Skip to main content

Bunny fonts issue - CRITICAL

Comments

24 comments

  • KC George

    Hi Philipp,

    If downloading fonts from Google is precisely the same as downloading fonts from Bunny fonts, then I agree that you have good reason to be concerned. What if these are not identical?

    You said

    The main issue is the forwarding of the calling IP address to a 3rd party without consent

    This declaration on the Bunny Fonts website states that the user's IP address is not forwarded to a third party.  

    We do not store, process, nor transfer any user information. A non-exhaustive list includes: IP addresses, session information, and user activity. Nothing is recorded outside of basic (non-identifiable) diagnostic data — which stays on European servers, operated by bunny.net, incorporated in the European Union — for performance and reliability purposes (e.g. load distribution, et cetera).

    You said

    The IP is still transported on page-load

    Any URL you type into a browser to access a website is converted to an IP address before the page is fetched. DNS resolution is the term for this process. DNS resolutions do not compromise a user's privacy, and the General Data Protection Regulation does not forbid them. The only IP address that is exchanged when a page loads is this.      

    Because Google fonts used to transmit users' IP addresses without their consent, you needed OMGF in the past. Since user IP addresses are not disclosed to third parties and their privacy is not being violated, you may no longer require OMGF.

    However, to account for the change, you might want to update your data processing agreements. Please think about including a section explaining how your website handle fonts. You may indicate that Bunny Fonts hosts your fonts and even reference them when they discuss how GDPR compliance is met by Bunny Fonts

    0
  • Dimi from Brizy

    Hey Philipp,

    We received all your comment, emails, support tickets on all the platforms :) 

    I've sent an email reply already. It's not efficient to have the same  conversation everywhere. Let's continue over email or here, but only in one place please. 

    I think Bunny Fonts solves our fonts GDPR issue 100%. The only thing you need to do is update your agreements and add Bunny Fonts as a sub-processor. We have a DPA signed with them, we can send it to you if that will help. 

    Best,

    0
  • Matthias Hahn

    Hi!

    The problem is not Google Fonts, but that a connection to a third server is established. It doesn't matter if this is Google or Bunny. It's not my server. I can describe this in my privacy policy, but it is not recognized by the lawyers who write the warnings.
    For Googlefonts I have caching plugins that block these calls and my site is legally compliant. For Bunny fonts this does not exist. So all my websites are immediately no longer DSGVO compliant, even if I describe this in the privacy policy, which BTW now also all have to be revised, whereby the privacy policy generators bunny fonts do not know and I still have to do that manually too.
    This "improvement" is a disaster for us europeans. I'm about to say goodbye to Brizy, as elementary features of the product are changed here without notice. Will you pay my penalty notices?
    The real problem is that there is the font Lato, which can not be deleted and which is always loaded from a foreign server. Be it google or bunny. The fonts I use in my site I load as a local font in my site. All the handstands I have to do only because of the one system font that is completely irrelevant to the site visitor and earns me a DSGVO violation. Just today a colleague showed me a penalty notice because of Google Fonts. And it doesn't matter if it's Google or Bunny. It's a third party server that is contacted without consent. 
    The last thing I can say is undo this nonsense or I can't continue to use brizy for my projects.

    Best regards,

    Matthias

    1
  • KC George

    Hi Matthias,

    You have mentioned 

    The problem is not Google Fonts, but that a connection to a third party server is established

    I wonder if websites connecting to external servers are covered by the General Data Protection Regulation. Please share the link if you come across an official GDPR document that mentions websites linking to other servers. I'd really like to research it. According to what I understand, the GDPR's main goal is to protect users' privacy. Until a business collects, stores, or transfers personal data about its users, it is not subject to this legislation. 

    However, Brizy can help you if creating webpages without making any requests to outside servers is your goal. Please visit https://gdpr.kctest.online/, my test website. The GT Metrix waterfall demonstrates that not a single request is made to a third-party website by this Brizy site. https://gtmetrix.com/reports/gdpr.kctest.online/QcgAzsgl/ I don't use a caching plugin to prevent queries from going to Google. I use the following plugins: https://jmp.sh/hTKlhHl

    By setting a different local font as your default font (fall back font), Lato can be removed from your website. As an illustration, I've set "Montserrat Local" as my default font.

