Ask HN: What does the GDPR penalty for loading fonts mean for website owners?
9 points by emschlr 1602 days ago
Story of GDPR penalty for loading external fonts from Google - https://news.ycombinator.com/item?id=30135264

I was thinking of starting my own blog recently. I like the idea of having a comments section in the blog powered by Disqus or another service that can be embedded in a website with JavaScript. But will this be violating GDPR? Is it a risky move?

From now on, should we load all page resources from the same domain? No more using external JavaScript to power syntax highlighting for code blocks or the commenting section? What do website owners think about this penalty decision? What changes will you make to your websites to protect yourself?

7 comments

If you really want to use Disqus, you could load the Disqus code after you obtain explicit consent from the user to be tracked by Disqus.
I already switched to hosting everything myself wherever possible for my website [1].

I think it's becoming increasingly risky to include many different domains without naming them in your terms and explaining what they do with your users' data (in this case the IP addresses).

It'd be hard for services like Disqus. In such cases I think you'd need to include them in your terms/privacy policy.

Disclaimer: I'm no lawyer/expert

[1] https://stockevents.app/en
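The consent-gated loading that the comment above describes, written out as an added example (not code from Disqus, from the commenter, or from the linked site): the third-party script is injected only after the visitor explicitly opts in, so the third party receives no request beforehand, and the choice is remembered. The storage key, the function names, the placeholder embed URL and the Node stand-ins for `document` and `localStorage` are this example's own assumptions.

```javascript
// Added example for this thread, not code from any commenter or from Disqus: a third-party
// embed (comments widget, remote font stylesheet, ...) is injected only after the visitor
// explicitly opts in, so no request reaches the third party before consent.
// CONSENT_KEY, the function names and the stand-ins below are this example's own choices.

const CONSENT_KEY = 'third-party-consent:comments'; // hypothetical storage key

// In-memory stand-in for window.localStorage (constructed so the example runs under Node).
function makeMemoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

// Minimal document stand-in (constructed) with only the members the loader touches.
function makeFakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return {
    head,
    createElement: (tag) => ({ tagName: tag.toUpperCase() }),
  };
}

// Consent state: only an explicit 'granted' counts; absence of a record means no consent.
function makeConsentStore(storage) {
  return {
    hasConsent: () => storage.getItem(CONSENT_KEY) === 'granted',
    grant: () => storage.setItem(CONSENT_KEY, 'granted'),
    revoke: () => storage.setItem(CONSENT_KEY, 'denied'),
  };
}

// What the page should render for the current consent state.
function decide(store) {
  return store.hasConsent() ? 'load-embed' : 'show-placeholder';
}

// Inject the third-party <script> once, and only with consent. Returns the created
// element, or null when nothing was injected (no consent, or script already present).
function loadThirdPartyEmbed(doc, store, scriptUrl) {
  if (!store.hasConsent()) return null;
  const already = Array.from(doc.head.children).some((el) => el.src === scriptUrl);
  if (already) return null;
  const script = doc.createElement('script');
  script.src = scriptUrl;
  script.async = true;
  doc.head.appendChild(script);
  return script;
}

// Handler for the placeholder's "load comments" button: record consent, then load.
function onPlaceholderAccepted(doc, store, scriptUrl) {
  store.grant();
  return loadThirdPartyEmbed(doc, store, scriptUrl);
}

// Stand-alone run (Node or browser): the state a fresh visitor starts in.
const demoDoc = typeof document !== 'undefined' ? document : makeFakeDocument();
const demoStorage = typeof localStorage !== 'undefined' ? localStorage : makeMemoryStorage();
const demoStore = makeConsentStore(demoStorage);
const EMBED_URL = 'https://comments.example.invalid/embed.js'; // placeholder, not a real embed
console.log('before consent:', decide(demoStore), loadThirdPartyEmbed(demoDoc, demoStore, EMBED_URL));
```

In a real page the placeholder is a visible box ("Load comments from <provider>") whose button calls `onPlaceholderAccepted`; until then the markup contains no reference to the provider's host, which is the whole point, since a `<script src>` or `<link href>` pointing at the third party is fetched by the browser before any consent banner can run.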

IANAL, but it could mean that we're going to see an Abmahnwelle in Germany, i.e. where law firms systematically scan websites hosted in DE for violations and demand cash under the threat of suing. The habit of Abmahnen is a staple in German civil law and is seen as part of Rechtspflege (upholding the law by putting economic interest behind it), but its application has been limited in recent years by a high court AFAIK, and I don't know how it could work in this particular case where visitors have individual claims. Which I think is the dangerous thing, i.e. continuing to use Google Fonts and other CDNs without consent could set you up for quite a lot of claims.

FWIW, yesterday I rushed to change my sites to serve all assets locally.

We like to think "abmahnen" was a particularity of German law - but it is not. Americans know it as the "Cease and Desist"-letter.

When you now do what was the right thing to do to begin with - not introducing third-party tracking from unreliable countries - then all is well.

AFAIK the German version always comes with a bill for a few hundred euros to "cover the lawyer's time".

Nope. The German version can come with a bill, but that is not strictly a requirement - and it's only legitimate if it does come from a law firm (you could theoretically send an Abmahnung without the help of a lawyer).

Interesting, thanks! I guess I've only read the horror stories.
If you have your blog self-hosted in your garage !IN EUROPE!, and your Apache uses a custom log format that does not log IP addresses, and I add an <img> pointing to some image on your site (example - some cool car), I should be OK?

Now imagine this: one day you replace the image with something else (example - a picture of birds). Can I sue you because you changed MY website without my permission?

My logic is that if in court I am responsible for something that is outside my webserver (it is on your webserver), then you should be responsible too? (it is still your webserver)

What if one day you decide to start logging IP addresses, and move your blog from your garage server to AWS in USA without notifying me?

Your logic makes no sense whatsoever.

You own a website, then you're responsible for the content on said website. You choose to embed content from 3rd parties? Then you take on a risk. If you have a business relationship with this 3rd party, then you can maybe take them to court.

That’s a helluva straw man you got there!

Look, there’s two options:

1) Only serve things you control.

2) If pulling in stuff from a third party (i.e. instructing the user's browser to pull in stuff from a third party), have an agreement with the third party.

I think this decision isn't helpful or beneficial - like many other decisions, rules, and provisions related to GDPR (the fundamental idea of which is good, it's just that the implementation and execution are ... less so).

Decisions like that will only lead to more people and businesses hosting everything themselves when they probably shouldn't. With font files there's probably little that can happen in case one hosts those oneself.

However, for other aspects such as not being allowed anymore to use any third-party service with any connection to the US whatsoever, it's not quite as simple.

If everyone now starts hosting everything themselves, we'll end up with less secure systems, worse security, and less user privacy, because most people and most businesses won't be able to maintain the same security standards as companies like Google. For many services, there simply is no EU-based alternative without any affiliation to US-based companies.

Even if there is, the question remains if those are able to provide the same level of security. Unfortunately, there's this widespread fallacy that a service or provider automatically is "safe" simply by virtue of being EU-based.

Long story short, it is what it is. Not complying with this decision puts you at risk. If that risk is easily mitigated by loading files from your local server instead of a CDN, there's no reason not to do it.

As for services such as Disqus it's more complicated, though. Disqus isn't exactly known for being particularly privacy-friendly. So, apart from the hosting question, it might be a good idea to look for alternatives anyway.

Blogging software products such as WordPress often provide a comment feature out-of-the-box. So, why use a third-party service for that in the first place?
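Both the comment above ("loading files from your local server instead of a CDN") and the earlier one about naming every third-party domain in your terms presuppose that you know which origins your pages actually make the browser contact. As an added example, not code from any commenter or product, the scanner below lists those origins from a page's HTML: `src`/`href` attributes on fetching tags plus `url(...)` references in inline CSS (where `@font-face` sources hide). The regexes, function names and `SAMPLE_HTML` are this example's own; the sample markup is constructed and the comments host is a placeholder.

```javascript
// Added example for this thread, not the code of any commenter or product: list the origins
// other than the site's own that a page's HTML makes the visitor's browser fetch from. That
// list is what the site owner has to either name in the privacy policy or self-host.
// The regexes, names and SAMPLE_HTML below are this example's own; the markup is constructed.

// src/href attributes on tags that trigger a fetch.
const ATTR_RE = /<(script|link|img|iframe|video|audio|source|embed)\b[^>]*?\s(?:src|href)\s*=\s*(["'])(.*?)\2/gi;
// url(...) references inside inline CSS, e.g. @font-face sources.
const CSS_URL_RE = /url\(\s*(["']?)([^"')]+)\1\s*\)/gi;

// Resolve one reference against the page URL and record it if its origin differs.
function addIfExternal(ref, pageUrl, pageOrigin, found) {
  const r = ref.trim();
  if (!r || r.startsWith('#') || r.startsWith('data:') || r.startsWith('javascript:')) return;
  let abs;
  try { abs = new URL(r, pageUrl); } catch { return; } // unparsable reference: skip it
  if (abs.protocol !== 'http:' && abs.protocol !== 'https:') return;
  if (abs.origin !== pageOrigin) found.add(abs.origin);
}

// Sorted list of third-party origins referenced by `html` as served at `pageUrl`.
// Relative and protocol-relative references are resolved against the page URL.
function externalOrigins(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const found = new Set();
  for (const m of html.matchAll(ATTR_RE)) addIfExternal(m[3], pageUrl, pageOrigin, found);
  for (const m of html.matchAll(CSS_URL_RE)) addIfExternal(m[2], pageUrl, pageOrigin, found);
  return [...found].sort();
}

// Constructed sample page: a self-hosted stylesheet and image, a Google Fonts stylesheet
// and preconnect, an inline @font-face, and a placeholder comments embed.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<style>@font-face { font-family: X; src: url("//fonts.gstatic.com/s/inter/v1/inter.woff2"); }</style>
<script src="https://comments.example.invalid/embed.js" async></script>
</head><body>
<img src="images/photo.jpg" alt="">
<img src="data:image/png;base64,iVBORw0KGgo=" alt="">
<a href="#top">top</a>
</body></html>`;
const PAGE_URL = 'https://blog.example/post/';

console.log(externalOrigins(SAMPLE_HTML, PAGE_URL));
```

Run it over the rendered HTML of each template (the output of a crawl of your own site, or `curl` against it), not just the source: plugins and themes frequently add remote fonts and scripts that never appear in the files you edit. Anything in the output is a host the visitor's IP address reaches before any consent banner runs, so it either moves onto your own origin or gets named in the policy and gated behind consent.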

> For many services, there simply is no EU-based alternative without any affiliation to US-based companies.

This could actually prove to be a boon for EU devs. A huge market of "X-but-GDPR-compliant" just opened up. Plausible is already out there doing analytics; I know Sweden has a service for GDPR-compliant commenting for newspapers.

> X-but-GDPR-compliant

That market does not exist, it will never make money (maybe from leeching the public sector but everyone makes some scraps there). In fact the idea that laws will create a market was a bad idea.

In some instances, yes. For the most part, however, this simply is not realistic. There's no viable exclusively EU-based video conferencing service, for example.

Currently, the only GDPR-compliant solution in that case is to self-host a tool like Jitsi, which comes with the security headaches outlined above, though.

No contact, no company, Njalla domain, Cloudflare proxy. Problem solved for small sites/blogs.

HTTP works w/o a ToS and privacy page lol

It's idiotic beyond reasonable belief. It went wrong with the cookie misunderstanding (users own their browser; they are entirely free to use or not use the cookie feature). Now it just goes more wrong until it's all wrong all the time.