Website fined by German court for leaking visitor's IP address via Google Fonts

Now that's egg on your typeface


Earlier this month, a German court fined an unidentified website €100 ($110, £84) for violating EU privacy law by importing a Google-hosted web font.

The decision, by Landgericht München's third civil chamber in Munich, found that the website, by including Google-Fonts-hosted font on its pages, passed the unidentified plaintiff's IP address to Google without authorization and without a legitimate reason for doing so. And that violates Europe's General Data Protection Regulation (GDPR).

That is to say, when the plaintiff visited the website, the page made the user's browser fetch a font from Google Fonts to use for some text, and this disclosed the netizen's IP address to the US internet giant. This kind of hot-linking is normal with Google Fonts; the issue here is that the visitor apparently didn't give permission for their IP address to be shared. The website could have avoided this drama by self-hosting the font, if possible.

"The unauthorized disclosure of the plaintiff's dynamic IP address by the defendant to Google constitutes a violation of the general right of personality in the form of the right to informational self-determination according to § 823 Para. 1 BGB," the ruling stated, as algorithmically translated. "The right to informational self-determination includes the right of the individual to disclose and determine the use of their personal data."

The decision says IP addresses represent personal data because it's theoretically possible to identify the person associated with an IP address, and that it's irrelevant whether the website or Google has actually done so.

Google Fonts screenshot

Google Fonts' typeface picker ... With some sample text of our own in light of this case

"The defendant violated the plaintiff's right to informational self-determination by forwarding the dynamic IP address to Google when the plaintiff accessed the defendant's website," the ruling says.

The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of €250,000 for each violation, or up to six months in prison, for continued improper use of Google Fonts.

Google Fonts is widely deployed – the Google Fonts API is used by about 50m websites. The API allows websites to style text with Google Fonts stored on remote servers – Google's or a CDN's – that get fetched as the page loads. Google Fonts can be self-hosted to avoid running afoul of EU rules and the ruling explicitly cites this possibility to assert that relying on Google-hosted Google Fonts is not defensible under the law.

The German court ruling echoes two other recent decisions, one earlier in January by Austria's data protection authority that found the use of Google Analytics violated the law, and one in December last year when a different German court found that a Danish consent manager's CookieBot program shared European IP addresses with US-based Akamai in violation of EU data laws.

These data privacy judgments complicate how websites and applications can integrate remotely hosted content or services by requiring a legitimate purpose for doing so if personal data gets transferred or lawful consent.

They reflect the consequences of the EU Court of Justice's 2020 decision to strike down the Privacy Shield data protection arrangements that had previously allowed US companies to exchange data with European partners under "Standard Contract Clauses." That ruling is known as Schrems II because it originated with Austrian privacy activist Max Schrems 2011 complaint against Facebook in Ireland.

Google did not immediately respond to a request for comment. ®


Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022