      

    0
  • Matthias Hahn

    Hi George,

    the problem is a third party server connection without consent. So if you can load google fonts after a user consent, you can use this too. 

    Now i have changed the standard font and deleted Lato font in brizy, but there is always a connection to fonts.bunny.net  for Lato. Cache is cleared, and the connection disappears if I deactivate brizy.

    0
  • KC George

    Hi Matthias,

    If you see Lato listed in the above screen, please delete it and check again. If you share your URL I can check from my side as well.

    0
  • Matthias Hahn

    Hello george,
    it's funny, but after I recoded the caching plugin to filter fonts.bunny.net instead of google fonts and disabled it again, it suddenly shows Overpass as a font loaded from fonts.bunny.net. 
    Overpass deleted in Brizy.
    Connection to fonts.bunny.net is gone.
    Very strange. 

    Best reagards,

    Matthias

    0
  • Philipp Wedel

    @KC: Hers the link to the legislation you were requesting: https://www.gesetze-bayern.de/Content/Document/Y-300-Z-BECKRS-B-2022-N-612?hl=true 

    Youre statement: . DNS resolutions do not compromise a user's privacy, and the General Data Protection Regulation does not forbid them.

    is unfortunately wrong. This is exactly what is forbidden. Thats why we cant use barly any CDNs any more. Im script blocking everything externally until AFTER consent.  to be more specific, its not the dns resolution but the request carrying and transferring your IP address to the server your requesting from, that is the issue. 

    It seems that everyone is ignoring the fact that you are raising massive issues here and throwing the at least Germans (since I can't speak for any other legislation) under the bus without propper warning. 

    @dimi your statement is factually untrue. Id wish it was as easy as changing the GDPR statement but I am obliged to block every 3rd party connection BEFORE consent. (This is why I used OMGF with google Fonts, and script blockers for the other code). As Matthias correctly stated, these plugins are not available for bunny. 

    So I only have the options I have at this time are:

    1. change every site manually to use local fonts only with brizy
    2. use bunny and hope that a plugin will solve my issue - somday
    3. roll-back-never-update-brizy
    4. stop using brizy and rebuilt all sites

    All of the options require a lot of time and attention - lets check them out one by one. 

    1. The last site Ive tried to replace the Gfonts and reupload families of already set fonts, had styling issue after styling issue. Out of the blue Headlines lost their styles or Families lost their 300 cut e.g. Thats why im attached to the external gf loading.

    2. Might work if some 3rd party fixes the issue you created. In the meantime Im potentially liable aka screwed. 

    3. not an option unless I go to 4

    4. To be honest I'm as close as I ever was to abandon ship. From my point of view you are actively trying to hurt my business model. Broken updates of the past aside. Ive spent an hour yesterday to fixing broken svgs just to find out that, once more, its an update issue. But even worse. You seem not to grasp the scope of attack vectors you're opening up your clients to. This is deeply concerning. 

    I think Bunny Fonts solves our fonts GDPR issue 100%.

    It might solve yours by ripping up ours. 

    I dont know why bunny isnt an option rather than a mandatory change. I know you did this with the best intentions in mind, but why cant you implement a hotfix with a checkbox to either use bunny or google in the backend? From my point of view, the only change is the URL being called to serve the fonts. At least thats what the bunny website states. This would give everybody time to find a solution until plugins have changed - or the jurisdiction, or both.  

    Ive stated this many times before, but I wish that there was a feature - e.g. a button - that I could press, that would simply import all external Gfonts and import them as local fonts. You decided to go for another route, with all the consequences for your users. 

    Best Philipp

     

    @Matthias, ggf lohnt es sich mal Kontakt aufzunehmen, da wir hier offensichtilch im selben Boot sitzen. 

