GDPR ruling - most websites are not compliant now!

[gpietersz]

As far as I know UK courts have not ruled on this, but given its the same law (for now!) and a lot of countries have interpreted it this way now, its quite likely. Also applies if you have to comply with any of these countries interpretations of GDPR.

This ruling (and the previous ones referred to in the article) means a lot of websites: https://www.theregister.com/2022/01/31/website_fine_google_fonts_gdpr/

It looks to me that a lot of stuff - analytics, chat scripts, CDNs (like Cloudflare) is now in breach of GDPR.

 

[japancool]

The Germans should immediately go after all 50 million sites. The use of Google Fonts cannot be allowed to continue!

 

[Ozzy]

Another case of lawyers not understanding technology

 

[Hooble]

This is another case of lawyers not understanding technology at all, a lot of websites pull a lot of centralized resources for example Font Awesome, Type Kit which is used to import fonts for example too. If you have a large estate of where you use your brand and font it can be a blessing to have a service like that.

 

[sjones21]

I guess we'll have to bump that up the priority list for UKBF ?

 

[gpietersz]

This is another case of lawyers not understanding technology at all, a lot of websites pull a lot of centralized resources for example Font Awesome, Type Kit which is used to import fonts for example too.

Just because a lot of sites do it, it does not make it a good thing.

Its not exactly difficult to install fonts locally.

If you have a large estate of where you use your brand and font it can be a blessing to have a service like that.

In many cases you will still have to deploy a lot of files to a site, so adding a few more is not a problem to add some font files.

In other cases you could deploy the fonts on one site, or your own site to share shared static files. It could even be better as you can deploy all common stuff (fonts, images, CSS, whatever) on a single server.

 

[Ozzy]

I can get my head around assets, even though I do disagree and think loading from Google etc makes sense. However what about CDNs, Analytics, User behaviour monitoring? All essential services for business improvement. If we removed Cloudflare from UKBF we’d instantly be exposed and have to take on the overhead of tens of thousands cyber attacks a day on this site. The implication of this ruling IMHO is stupid and badly thought through.

 

[thetiger2015]

What about if your website is hosted by a provider like Shopify? Non of the font uploading stuff is anything to do with us, that's beyond our accessibility.

Same with analytics. It's anonymised as much as possible but how are you supposed to know if your PPC is working, if you're not allowed to track anything, without reading out 60 page document to each visitor before they start browsing?

 

[gpietersz]

However what about CDNs, Analytics, User behaviour monitoring? All essential services for business improvement.

They will have to struture their operations in a way that does not leak the data. Set up subsidiary and host stuff more locally. CDNs are probably most of the way there, because they will serve as geographically close as they can any way.

If they fail to do that, they lose business to whoever does.

What about if your website is hosted by a provider like Shopify?

I think its their business to comply in those circumstances - not sure of Shopify in particular, but hosted services in general.

 

[japancool]

You have to be a special kind of person to take this issue to court in the first place.

 

[estwig]

I've no idea what you guys are talking about, I'm fairly sure my website doesn't comply.

Do I care, not in the slightest, it's just more red tape to ignore!

 

[fisicx]

The issues isn’t the use of third party resources - nothing wrong with doing this. The ruling was the transmission of personal data (in this case the IP) without permission. If you use a CDN and pass user data to the provider you are non compliant.

Now precedence has been set in Germany is suspect many more site will be warned.

 

[gpietersz]

The issues isn’t the use of third party resources - nothing wrong with doing this. The ruling was the transmission of personal data (in this case the IP) without permission.

Yes, and specifically disclosing data to an entity in a country outside the EU, that does no longer has a data sharing agreement with the EU.

However, as most loading of third part resources is from the US or US based services, it does make the most commonly used ones a breach, and it means a lot of other things may be a breach too. Even some backend things (DBaaS, geolocation web services...) may cbe breaches.

There are already strict rules for some things (e.g. medical data).

Personally I think GDPR rules should be, in general, loosened for small organisations, particulary if they do not trade information with others, in which case they should be exempt. Its silly that, to take an example I came across, a parish church has to comply with the same rules a Facebook. The same with small businesses with a limited number of people in their database. Is anyone lobbying for this with EU regs being rewrtten here?

