exploited through JS engine caches - you would not be likely to be able to find out about an arbitrary site, but you could probably do your own tracking.

        3. 14

          1990’s: “The internet will let people trivially get information from all sorts of places all over the world!”

          2020’s: “…and that’s not necessarily a good thing.”

          1. 10

            1990’s: The internet will enable anyone to access information and avoid gatekeepers!

            2020’s: oh no…

          2. 9

            I knew it was worth it to self-host all my scripts, fonts, and CSS!

            1. 7

              The amount of effort to self-host tiny assets like fonts is negligible. Sad that this is such a common issue in the industry.

              1. 4

                Does this mean CDNs are illegal in Germany now?

                1. 12

                  No, it means that you must have a contract in place with your CDN that provides the guarantees according to the GDPR. Since Schrems, this means that the CDN must not be subject to the US legal jurisdiction (or any other jurisdiction that does not have adequate privacy protection). I believe most CDNs provide contracts that can comply with the GDPR (I know that the German Azure region jumps through a lot of legal and compliance hoops, for example) but you need to be very careful about using free ones: if you’re not paying with money then you may be paying with your users’ PII, and the GDPR states that you need explicit, informed, revocable consent for this.

                  1. 10

                    No. The ruling means that you need to get consent before using Google Fonts.

                    1. 13

                      And it will need to be as easy as not giving consent, and consent shouldn’t be a prerequisite for service.

                      In other words: either no more icon fonts, or self host them. I hope for the former as someone who already disabled custom fonts (web fonts or not) in my browser.

                      1. 4

                        Icon fonts are really a terrible solution anyway. They usually download more icons than a page needs and are almost always inaccessible.

                      2. 1

                        you need to get consent before using Google Fonts.

                        Only if not self hosting them right?

                        1. 7

                          Yes, self hosting fonts is alright.

                          The issue is (broadly) the use of Google Fonts, which leaks the user’s IP address to Google without their consent.

                          1. 1

                            I guess in this context it’s not really the IP address that is the issue, but that Google could use that to track people’s browsing habits because they have enough linked meta for an IP to no longer be considered anonymous.

                            1. 1

                              IPs are always considered PII.

                              1. 1

                                The answer is more nuanced than that.

                                An IP address is considered PII only if it “identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

                                If you have enough correlating customer data it makes an IP address de facto PII.

                                As far as I know, this is why it has been ruled that usage of Google’s Font CDN is in breach of GDPR.

                                1. 1

                                  The argument in the decision (https://openjur.de/u/2384915.html, line 9) is broader: “Dabei reicht es aus, dass für die Beklagte die abstrakte Möglichkeit der Bestimmbarkeit der Personen hinter der IP-Adresse besteht. Darauf, ob die Beklagte oder Google die konkrete Möglichkeit hat, die IP-Adresse mit dem Kläger zu verknüpfen, kommt es nicht an.”

                                  “It is sufficient that the defendant has the abstract possibility of identifying the persons behind the IP address. It does not matter whether the defendant or Google has the concrete possibility of linking the IP address to the plaintiff.”

                                  1. 2

                                    That is interesting. I may be misunderstanding/translating the legalese but the decision stating how the “plaintiff was also not obliged to encrypt his own IP address before accessing the defendant’s website” sounds like a misunderstanding of how IPs are used, given had they done so they would not have gotten a response.

                                    However, I would like to assume the authors of this decision were well advised and what they mean by that statement is the defendant should have proxied the requests to third party resources in order to mask the plaintiff’s IP, something I fully agree with.

                                    Whatever the fallout of this ruling, I hope it results in a better internet for individual privacy.

                                    1. 4

                                      German lawyers discussing the decision have been suggesting that the “encrypted” part probably refers to the use of a VPN service, but that part is unclear to native speakers, including native lawyers. The context doesn’t allow for “defendant (i.e. the website) should have done something” like you suggest, as this is solely about “plaintiff should have done something” so the VPN interpretation is more likely.

                                      Since court decisions don’t tend to offer random trivia, it’s likely that the defendant argued “If plaintiff is so concerned, shouldn’t they use a VPN?” which required the court to consider it at least in passing, hence that “No, they don’t have to work for their privacy” paragraph, to never mention it again.

                                      The weird terminology doesn’t necessarily mean that the court doesn’t understand the mechanism: for all we know they got an extensive intro course during the hearing, but that still doesn’t mean that they’re aware of the ins and outs of writing tech-German.

                                      Since the decision is first and foremost addressed to plaintiff and defendant (this isn’t a landmark ruling of a federal court), it’s good enough if the parties to the case can make sense of that particular part (and they know the context).

                                      1. 1

                                        Thank you, that absolutely makes sense.

                                        It’s an interesting case, and I hope more comes out of it; people certainly should not have to work for their privacy. I have watched the internet devolve from many small gardens into a polluted wasteland of corporate greed and it is good to see some people are still taking the fight to their door.

                        2. 1

                          Good, we can have another annoying popup! First for cookies, then for fonts, then for that image gallery JS you’re streaming in from some npm cdn, and…..

                          1. 3

                            Just serve the files yourself.

                          2. 0

                            You already have consent: a user could configure his browser not to download those resources, e.g. via uMatrix.

                            1. 18

                              That’s not how consent works

                              1. 2

                                If someone tries to rape you, they already have consent: you could punch them in the face.

                                1. 2

                                  That is really not the same. All a resource link in a page is, is a request for your browser to fetch and use it. You have the option to use a browser (e.g. links) which doesn’t fetch that resource. You have the option to configure your browser not to fetch that resource (e.g. with uMatrix).

                                  You control your browsing experience, not the site whose resource your software running on your hardware is rendering according to the configuration you specify. You are in complete control!

                                  1. 4

                                    Most users don’t have the technical knowledge to disable third-party requests. And I’m pretty sure it’s not even possible on Android and iOS, the only two usable mobile OSs.

                            2. 3

                              That’s going to be an interesting one, because you’d still be allowed to do the CDN with your own domain. But on a technical level, both that and a shared name CDN could end up doing exactly the same thing.

                              1. 2

                                Only CDNs hosted in the US, afaiu (and only if you don’t get permission).

                              2. 4

                                Is there something specific to fonts here? Seems like this would apply to minified JS, social buttons, analytics tags… a lot of off-site requests reveal the user’s IP address.

                                1. 7

                                  No, it’s not specific to fonts. The headline just makes it seem that way. It’s what you thought - about revealing the IP address to third parties.
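The point made in the two comments above (any off-site resource, not just Google Fonts, sends the visitor's IP address to whoever serves it) is something a site owner can audit statically before shipping a page. The script below is an added example, not code from the thread or from any project mentioned in it; SAMPLE_HTML and every hostname in it are constructed, and only the stdlib is used.

```python
"""Static audit: which third-party hosts a visitor's browser would contact when
rendering a page (each such request discloses the visitor's IP to that host).
Added example; SAMPLE_HTML is constructed, not taken from any real site."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

FETCHED = {"link": "href", "script": "src", "img": "src", "iframe": "src"}  # auto-fetched
# url(...) / @import in <style> blocks or style="" attributes (e.g. @font-face src)
CSS_URL = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""")

class ResourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.urls, self.in_style = page_url, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self.in_style = self.in_style or tag == "style"
        if a.get(FETCHED.get(tag, "")):
            self.urls.append(urljoin(self.page_url, a[FETCHED[tag]]))
        if a.get("style"):
            self.scan_css(a["style"])

    def handle_endtag(self, tag):
        self.in_style = self.in_style and tag != "style"

    def handle_data(self, data):  # <style> text arrives here as CDATA
        if self.in_style:
            self.scan_css(data)

    def scan_css(self, css):
        for m in CSS_URL.finditer(css):
            self.urls.append(urljoin(self.page_url, m.group(1) or m.group(2)))

def third_party_hosts(html, page_url):
    """Hosts other than the page's own. A same-site subdomain is still reported (it may
    be a CNAME to a third-party CDN); CSS fetched from a third party can reference yet
    more hosts (Google Fonts CSS points at fonts.gstatic.com), so this is a lower bound."""
    c = ResourceCollector(page_url)
    c.feed(html)
    own = urlsplit(page_url).hostname
    return {h for h in (urlsplit(u).hostname for u in c.urls) if h and h != own}

SAMPLE_HTML = """<html><head><!-- constructed sample page -->
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto"><link rel="stylesheet" href="/static/site.css">
<style>@font-face{font-family:I;src:url(https://fonts.gstatic.com/s/i.woff2)}</style><script src="https://cdn.example-cdn.net/lib.min.js"></script></head>
<body><img src="/logo.png"><img src="data:image/png;base64,AAAA">
<div style="background:url('//static.example.org/bg.png')"></div></body></html>"""
```

Running `third_party_hosts(SAMPLE_HTML, "https://shop.example.org/")` reports the two Google Fonts hosts, the script CDN and the static subdomain, while the same-origin stylesheet, logo and data: URI are ignored.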

                                2. 3

                                  More details here. Not finding the part where it says we all have to self-host our personal websites from our basements.