    0
  • KC George

    Hi Philipp,

    Thanks for the copy of the Munich judgement. I have briefly studied the judgement. These are the highlights of the judgement, as I understand it.

    1. When Google was given access to the user's IP address without prior consent the user's personal and informational self-determination rights were breached.
    2. Since Google fonts can be used without connecting to a Google server, the website owner had the option to withhold the user's IP address from Google. 
    3. The user's IP address is considered as personal information because it can be used to identify the person behind it.

    We can draw these implications from this judgment.

    • The website owner would not infringe on the user's privacy and right to informational self-determination if he did not reveal or transfer the user's IP address to the font hosting company or any other server.
    • Consequently, a website owner who employs a font hosting provider who does not gather user's IP addresses or any other personal information is not in violation of the General Data Protection Regulations.
    • If a website owner does not disclose a user's IP address or any other personally identifiable information to a third party, he does not need the user's prior consent.

    In addition to the four options you have listed for the future, I would say that you also have a fifth option, which is to specify in your data processing agreements how your website complies with GDPR when using a font hosting provider who adheres to the regulation and does not gather users' IP Addresses or any other personal data.

    I agree that we should look into these feature requests if using a GDPR-friendly font hosting provider does not make your websites completely GDPR compliant. 

    • Give users the ability to select their font hosting provider. Bunny/Google Fonts
    • Give users the option to automatically install all Google fonts being used locally with a button click
    0
  • Philipp Wedel

    Hi, thanks for checking the judgement.

    You are getting two things wrong though. Maybe this article might help.

    https://www.ebnerstolz.de/de/uebermittlung-ip-adressen-websites-rollt-dsgvo-abmahnwelle-396977.html

    IPS are counted as personal indtifiable data. Therefore all gdpr measures and mechanisms apply. Totally stupid but that’s the way it is.

    For a cease and desist it’s enough if the possibility exists that the shared pid could be used through a 3rd party, not the actual use itself. The transfer itself is illegal as is - on top of that.
    Prior consent is mandatory every time a ip is transmitted. It doesn’t matter if inside Europe or to the states. It’s worse if it is transported towards the us since new versions of privacy shield and other regulations are not ratified as of today. Also the us handles the definition on pid different. But the higher standard applies.

    For European vendors (as well as us ones actually) you need a data processing agreement. But that’s an additional goodie. That does not invalidate the necessity of a prior consent.

    Technically - as you mentioned- the ip is transferred to bunny since there is no other way to do this in the request. That qualifies as a transfer of pid. It doesn’t matter if bunny states that they obfuscate, anonymize or send them tinside a sealed capsule on a trajectory to the moon. All of this happens after the transfer and the delivery - so after the violation already took place.
    Again - The possibility as well as the transfer itself are sufficient independent of another.

    Obviously, it’s better to use a European company with the safeguard in place than google. No discussion about that. But the consent is mandatory prior to any transfer. And for any takedown notice, it won’t (in legal terms) heal anything to have the dp agreement in place.

    Even cookiebot was taken down due to this matter. Just an IP transfer → takedown. 

    The judgement is on google primarily, but it is recognized as a fundamental judgement - so current law - on ip transfers in general. That’s why all admins in Germany live in constant fear ever since. The letters are hitting left and right.

    0
  • Philipp Wedel

    To clarify further:

    Since Google fonts can be used without connecting to a Google server, the website owner had the option to withhold the user's IP address from Google. 

    No. The court stated that he could have withheld the information through local implementation. Not through the use of another vendor.

    Consequently, a website owner who employs a font hosting provider who does not gather user's IP addresses or any other personal information is not in violation of the General Data Protection Regulations.

    Nope. That’s not the causation that follows, nor is it anything the court suggested or "allowed".
    There is absolutely no indication that the use of a third party without consent in Europe is allowed, or that’s what the court intended. That's outside the court's scope. They only rule on the specifics.

    Causation is: if you use anything but local fonts, prior consent is mandatory. (which was mandatory in any case, any way before)


    The website owner would not infringe on the user's privacy and right to informational self-determination if he did not reveal or transfer the user's IP address to the font hosting company or any other server.

