Much has been made of the privacy risks of incorporating the “free” services of the giant social media companies into a webpage; the services are generally free because the website is now plugged into those companies’ internet-spanning personalized ad tracking networks. Even seemingly innocuous tools can cause data privacy problems, as a company in Germany has found out. The company has been ordered to pay a small GDPR fine for its use of a font hosted by Google Fonts, which reportedly leaked the IP addresses of visitors to its website to Google without any disclosure to those visitors.
GDPR fine provides warning for those using free web-based tools
“If the product is free, you are the product.” Some variation of this popular quote has been around since at least the 1970s, but it enjoyed a predictable resurgence in the age of social media and targeted advertising.
As the case of this unnamed German company illustrates, even the smallest “freebies” on the internet may be a surreptitious tracking and data harvesting tool. The issue in this case is with Google Fonts, a library of over 1,000 fonts that can be embedded in web pages and Android apps via an API (and used by some 50 million websites around the world). The service is free to use, but “phones home” to Google with certain information about site visitors when fonts are fetched from its servers.
The site was only fined €100 (about $110) by the Landgericht München’s third civil chamber in Munich, as it appears the IP address was the only item leaked in the one complaint received by the German data protection authority. The EU’s General Data Protection Regulation (GDPR) requires that any collection of sensitive categories of personal information, including IP addresses, only be done with the awareness and consent of the site visitor. Websites must also have a documented reason for collecting each of these types of information.
The GDPR fines could be much harsher going forward if the site does not fix the violation, however. The court also ruled that the site could be fined as much as €250,000 for each future violation involving Google Fonts, along with the possibility of six months in prison.
Google Fonts flap reinforces that IP addresses are personal information
The leaking of IP addresses is subject to GDPR fines as they can at least theoretically be traced to an individual user, even if they are dynamic (as was the case here).
If the site was collecting personal information, it would usually deploy a banner informing visitors of what is being gathered and collecting their consent. If Google Fonts is the only issue, there is a much simpler fix; Google allows websites to self-host the font collection, removing the need to communicate with remote servers (and potentially pass personal information that could be subject to GDPR fines).
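The self-hosting fix described above starts with knowing which font requests actually leave your origin. The following is an added example, not code from the original article or from Google: it scans a page’s `<link>` tags and inline CSS for references to the Google Fonts hosts (`fonts.googleapis.com`, `fonts.gstatic.com`), each of which causes the visitor’s browser to disclose its IP address before the page renders, and generates the `@font-face` rule that serves the same font from the site’s own origin instead. The sample page and the font file path are constructed.

```python
"""Audit an HTML page for font requests that leave the site's own origin."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A request to either host sends the visitor's IP address to Google.
REMOTE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}

# Targets of url(...) and bare @import '...' inside CSS text.
_CSS_URL = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""")


class _FontRefCollector(HTMLParser):
    """Collect every <link href> and every URL referenced inside <style> blocks."""

    def __init__(self):
        super().__init__()
        self.refs = []          # (kind, url) pairs in document order
        self._style_buf = None  # accumulates text while inside <style>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("href"):
            self.refs.append(("link", a["href"]))
        elif tag == "style":
            self._style_buf = []

    def handle_data(self, data):
        if self._style_buf is not None:
            self._style_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "style" and self._style_buf is not None:
            for m in _CSS_URL.finditer("".join(self._style_buf)):
                self.refs.append(("css", m.group(1) or m.group(2)))
            self._style_buf = None


def find_remote_font_refs(html):
    """Return (kind, url) pairs whose host is a Google Fonts server; local paths are ignored."""
    p = _FontRefCollector()
    p.feed(html)
    return [(k, u) for k, u in p.refs
            if (urlparse(u).hostname or "").lower() in REMOTE_FONT_HOSTS]


def self_hosted_font_face(family, weight, path):
    """CSS @font-face rule that serves the font from the site's own origin (path is constructed)."""
    return (f"@font-face {{ font-family: '{family}'; font-style: normal; font-weight: {weight}; "
            f"font-display: swap; src: url('{path}') format('woff2'); }}")


# Constructed sample: one <link> and one @import fetch from Google, one already-local font.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto:wght@400">
<style>@import url('//fonts.googleapis.com/css?family=Lato');
@font-face { font-family: 'Local'; src: url('/fonts/local.woff2'); }</style>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for kind, url in find_remote_font_refs(SAMPLE_HTML):
        print(f"leaks visitor IP via {kind}: {url}")
    print(self_hosted_font_face("Roboto", 400, "/fonts/roboto-regular.woff2"))
```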
The ruling also determined that a need for free fonts to operate the site cannot be invoked as a defense against GDPR fines, given that the Google Fonts self-hosting option exists. This reasoning would likely extend to other free services of a similar nature. Two other recent rulings also addressed this use of embedded third-party services that may be collecting personal data even if the website operator is not aware of the full scope of it: Austria’s data protection authority ruled in January that the use of Google Analytics could constitute a GDPR violation, and a December ruling determined that an Akamai cookie management tool was also sharing IP addresses without user consent.
The concern over IP addresses specifically may also be one that is particular to the larger social media companies and advertising networks: part of the problem with Google Fonts passing an IP address, even in isolation, is that it could feed into the larger Google ecosystem that collects all sorts of other personal information from other sources. The similar cases that involved GDPR fines for embedding free services all concerned services run by a tech giant with a significant advertising presence.
Another issue with the tech giants, those largely based in the United States and doing the bulk of their data processing there, is that the Schrems II ruling put special new requirements on personal data transfers out of the EU. GDPR fines are now much easier to rack up once data begins crossing out of the region.
Sites must also be prepared to do their own due diligence on these services. As Security Boulevard notes, Google’s “About” page for Google Fonts makes no mention of its collection of potentially sensitive personal information. And some of the language, such as calling the collection “open source,” could mislead users into believing that the fonts are being offered “free as in beer” to anyone who wants to use them without strings attached.