I actually agree with this in principle, although I think people should have been given more time to adjust. That said, there has been a series of rulings and no one seems to have paid attention.

 

[gpietersz]

If we removed Cloudflare from UKBF we’d instantly be exposed and have to take on the overhead of tens of thousands cyber attacks a day on this site.

What sort of attacks? Unless its DDOS most attacks do not succeed against well secured sites. I have only ever had two compromises on client sites. One ignored by advice, the other had a very well hardened web server, but a backend server was somehow found and cracked... that was probably myfault, I should have limited access to whitelisted IPs.

 

[Ozzy]

What sort of attacks?

Quite a varied mix. My point though is not so much that we cannot as I know we can should I desire to do so, but the business case is that it meets my business needs and convenience to outsource the supply of the cyber protection rather than take on the overhead myself.

 

[gpietersz]

@Ozzy

Yes, but that does not protect you from an attacker who attacks your web server directly.

You are in much the same position as my client who had the hardened webserver whose backend machine was attacked. Many people do not take precautions against that.

 

[Ozzy]

Yes, but that does not protect you from an attacker who attacks your web server directly.

Nothing on the Internet can ever be 100% guaranteed safe, but we put in place all reasonable measures we can. I'm not saying we absolve everything to Cloudflare; but back to the topic what I am saying is services such as Cloudflare provide a service that makes strong business sense to me. The implications of this ruling doesn't make logical sense in such situations when taking into account how networks function and the Internet works.

 

[japancool]

So the court fined someone because of something someone else *might* do with the data. But they didn't do it.

Are we fining people because of things that *might* happen now? If you gave me your bank card and PIN number, should I be fined because I *could* have emptied your bank account but didn't?

 

[gpietersz]

If you gave me your bank card and PIN number, should I be fined because I *could* have emptied your bank account but didn't?

Bad analogy. If you knew my bank accuount number, NI number, address, etc. because you worked for my bank, would it be OK for you to give those details to a random person because there is no proof they misued the information.

But they didn't do it.

The point is that there is no way of knowing whether or not they have misused it, and no guarantee they might not misuse it in the future.

 

[japancool]

The point is that there is no way of knowing whether or not they have misused it, and no guarantee they might not misuse it in the future.

There's no guarantee you might not go off and murder someone either.

 

[gpietersz]

Now France says Google Analytics is breaching GDPR for the same reason:

Data transfer to the USA: EDPB issues its opinion on the European Commission's draft adequacy decision

In reaction to the invalidation of the Privacy Shield in July 2020 by the Court of Justice of the European Union (CJEU), US President Joe Biden adopted on 7 October 2022 a new legal framework (Executive Order) to strengthen safeguards on the collection and use of personal data by US intelligence...

www.cnil.fr

 

[gpietersz]

There's no guarantee you might not go off and murder someone either.

Which is why the law does not let you buy a gun without a license, or buy a knife if you are under 18, or carrry a fixed blade in public without a reasonable excuse etc.

 

[japancool]

Which is why the law does not let you buy a gun without a license, or buy a knife if you are under 18, or carrry a fixed blade in public without a reasonable excuse etc.

Yet you can buy a cricket bat without any special permission.

 

[gpietersz]

Yet you can buy a cricket bat without any special permission.

What proportion of murders are committed with cricket bats?

 

[simon field]

What proportion of murders are committed with cricket bats?

You’ve got him stumped there!

And plastic collanders. They can be quite lethal in the wrong hands.

 

[Fagin2021]

What proportion of murders are committed with cricket bats?

Murdering the game of cricket - by most of the England test team.

 

[Marbman]

can of worms springs to mind

 

[paulears]

They’re stopping free speech, and the thought police is on the way.

what gets me on this particular issue is that no actual breech took place, and the complainant was allowed to remain in identified, so who would have paid for the action if they lost? As a computer novice, I used to use ip lookup tools, but they don’t work any more, so how does an IP address identify somebody nowadays? Whois doesn’t work, so is there a different way to find out identity through it?

 

[gpietersz]

They’re stopping free speech, and the thought police is on the way.

I agree, but that is a different issue. The Online Safety Bill is the biggest worry. I bet a whole lot of people from party whips to chinese intelleigence are rubbing their hands in glee - the blackmail potential of knowing people's porn habits is huge.

They want a ban on end-to-end encryption too.