    Correct. As long as there is no transfer to a 3rd party, all he needs is the processing agreements and partners that are gdpr compliant that might gain access to the data - but not necessarily will.


    In addition to the four options you have listed for the future, I would say that you also have a fifth option…

    That’s not an option, but a mandatory statue. An additional layer, eg a requirement.
    I need dpas with every vendor that can access pid.

    0
  • KC George

    Hi Philipp,

    It appears from your comments above that there is a confusion regarding the transfer of IP addresses. Let me explain the potential causes of your confusion. The judge employed this terminology in the Munich verdict.

    The data subject is a private person who visited the website of the controller. The controller used Google Fonts in a way that the dynamic IP address of the data subject was automatically transferred to Google's server in the USA. Google Fonts is a library which includes over 1300 different fonts and can be embedded in a website by its operator.

    When reading this statement, a reader may perceive it as

    1. The website gathered the public IP address of the user. 
    2. It was then transferred to Google and saying please send the font files to the user in this IP address

    It's possible that this isn't a true portrayal of how the internet operates. Let's examine what occurs in the background. Think about a website that takes advantage of the Google font hosting service.. As part of the page loading process,

    1. To obtain the necessary font files from Google, the web server sends the user's browser to fonts.gstatic.com and fonts.googleapis.com.
    2. Google receives requests for fonts from the user's browser. (For instance, "Please give me montserrat.ttf" or "Please provide roboto.ttf")
    3. The user is subsequently provided with the font files by Google, and the downloaded font is used by the user's browser to display the website's text.

    A generic HTTP font request to Google would look like this. https://jmp.sh/nEbePcg This sample shows that the font requests submitted to Google do not include the user's IP address.

    However, in the past Google used to track the IP address of the requesting browser when you make a request to fonts.gstatic.com or fonts.googleapis.com. An example of a website that tracks your IP address is https://dnschecker.org. Please look at my IP address, which is in the top right corner of this website.

     

    Another example of a website which tracks IP Address is https://www.whatismyip.com/

    Returning to the Munich verdict, the user's privacy was violated as a result of the web server's redirection to fonts.gstatic.com and its tracking of the user's IP address. The Munich ruling could be interpreted as this

    The data subject is a private person who visited the website of the controller. The controller redirected the user to Google Fonts and the dynamic IP address of the data subject was automatically tracked by Google's server in the USA. Google Fonts is a library which includes over 1300 different fonts and can be embedded in a website by its operator.

    If you carefully examine the HTTP request process, you will realize that requesting font files from a third party hosting service does not violate a user's privacy unless the third party server tracks the user's IP address when delivering the font files.

    You had mentioned

    Technically - as you mentioned- the IP is transferred to bunny since there is no other way to do this in the request. That qualifies as a transfer of PID. It doesn’t matter if bunny states that they obfuscate, anonymize or send them inside a sealed capsule on a trajectory to the moon. All of this happens after the transfer and the delivery - so after the violation already took place.

    You seem to believe that if you employ Bunny Fonts as your font hosting service, user's IP address is always forwarded to them. This does not occur while sending an HTTP request to fonts.bunny.net. Only if Bunny Fonts tracks the IP address of your website visitors would you violate their privacy. They do not, which is why they are GDPR compliant.

    0
  • Philipp Wedel

    Hi KC, 

    Thanks for the explanation. But the request you shared is only the outgoing. The incoming server side request must contain an ip address, otherwhise the server wouldn't know where to send the requested data to - or the handshake is missing. 

    You seem to believe that if you employ Bunny Fonts as your font hosting service, user's IP address is always forwarded to them. This does not occur while sending an HTTP request to fonts.bunny.net. Only if Bunny Fonts tracks the IP address of your website visitors would you violate their privacy. They do not, which is why they are GDPR compliant.

    I indeed believe that an IP is transferred with the request. 

