14

Alright... how the FUCK is an IP address considered personal data by GDPR????

Fucking boomers don't even know what an IP is. Guess what, every website you've ever been to has your IP! It's in your router, your fucking ISP's registry, and in every DNS server within 1000 miles of you!

Imagine thinking your IP gives up private information, god, just fuck me, I hate all of it, idiotic fools fumbling around with shit they don't understand.

...WKO making every developer's life a living nightmare because fucking GOOGLE FONTS stores a copy of your IP for their stupid analytics. You know what? Just don't use the internet either, that needs your IP too. In fact, don't pay taxes either, the tax office has a copy of your address, that's pretty personal information if you ask me! Just live in the woods and survive with the wolves.

I already know the future 'resolution' to this one - store fonts locally, resolve this dangerous "issue"... "waaaahhh fullStackClown! the site is slower now!!!"

...an infinite circle of clownshipness continues...

tune in next week as the world continues to approach its circus fate!

Comments
  • 25
    Static IPs can quickly identify you.
    Dynamic IPs not as easy depending on how often your ISP pushed you to a new one.

    An IP is personal, and can identify an individual.
  • 22
    IP address (if static) is a potentially identifying piece of data (in GDPR's words: "online identifier"). Also, it's data that could be used in profiling user's actions.

    GDPR not only says whether or not you should collect users' data. It also specifies that, if you collect it, you must keep it for the shortest period of time possible. And that period of time is to be defined. AND there must be a predefined set of people who can access that data.

    This applies to IP addresses as well. Not everybody in the company should be able to see access.log files. And once no longer needed, the access.log must be rotated and eventually removed, along with my IP.

    Applies to webapps, DNS servers and other systems that want to be GDPR-compliant

    ref: https://fieldfisher.com/en/...
  • 7
    The issue here is not the IP address itself.
    It is the data connected to it, because you usually couple the username and other info with the IP.
    What's more annoying - if everyone keeps the IP (dynamic means you are static for x time, with your ISP mapping it to your account) - then you can track the IP across the sites you visit.
    The actual problem is mobile apps. Look at the mobile ad aggregators, and how they bundle 15+ ad SDKs that track you using your ad ID. Those fuckers collect even your current battery percent...
  • 2
    Datenschutz!!!
  • 2
    Btw, an IP address also gives away your country and sometimes city.

    And then there's Google tracking routers with Android phones. They know all the time exactly where you are because they know exactly where every router is.

    Imo there's not enough laws on this.

    If it's used only to measure daily usage of something AND stored as a hash, it's ok for me at least.
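
Added example, not part of the thread and not any commenter's code: one way to do what the comments above on access.log retention and on hashed IPs for daily usage describe, assuming Common Log Format input. The sample lines, class name and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import re
import secrets
from collections import defaultdict

# Constructed sample lines in Common Log Format (documentation address ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2022:08:01:12 +0000] "GET /fonts/a.woff2 HTTP/1.1" 200 15344',
    '203.0.113.7 - - [10/Feb/2022:09:15:40 +0000] "GET / HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Feb/2022:09:16:02 +0000] "GET / HTTP/1.1" 200 5120',
    '203.0.113.7 - - [11/Feb/2022:07:45:09 +0000] "GET / HTTP/1.1" 200 5120',
    '2001:db8::1 - - [11/Feb/2022:07:50:00 +0000] "GET / HTTP/1.1" 200 5120',
    '2001:0db8::0001 - - [11/Feb/2022:07:51:00 +0000] "GET / HTTP/1.1" 200 5120',
]

# group 1: client field, group 2: rest of the line, group 3: log day
LINE_RE = re.compile(r'^(\S+)( \S+ \S+ \[(\d{2}/\w{3}/\d{4}):.*)$')


class DailyPseudonymizer:
    """Replaces client IPs with HMAC tokens under a random key per log day."""

    def __init__(self):
        self._keys = {}  # day -> random key, held only while that day is counted

    def token(self, ip_text, day):
        try:
            packed = ipaddress.ip_address(ip_text).packed  # canonical bytes
        except ValueError:
            return "-"  # not an IP (e.g. a hostname): drop it instead of storing
        key = self._keys.setdefault(day, secrets.token_bytes(32))
        # Keyed hash: a bare SHA-256 of an IPv4 address can be reversed by
        # enumerating all 2**32 inputs; without the key that does not work.
        return hmac.new(key, packed, hashlib.sha256).hexdigest()[:16]

    def forget(self, day):
        """Discard a day's key so its tokens can no longer be recomputed."""
        self._keys.pop(day, None)


def scrub(lines, pseudo):
    """Return (scrubbed_lines, {day: unique_visitor_count})."""
    out, seen = [], defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: do not copy it, it may hold an IP
        tok = pseudo.token(m.group(1), m.group(3))
        if tok != "-":
            seen[m.group(3)].add(tok)
        out.append(tok + m.group(2))
    return out, {day: len(toks) for day, toks in seen.items()}


if __name__ == "__main__":
    scrubbed, uniques = scrub(SAMPLE_LOG, DailyPseudonymizer())
    print("\n".join(scrubbed))
    print(uniques)
```

Because each day gets its own random key, the same visitor produces different tokens on different days, so the scrubbed log supports daily counts but not tracking across days.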
  • 5
    Because it is technically possible to identify who had that IP at that time. It doesn't matter that you cannot find it out without the provider's help, and it doesn't matter that you'd need to pass legal hurdles before the provider would tell you.

    All that matters is that there is a technical path.

    Since many people failed to understand that, the lawmakers had the wisdom to include the IP address right in the text as example so that this discussion is moot and even people who still don't understand that will have to comply even without understanding.
  • 3
    Also, storing fonts locally just makes sense because browser caches are not shared across websites anymore, and you spare the latency of building up an additional connection. Don't be lazy.
  • 17
    Seems like you've completely misunderstood GDPR. IANAL, but when a user gives you personal information as they ask you to provide them a service, you can use that information to provide the said service.

    If someone reserves a table at a restaurant with their name, you can store the name so you know who is the reservation for. But you shouldn't keep a log of all visitors ever – instead, you destroy the information once it's no longer needed to provide the service. IP addresses work just the same way. That simple.
  • 4
    @electrineer 🏆Best comment🏆⬆️ on the topic right up there.
  • 0
    @C0D4 law enforcement doesn't care if dynamic or static, it's an IP address, coming from ISP y. Go to them and ask for subscriber details held by the ISP (actual address, last name, first name).

    With that info, go talk to them.
  • 4
    @max19931 law enforcement isn't the issue.

    An ad tracking site will store the IP address along with other collected data (browser fingerprinting, device details, the list goes on) to build a profile, that profile can be then tapped into other ad trackers and social media platforms to form a more detailed view of a single user. So yes an "IP" is a piece of information, the general fool doesn't care about, but it's a small part of a bigger problem, especially if it's static or doesn't bounce often.
  • 2
    Counter question: why does your website not provide the font and instead has the user redirected to a third party service to begin with?

    Why does a font service need to collect analytical data?
  • 4
    @LotsOfCaffeine CDNs make page loads faster, nothing wrong with that principle. Just need to pick a CDN that isn't also an ad network, search engine, social platform, browser vendor, ML lab and the W3C's pimp.

    And also, maybe, is located outside the five eyes and/or has a warrant canary or clear and legally binding no-logging policy.
  • 0
    If you check the concept of digital signature, it is the combination of email address, IP and timestamp. The IP is a really easy way to identify someone, it's reasonable to say it is sensitive info.
  • 1
    @lbfalvy shouldn't that only be a problem once since the client caches the font?
    Or doesn't even download it if it's already cached through some other website?
  • 1
    I can easily identify people depending on what IP they are connecting from.
  • 2
    This is the same GDPR written by Europeans that think they can dictate laws to the entire world. You shouldn't expect anything they say to make sense.

    Obligatory reminder: The GDPR only applies to companies with a physical presence in the EU and does not apply to any person or website outside the EU, because that's how sovereignty and laws work.
  • 0
    GDPR is one of the most retarded laws anyways, and people still don't understand that all their beloved "free" services are gonna cost more in the future because
    1. Ads simply don't work as good if you can't target them with orwellian scripts
    2. Trying to achieve GDPR compliance will cost a fortune which in the end the consumer pays
    3. GDPR compliance is hard to get right, so companies WILL fail, they WILL get fined and they WILL pass that cost on to their customers.
  • 0
    @NotJeckel they claim it also applies if you have EU customers. Ofc enforcement might be complicated (not where i live though, as switzerland couldn't possibly crawl farther up the EU's ass without actually being a member than it already did)
  • 1
    @LotsOfCaffeine they don't NEED it, they want it. And it should be their fucking right in exchange for a free service. If you don't like that install pihole.
  • 2
    @NotJeckel It applies if you're doing business in the EU, which in the case of a website means that you have EU visitors. The country of origin is one of the details you can deduce from an IP address
  • 1
    The main problem with GDPR is that it forbids choosing arbitrarily who can use my service and who can't. I think disclosing what I do with the data my users provide me with is good and should be common sense. But if i view data as some form of payment, if my business for whatever reason doesn't work (as good) without it, or if I simply don't want my analytics to not have the full picture, then i should be able to tell said user to fuck right off. My site, my rules.

    It's like saying the restaurant has to serve food even to customers that don't pay. It's just not fair. And i know most privacy advocates don't care about that because they think it only affects the big evil G and F. Well, they're gonna see that like with everything (laws, taxes) it sooner or later mostly affects small businesses and consumers.
  • 1
    @eval We understand and acknowledge that. We don't want companies to go bankrupt, we want them to make money some other way. The reality is that revenue from targeted ads isn't coming off the price of anything, it's just some extra cash all websites enjoy. You don't get to pay instead and it happens whether the website in question actually needs the money or not, because there's no such thing as a website that can't make use of visitor statistics.
  • 3
    @eval The express purpose of the GDPR is to ensure that data is never a form of payment, and it's not something you can just take because you want it. You must have an explicit reason to store data, be clear about how you use it and you must always design your business processes in such a way that users never fully lose control of their data, not even in exchange for services. Data is inalienable from the user.
  • 3
    @eval in response to your points:

    1. The Brexit campaign showed that overly precise targeting is dangerous. Yes, it's an industry that gets damaged. There are some industries that are simply net negative and should be restricted. There's no evidence that if left alone the advertisement industry would eventually grow into something less harmful, so it's not allowed to grow freely.

    2. GDPR compliance isn't difficult if you think about it every step of the way, and once every developer understands the 12-16 key principles it'll be natural. This is like claiming that mandatory seatbelts, airbags and crash testing are bad because the modifications and extra design considerations will eventually be paid by the customers. Also, technically the only thing you need for GDPR compliance is a phone number where people can ask to delete their data, and indeed a way to delete that data. If you're not abusing the data very few people are actually going to call you.
  • 3
    3. Not everyone who violates the GDPR gets fined, typically what happens is that companies don't give a fuck, ignore removal requests and pretend the issue doesn't exist because that's the default executive response to everything, and then whine when a court announces the obvious truth.
  • 3
    Data can't be a commodity because its value is derived from power over a living person. This is the express purpose of the GDPR, not an unintended side effect. You can use the data for various purposes, including for your own benefit, with the simple restriction that the user must always be informed of who has it and able to take it back.
  • 1
    @Fast-Nop in what world is letting the client download all the font file(s) required faster than asynchronously loading them from a cdn and swapping?
  • 1
    @fullstackclown In a world where you can as well download asynchronously from another source such as your own domain instead of Google.

    Although I'd already question why you have so much font bloat that you resort to hacks like that in the first place.
  • 0
    @Fast-Nop bye bye caching though... Which does make sense when every second site uses Roboto. Then again, it's true these 100kB probably won't kill anyone, and in turn you save some TLS handshakes
  • 4
    @eval As I already wrote, browsers cache on a per website basis, and that since 2020 already. Means, if site A downloads a Google font, and site B also, the second one will not be fetched from the browser cache.
  • 1
    @Fast-Nop true, i overread that before (and didn't know it). Then again, why is that so? Exactly, to prevent tracking. So just another thing going to shit in the name of privacy.
  • 2
    @eval Just another feature that tracking abuse made invalid. Btw., for someone who is so against privacy as you are, I'm astonished that you post under a nickname here.
  • 2
    @eval I shouldn't need to get a separate device to filter out all of this bullshit just cause web devs are too lazy or incompetent to serve a fucking file on their servers and instead chose to use a service that infringes on my privacy
  • 0
    @Fast-Nop Yeah, their recommended way for using their fonts is a "hack"... 🤡 give me a break

    my sites score 100 across the board in lighthouse, I'd ask what your scores are, if you even would know of such a "hacky" tool
  • 2
    @fullstackclown The site I'm running scores 100 both for desktop and mobile, and that from cheap ass shared hosting. Also, don't rely blindly on what Google says - you may remember their crap recommendation of including "critical" styles right in the page itself.

    Doesn't change the fact that if you load so many fonts that you need to do asynchronous hacks which Lighthouse probably doesn't even notice in scoring, you have too much bloat.
  • 3
    Downsize images to display size, remove redundant font, use vanilla js instead of frameworks.

    Hell, serve the website using html5/css3 and a little bit of JS on top.

    Makes every website load blazing fast.

    And remove all cookies not needed for core function of the website.
  • 0
    @Fast-Nop i'm not anti privacy in general, i just think "Hausrecht" for site owners is more important. Also, the privacy that is important for me is one that i will never get because of things like "Vorratsdatenspeicherung" by providers.

    I'd rather have my data scraped and analyzed by Google or FB instead of the government, for the simple fact that what they are trying to do is make money... And I even get a service in return. And I can choose not to use it if I don't want it.
  • 0
    @LotsOfCaffeine you already get a free site from them, so don't be entitled. You wouldn't go to a free event/attraction (privately financed), and make demands would you?
  • 1
    @eval If the data are with a company, they are also with the government, especially in the US with their NSA gag orders. From there to every other "friendly" government. Or just one judge order away, which is a joke in Germany anyway. The only way to avoid that is not accruing data in the first place, and that's a central pillar of the GDPR: data avoidance. Also, if you want the owner to decide what he wants, then don't offer a public site which is in the public space.
  • 0
    @Fast-Nop And I post with a nickname because sadly nowadays people get canceled for small things. I know however that I can be doxxed any minute, and it's a risk I'm willing to take. And if the owners of this site wanted to scrape the everliving shit out of my data, in return for
    - free usage of the site
    - free stickers
    - free stressball
    I would support them on that 100%
  • 0
    @eval if they chose to arbitrarily invade my privacy, yes I would

    Especially for a "service" that is a fucking font download, don't be ridiculous
  • 0
    @LotsOfCaffeine then don't fucking use it?! And events do invade your privacy. For many concerts for example you agree to be photographed and the image used for promotion. How is that ok and tracking not? Both is invading your privacy for profit.
  • 1
    > It applies if you're doing business in the EU, which in the case of a website means that you have EU visitors

    @lbfalvy No, that's not how the world works.

    If I live in the USA (or anywhere else outside the EU), am a USA citizen (or citizen of anywhere else outside the EU), and my website is hosted in USA (or anywhere else outside the EU), then absolutely no EU rules, laws, or regulations apply to me or my site, regardless of where my site's visitors happen to be.

    Again, this is the most basic aspect of how sovereignty, government, citizenship, and national borders work; namely that I am only subject to the laws of my nation, the nation I'm physically in, and the nation where my site is hosted. Third-party governments, such as the EU, have no say in anything I do.
  • 1
    @NotJeckel The EU regulations also apply to a US site that serves EU citizens. What doesn't work is the enforcement - unless you have some EU dependency that can be fined.
  • 1
    @Fast-Nop No, they don't apply. The EU may say that they apply, but they don't. The EU has no power or authority to dictate laws to anyone outside their borders.

    If the USA declared that no car with a USA passenger is allowed to drive faster than 20 kph, would taxi drivers in Germany have to drive slower when transporting USA people on vacation? No, obviously not, because USA laws don't apply to people in Germany, just as EU laws don't apply to people outside the EU.

    This is such a basic premise of the world; a nation's laws only apply to people within that nation's borders.
  • 3
    @NotJeckel Ofc it applies, except that you can argue that a law without enforcement option doesn't apply.
  • 1
    @NotJeckel

    It applies if you do "business" in EU,
  • 2
    I do enjoy when people argue about things they themselves don't understand

    Who wants some 🍿 ?
  • 1
    @Fast-Nop A government's laws only apply to that government's citizens and people within its borders. Those laws only apply to citizens in another nation if the two governments have made a treaty that states as much. There are currently no treaties that extend the GDPR beyond the EU's borders.

    I guess we are going to have to agree to disagree on this since you're doing nothing but repeating your claim without any argument to back it up.
  • 0
    @NotJeckel The EU position is that the action manifests within the EU domain, either territorially or from citizenship. That is, by reading the website.

    That's a somewhat problematic position because governments such as Saudi-Arabia could make similar claims to incriminate all non-Islamic content even if it's hosted e.g. in France by French citizens. However, it would run into the same kind of enforcement problem.
  • 3
    @NotJeckel There are no rules governing the extent of a state's power. In practice, laws only apply to people the state has practical power over, that is, people with property, contractual obligations or those physically present. To improve this situation, there are agreements between many western countries and organizations such as Interpol. Cases not covered by these agreements, and establishment of the agreements themselves, are the purpose of diplomacy. For example, drug dealers selling by mail to Germany from any western country where it's legal would most likely be arrested and tried in a German court.
  • 3
    So, the GDPR applies to American websites working in the EU if the EU can convince either the companies or the US to enforce it, possibly by threatening them with a region-wide traffic block. For example, Microsoft is exempt from any and all EU regulations for the next 20 or so years, because all governments run Windows so they have the entire civilized world by the balls. Every once in a while they get a laughably low fine and then continue about their business.
  • 1
    @lbfalvy When enforcing one's rules on other countries, having by far the biggest military budget in the world is certainly also helpful.