20.10.2022, Caution trap

Warnings regarding Google Fonts

Google Fonts warning as screenshot. This is what a letter from a lawyer looks like

Whenever you think it can't get any more perfidious, you are surprised again by the ingenuity of some black-hat lawyers.

In the last few days, two law firms (a lawyer with a Düsseldorf address and a lawyer from Berlin) have sent a number of warnings to website operators due to the non-compliant integration of Google Fonts on websites.

The law firms act on behalf of clients who claim that their privacy and data protection rights were violated because they allegedly visited your website and their IP address was forwarded to Google via Google Fonts.

Even though you should stay calm at first, these letters are unpleasant, especially when, as the recipient, you are initially bombarded with nothing but technical details. Even for people in the field it is difficult enough to anticipate all the pitfalls that result from the many changes in legislation and case law. Here is a rough explanation of how this wave of warnings came about:

How can the warning be possible?

Google Fonts are fonts with free software licenses that Google provides in a large directory of over 1400 fonts (https://fonts.google.com/). By default, Google offers to deliver the fonts you want to use on your website from its own servers. This is easy to maintain, as it is centralized and fast. Let's assume you have a website that uses the popular Google font "Open Sans".

When a visitor visits your website, the server of your website reports "Hey, there's actually someone who wants to look at our site. Alert! Google Server, please give me the font "Open Sans" so that I can show the complete page to the visitor". In the HTML world, a request looks like this:

<link href="https://fonts.googleapis.com/css2?family=Open+Sans" rel="stylesheet">

How does the "violation of personality" come into play?

To enable communication between different nodes on the Internet, each node needs an IP address. This is how the Internet is structured in principle.

A visitor to your website has an IP address (e.g. from Telekom), which he or she uses to surf around the world. The computer on which your website runs, also known as the server, also has an IP address. And the Google computer, i.e. the font server, also has an IP address.

According to a ruling by the European Court of Justice, the IP address you use to surf the internet is part of your personal data and must therefore be specially protected by the other parties on the internet. This is regulated by the GDPR in Germany, among other countries.

Data protectionists argue that the visitor's IP address can leave the EU via this communication and end up with Google in the USA. Google could store it there, and this is not permissible without the visitor's consent.

The lawyers are now referring to this.

A member of the "Interessengemeinschaft Datenschutz" has now allegedly visited your website, and in the process the IP address was passed on to Google when the font was delivered.

They argue with screenshots of the source file of your website and other evidence. You are offered a settlement: for a payment of between 170 and approx. 250 euros in damages, all claims are considered settled.

The amount of the compensation is set just at the level where many recipients would rather pay than go to the trouble of finding a lawyer and filing an objection. If these letters are sent out en masse and only a small percentage of those warned pay, the lawyers and the clients in question earn a lot of money.

What can you do to prepare for this?

First check whether your website is affected by Google Fonts at all:

https://www.e-recht24.de/google-fonts-scanner

If the check raises an alarm, you should cut out the last node, i.e. Google's font server, by downloading the fonts directly to your website's computer and delivering them to the visitor from there. This is called "Integrate Google font locally". There are various ways to do this, depending on the website. In WordPress, the plugin "OMGF" can produce quite useful results. Sometimes, however, you have to tackle the whole thing manually. Please contact us for a review.
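One way to run this check yourself on the HTML a page delivers, as an added example (not part of the original post and not the e-recht24 scanner): it reports every reference to the hosts fonts.googleapis.com and fonts.gstatic.com in link and script tags, style blocks and inline styles. The sample page and the names FontRefScanner and find_google_font_refs are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts that serve the Google Fonts stylesheets and the font files.
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
# Absolute or protocol-relative URLs inside CSS text (@import, url(...)).
CSS_URL = re.compile(r"""(?:https?:)?//[^\s"')<>]+""", re.I)
# Constructed sample: two remote <link>s, one @import, one local font file.
SAMPLE_HTML = """<html><head>
<link href="https://fonts.googleapis.com/css2?family=Open+Sans" rel="stylesheet">
<link rel="preconnect" href="//fonts.gstatic.com" crossorigin>
<style>@import url("https://fonts.googleapis.com/css?family=Roboto");
@font-face { src: url(/assets/fonts/open-sans.woff2); }</style></head></html>"""

def is_google_font_url(url):
    # Compare the exact host name so look-alike domains are not matched.
    host = (urlsplit(url.strip()).hostname or "").lower()
    return host in GOOGLE_FONT_HOSTS

class FontRefScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # (location, url) pairs in document order
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        for name, value in attrs:
            if name in ("href", "src") and is_google_font_url(value or ""):
                self.findings.append((f"<{tag} {name}>", value))
            elif name == "style":  # inline style attribute
                self._scan_css(value or "", f"<{tag} style>")

    def handle_data(self, data):
        if self._in_style:         # text of a <style> block
            self._scan_css(data, "<style>")

    def handle_endtag(self, tag):
        self._in_style = False

    def _scan_css(self, css, where):
        self.findings += [(where, u) for u in CSS_URL.findall(css) if is_google_font_url(u)]

def find_google_font_refs(html):
    scanner = FontRefScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Feed it the HTML your server actually delivers rather than the theme templates, since plugins can add font references of their own. External stylesheets and fonts loaded by JavaScript are not followed, so an empty result for the HTML alone is not a complete all-clear.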

What should you do if you have received a warning or a settlement?

Of course, we cannot and must not give any legal advice here. But here is some food for thought 😉

  1. Surely no one is going to access hundreds of thousands of websites on the Internet, check the source files and take screenshots. So there is probably a program behind this that captures the affected websites. This process alone is not permitted. A lawyer can lose his license in the event of misuse.
  2. If it is obviously a mass warning (which you can quickly find out by searching), the question arises: out of hundreds of thousands of letters, how likely is it that a law firm will go to the trouble of suing you if you simply do nothing?
  3. Another point is that Google states that no IP addresses are logged at all when the fonts are delivered. See https://developers.google.com/fonts/faq.
  4. In any case, an interesting aspect of the proceedings would be that Google's font servers are located in a so-called CDN (Content Delivery Network). This is a network with a number of mirrored servers so that data can be retrieved from the nearest node on the Internet. And in this case, the nearest CDN server would be in Europe. It is therefore possible that the IP address of the "client" has never left the borders. You cannot tell this from a simple screenshot.

You can also find some further tips at e-recht...

Cases with us and conclusion

We have now checked all of our customer sites that run on our systems again and have not found any websites that reload fonts from the Google server.

Unfortunately, 3 customers whose websites we manage have now reported that they have received letters to this effect, even though we had already started to integrate fonts only locally in February. Investigations then revealed that there was a WordPress plug-in that was causing the fonts to be reloaded. We have since fixed this error, but it is of course annoying.

Together with one of our customers, we will now take action against this type of warning letter. If possible, we will keep you up to date here in the blog.

There is one good thing about this: we are now dealing even more intensively with the topic of GDPR and can give you further advice on this. I'm also finally writing newsletters again 🙂

If you have any questions, please do not hesitate to contact us!