    From Stackexchange: HTTP requires a full on TCP handshake, followed by the HTTP protocol "stuff" (the actual communication of HTTP request/response). 

    For the ruling, it did not matter that google logged anything. It mattered that PID had been transferred without prior consent. The Judge did not ask google for their tracking methods or policies or the data collected. Thats again - out of scope. 

     

    Referring to StackExchange again, it seems quite hard to replace, spoof or anonymize the ip during the handshake: https://security.stackexchange.com/questions/96419/how-to-send-httprequest-anonymously 

    Best Philipp

     

    0
  • Gunnar Strauch

    Hello, I am using Brizy for multiple websites and several of my clients asked me already about this font issue. Some months ago I manged with the help of OMGF and local hosted fonts via Brizy Font manager to remove requests to fonts.gstatic.com or fonts.googleapis.com.

    I was surprised to see a request to bunny when I checked it again today. I share the scepticism about the use of an external server raised by Philipp and Matthias earlier. I also understand the point made by George in his last reply. However, I don't think that the crazy German judges or some greedy lawyers looking for violations will make this distinction if a HTTP request led to tracking of an IP adress or not. They will see a foreign server in the request list and send out the dissuasion... Then I have to deal with an angry client.

    On the practical side, I managed to remove any request to bunny by using OMGF, uploading the fonts via Brizy Font manager (downloaded from google webfonts helper) AND (this is new) changing the green selection to a self-hosted font (e.g. Montserrat-Self) and deleting all used fonts (eg. Montserrat) from the Brizy Font Overview. Just changing the green selection wasn't enough. Thank you George for this recommendation two days ago.

    0
  • KC George

    Hi Philipp,

    The HTTP request I shared with you had both the request and its response

    What you mentioned from StackExchange is accurate. A full TCP/IP handshake is necessary for each HTTP request. The requesting browser's IP address is exposed to the server during the TCP/IP handshake. This makes it possible for the Server to capture the user's public IP address. This blog post explains how a URL request and TCP/IP handshake work. https://www.freecodecamp.org/news/what-happens-when-you-hit-url-in-your-browser/

    You are also correct that it is difficult to spoof the IP address during the TCP/IP handshake. Therefore, during an HTTP request, the user's IP Address is virtually always made available to the server. However, exposing an IP address does not infringe on a user's right to privacy. When a website logs or transfers a user's IP address, it violates their privacy. According to the Munich ruling, the website owner violated the user's privacy when Google obtained his IP address.

    Google Fonts updated their FAQ on June 22nd. After the Munich ruling, they stopped recording user IP addresses. The updated FAQ is available here.. https://developers.google.com/fonts/faq. It says

    The Google Fonts API logs the details of the HTTP request, which includes the timestamp, requested URL, and all HTTP headers (including referrer and user agent string) provided in connection with the use of our CSS API. IP addresses are not logged.

    Therefore, a font hosting service provider is GDPR compliant provided they do not record or transfer a user's public IP address during the HTTP request.

    0
  • KC George

    Hi Gunnar,

    I fully concur with this portion of your comment.

    However, I don't think that the crazy German judges or some greedy lawyers looking for violations will make this distinction if a HTTP request led to tracking of an IP address or not. They will see a foreign server in the request list and send out the dissuasion. Then I have to deal with an angry client.

    While this is true, if we are aware of the circumstances that led to the Munich verdict, we shouldn't let this worry us too much. The facts that gave rise to the Munich ruling are no longer valid. Google stopped collecting IP addresses from users. 

    0
  • Oliver Kluth

    Hi!

    I am also very concerned that the GDPR requirements are neither understood nor facilitated to comply with them!

    Simply loading from an external server is by technical definition not GDPR compliant unless the visitor has explicitly agreed to it! Conversely, a visitor must be able to refuse this!

    The problem with "Bunny" is now that there are many plugin solutions for blocking Google fonts that worked without problems, so that the pages were GDPR-compliant (and no visitor consent was required, since the font was usually automatically provided locally by these plugins). However, Bunny is so "insignificant" that there is no plugin solution for this that I know of. 

    I have now manually added my font locally and "deleted" all foreign fonts.

    I find it a pity, however, that we must discuss with "developers" about applicable law and that with for me untenable arguments!

    Kind regards

    Olli

    0
  • Philipp Wedel

    It still the transfer thats taking place in the handshake thats the porblem. If there is a transfer and if thers an IP, consent is mandatory. No matter what the 3rd party is doing. 

    https://www.datenschutzexperte.de/dynamische-ip-adressen/ 

    Anyway, Daan was quick to release the update I've requested for OMGF. Bunny is now recognized. 

    BTW, bunnys mail servers have been down for the last couple of days hindering me in getting to a GDPR agreement. Great start… the "guaranteed reply in 24h" support took 72 to reply to the initial request. 

     

    After all, the way the Brizy team handled this implementation was a study in how-not-to-communicate-with-your-clients. 

    0
  • Dimi from Brizy

    As KC pointed out the only data Bunny gets is the agent. You can parse the info there to figure out a device type as well as what version of what browser is being used. But with no I.P. address or personal info.

    All the fonts issues from the GDPR stand point were solved, I don't think you need any OMGF plugin, but glad you solved it if you want to have them local via OMGF. I was just about to email Daan and ask him to add Bunny support to the OMGF plugin when I saw your comment. 

    Best,

     

    0
  • Michael Jansen

    I was reading the postings, but at the moment I don’t know if I understand all the information. What is the current standing - the safe way to use fonts in Brizy?

    Is it safe to delete all fonts in Brizy and upload 2 fonts manually which I really need?

    Or can I use all fonts in Brizy GDPR-Compliant now?

    0
  • KC George

    Hi Michael,

    Brizy uses Bunny.net as the font hosting provider and stopped using Google Fonts. When hosting a website developed using Brizy, you would be the controller and Bunny.net would be your processor as per the GDPR definitions. GDPR requires that the controller use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject. https://gdpr.eu/article-28-processor/

    Bunny.net guarantee that no personally identifiable data is stored from your users that access your services through them. https://bunny.net/gdpr/  Hence as per Article 28 of the GDPR, bunny.net can be considered a GDPR complaint processor.

    Coming to your questions; Is it safe to use fonts in Brizy? As per Article 28 of the GDPR, Bunny Fonts is a compliant processor and hence as a website owner, you will be compliant as well. However due to a widespread perception in Germany that before downloading an externally hosted font, websites need to take user consent, you may may want to avoid externally hosted fonts if you live in the country. 

    Is it safe to delete all fonts in Brizy and upload 2 fonts manually which I really need? You can delete all Bunny hosted fonts and add 2 local fonts that you use on your website. This will ensure that your website does not make external font requests. Not making external font requests is considered a GDPR requirement in Germany. If this is important for you, please do it.

    Can I use all fonts in Brizy GDPR-Compliant now? Yes; Bunny Fonts and Brizy are fully GDPR compliant as per Article 28 of the GDPR.

    0
  • Philipp Wedel

    @Michael: 

    You will need to manually host the fonts or use OMGF.

    Also you dont wanna use a YouTube Video in a background element, since this is loading Fonts from Google - I hope the self hosted video feature is arriving soon. Then you should be good. Mildly related: There seems to be an active API call issue to YouTube, thats being investigated, atm. When These are all fixed, Ill guess were ok on the GDPR front.

    0
  • Michael Jansen

    Thank you!

    Some Themes / Plugins stores Google Fonts locally (there is a checkbox to activate this feature). Why this way is not possible in Brizy?

    How do Brizy load / store icons? Is there the same problem?

    0
  • KC George

    Hi Michael

    We are sorry; Brizy does not support automatic installation of local fonts with a checkbox selection. Local fonts need to be installed manually.

    Brizy uses a commercially available icon pack. These icons are available as part of the Brizy installation and are not downloaded from a third party server on pageload. Hence this issue does not apply to icons. 

    0

Please sign in to leave a comment.