Typefaces can be a tricky business, both technically and legally.
Before word processors, laser printers and digital publishing, printed materials were quite literally “set in metal” (or wood), with typesetters laying out lines and pages by hand, using mirror-image letters cast on metal stalks (or carved into wooden blocks) that could be arranged to create a back-to-front image of the final page.
The laid-out page was effectively a giant stamp; when inked up and pressed against a paper sheet, a right-way-round image of the printing surface would be transferred to the page.

Note how the printed page is the mirror of the typesetter’s blocks.
For books printed in Roman script, typesetters kept multiple copies of each letter in separate pigeonholes in a handy tray, or printer’s case, making them easy to find at speed. The capital letters were kept in their own case, which was placed by convention above the case containing the small letters, presumably so that the more commonly-used small letters were closer to hand. Thus capital letters came from the upper case, and small letters from the lower case, with the result that the terms upper case and lower case became metaphorical phrases used to refer to the letters themselves – names that have outlived both printers’ cases and movable type.
Getting the right look
Designing a typeface (or “font”, as we somewhat inexactly refer to it today) that is both visually appealing and easy to read, and that retains a unique and attractive look across a range of different sizes, weights and styles, is an astonishingly complex task.
Indeed, although the digital age has made it easy to create new fonts from scratch, and cheap to ship them as computer files (another physical document metaphor that has survived into the computer era), designing a good typeface is harder than ever.
Users expect the font to look good not only when scaled up or down to any size, including fractions of a millimetre, but also when displayed or printed as a collection of separate pixels at a variety of resolutions using a range of different technologies.
As a result, good typefaces can be expensive, especially if you want to adopt a font collection as a company standard for your corporate identity, and you want to license it correctly for all possible uses, including on the web, in print, for editorial, in advertising, on posters, in films and videos, for redistribution embedded in presentations and documents, and more.
“Free” font collections abound online, but – as with videos, music, games and other artistic content – many of these downloads may leave you with dubiously licensed or even outright pirated fonts installed on your computer or used in your work.
Nevertheless, many distinguished font creators provide open source fonts available for personal and commercial use, and numerous free-and-properly-licensed font collections do exist, including the well-known Google Fonts.
In fact, the Google Fonts site not only allows you to download font files to use in your own documents or to copy onto your own web servers to embed into your web pages…
…but also allows you to link back to a Google Font server so you don’t even need to host the file yourself.
For boutique websites, that’s convenient because it means you get font updates automatically, and you don’t have to pay any bandwidth fees to your hosting provider for sending the font file to every visitor.
Local or cloudy?
On the Naked Security website, for example, our body text [2022-01-31] is set in a typeface called Flama, which isn’t open source.
So, we host the font file ourselves and serve it up as part of the web page, from the same domain as the rest of the site, using an @font-face style setting, in the fashion you see here:

This means that even though you are unlikely to have Flama installed yourself, our website should render with it in your browser just as it does in ours, using the WOFF (Web Open Font Format) version of the font file.
The Flama WOFF font you see below is modestly sized at just 26KBytes, but is our responsibility to serve up as needed:
Licensing and serving in one place
So, Google Fonts not only “solves” your licensing issues by offering open source fonts that you are allowed to use commercially, it can also solve your “how to serve it” hassles, too.
You simply link to a Google-hosted web stylesheet (CSS) page that sets up the necessary @font-face specifications for you, and fetches the desired font files from the Google Fonts service, like this:
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=fontyouwant">
Of course, that means that Google’s servers get a visit from your browser, and thus Google unavoidably gets your IP number (or an IP number provided by your ISP or VPN provider, which loosely amounts to the same thing).
If you have some sort of tracking protection turned on, your browser might not fetch the requested CSS and font data, in which case you’ll see the text in the closest available font your browser has available.
But if you haven’t set your browser to block these downloads, you’ll get the font and Google will get your IP number.
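As an added example (not code from the original article), here is a static check, using only Python's standard library, that lists the hosts a page's own markup makes a browser contact on load. It is run on two constructed pages, one linking to the Google Fonts stylesheet shown above and one self-hosting its font; the page URL, file paths and `cdn.example.net` are assumptions, and "third party" here simply means a different hostname.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
import re

# <link rel=...> values that trigger a fetch or connection on page load.
FETCHING_RELS = {"stylesheet", "preload", "modulepreload", "icon", "preconnect"}
# Elements whose src attribute is fetched without any user action.
SRC_TAGS = {"script", "img", "iframe", "video", "audio", "source", "embed"}
# url(...) and @import "..." references inside inline <style> blocks.
CSS_URL = re.compile(
    r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)|@import\s+['"]([^'"]+)['"]""", re.I
)


class AutoFetchScanner(HTMLParser):
    """Collects automatically fetched resources that live on another host."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.in_style = False
        self.found = {}  # host -> list of (source, absolute URL)

    def _record(self, source, ref):
        url = urljoin(self.page_url, ref.strip())  # resolves /path and //host
        host = urlsplit(url).hostname               # None for data: URLs
        if host and host != self.page_host:
            self.found.setdefault(host, []).append((source, url))

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "style":
            self.in_style = True
        elif tag == "link" and a.get("href"):
            # rel="canonical" or rel="alternate" are metadata, not fetches.
            if FETCHING_RELS & set(a.get("rel", "").lower().split()):
                self._record("link", a["href"])
        elif tag in SRC_TAGS and a.get("src"):
            self._record(tag, a["src"])

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            for m in CSS_URL.finditer(data):
                self._record("css", m.group(1) or m.group(2))


def third_party_hosts(html, page_url):
    """Return {host: [(source, url), ...]} for other hosts contacted on load.

    Only the page's own markup is examined: a linked stylesheet can pull in
    further hosts (the Google Fonts CSS refers on to fonts.gstatic.com).
    """
    scanner = AutoFetchScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.found


PAGE_URL = "https://www.example.org/article"  # assumed site, for illustration

# Constructed sample: font stylesheet linked from Google, script from a CDN.
LINKED_PAGE = """<html><head>
<link rel="canonical" href="https://mirror.example.net/article">
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=fontyouwant">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="">
<a href="https://twitter.com/">a link the user must click</a>
</body></html>"""

# Constructed sample: the same page with the font and script served locally.
SELF_HOSTED_PAGE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<style>
@font-face { font-family: "Body"; src: url("/fonts/body.woff") format("woff"); }
</style>
<script src="/js/lib.js"></script>
</head><body><p>text</p></body></html>"""

if __name__ == "__main__":
    for name, page in (("linked", LINKED_PAGE), ("self-hosted", SELF_HOSTED_PAGE)):
        hits = third_party_hosts(page, PAGE_URL)
        print(name, "->", sorted(hits) or "no third-party hosts")
        for host, refs in hits.items():
            for source, url in refs:
                print(f"  {host}: <{source}> {url}")
```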
Is that private enough?
Apparently, not always.
A District Court in Munich, Germany, recently heard a legal complaint in which the plaintiff argued that a website that had linked across to Google Fonts, instead of downloading and hosting a copy of the free font on its own site, had violated their privacy.
The court agreed, demanded that the website operator start hosting fonts locally, and awarded the complainant damages of €100 (about $110).
The court’s argument doesn’t seem to be suggesting any and all other third party “widget linking” is now considered illegal in Germany (or, more particularly, in the region where this court holds sway), but only that websites are expected to host content locally if that’s easily possible:
Google Fonts kann durch die Beklagte auch genutzt werden, ohne dass beim Aufruf der Webseite eine Verbindung zu einem Google-Server hergestellt wird und eine Übertragung der IP-Adresse der Webseitennutzer an Google stattfindet.
(The defendant [i.e. the website operator] can make use of Google Fonts without establishing a connection to a Google server, and without the IP address of the website user being transmitted to Google.)
What next?
If you’ve ever had rogue adverts – what’s known as malvertising – thrust into your browser when you’ve visited an otherwise unexceptionable and trustworthy website, you might be thinking, “This is a great decision, because if everyone who monetised ads served them up from their own domains, it would be much easier to keep track of who was responsible for what, and ad filtering would become a whole lot simpler.”
But if you’ve ever visited boutique websites that have tried to do it all themselves and found yourself struggling with content such as JavaScript that could have been updated but hasn’t been, or server-side plugins that seem to contain bugs that you thought were fixed long ago, you might be thinking, “Sometimes, it’s worth having a web content supply chain that’s longer and more complex than is strictly necessary, if the content providers further up the chain have more knowledge and resources to keep things up to date.”
There’s also the problem that this judgement has penalised a website provider for linking to a Google service that has (or at least claims to have) a pretty liberal privacy and tracking policy:
The Google Fonts API is designed to limit the collection, storage, and use of end-user data to only what is needed to serve fonts efficiently.
Use of Google Fonts API is unauthenticated. No cookies are sent by website visitors to the Google Fonts API. Requests to the Google Fonts API are made to resource-specific domains, such as fonts.googleapis.com or fonts.gstatic.com. This means your font requests are separate from and don’t contain any credentials you send to google.com while using other Google services that are authenticated, such as Gmail.
Yet the judgement is of necessity mute about embedded links that track users as part of their service, such as web analytics tools, because those services are almost always cloud-based by design, and therefore cannot be hosted locally.
Are those to be made illegal in Bavaria, too? Or will the cloud-centric nature of web analytics effectively exempt analytics services from this sort of judgement simply because the expectation is that they’re rarely, if ever, hosted locally?
And what about so-called “live content” from other sites?
Twitter, for example, requires that if you want to show a complete tweet in your web page, you need to embed it directly, rather than locally hosting a screenshot and providing a link that a user can optionally click later on.
From a traffic point of view, that makes sense for Twitter, because “live” links not only display current tweet statistics, but also make it really easy for readers to engage frictionlessly with the tweet.
But it also makes sense from a legal and cybersecurity point of view, because Twitter itself can adapt data that’s embedded via links to its site (such as deleting offensive, illegal or misleading content as desired or required), instead of relying on every website that ever took a screenshot of a tweet to go back and update or remove the content if common sense or a court order demands it.
Have your say
Where do you stand on this?
Do you think this is an overreach by the court?
Do rulings like this suggest we’re heading towards the end of the era of third-party adverts (after all, adverts don’t have to be served via the cloud; they all could be served locally, even if most services don’t yet support that way of working, and even if it’s a lot less convenient)?
Will we be more secure if all website operators are required to self-host all content such as the stylesheets and JavaScript they rely upon, or would that inadvertently favour the crooks by leaving us with more out-of-date code than we would otherwise have?
Let us know below… you may remain anonymous if you like.
I think the sooner websites and users stop participating in enabling Google’s worldwide digital surveillance apparatus, the better.
This is why I don’t browse without the NoScript extension in Firefox and Pale Moon, which I can use to block any script that tries to communicate with Google’s servers. I set my own choice of fonts in the browser, and don’t allow websites to override them.
(BTW, I have to use an additional extension when browsing: NoSquint, which can blacken and enlarge text, and zoom webpages to make them more readable.)
What’s your objection to allowing sites to specify fonts *from the same server as the rest of the content of that site*? If you allow sites to fetch images then you’re already at a similar (if admittedly slightly lower) risk than letting them fetch fonts. (In fact, font filetypes and image filetypes actually overlap, given that you can use SVG for both images and fonts).
I’m not saying you shouldn’t do it – and blocking fonts does remove the risk of rendering file formats you otherwise don’t need, including TTF, WOFF and WOFF2 – but my own theory is that if you insist on blocking *all fonts by type alone* (i.e. you don’t even allow fonts hosted on the same server as the page you’re viewing) then you should be blocking all images of any type as well, because the added risk of being tracked by or exposed to complex files with subtle exploits feels similar to me for images and fonts, especially if video formats are included under the heading “images”.
That’s strictly a matter of readability for me. So many websites have started using pale gray fonts and ultra-low contrast design everywhere, and/or minuscule gossamer-thin text, that I have to automatically override them with larger, black font. (Which creates a problem when I encounter sites that use very dark backgrounds, so I have to make a quick re-adjustment for those.) Also, some sites use very questionable text styles: cursive and other strange-looking fonts that I am loath to wade through.
However, I block Google fonts because it’s Google, which means there is sure to be some data exploitation going on. (Plus, as I said, I don’t want to enable reliance on their web tools.)
As for images, when I visit a site I haven’t been to before, NoScript starts me at a baseline of “deny all” scripts until I allow this one or that one, and not necessarily all of them. At that point I make a quick judgment call for each script: allow, don’t allow, ban, temporarily allow, etc. (For instance, I would ban outright anything related to Facebook and its companies.) And I have to want to see a site’s content really bad if I consider enabling scripts I wouldn’t normally.
For my usual websites, I already have the desired permissions set.
Cumbersome? Maybe. But that’s how I want it. 😉
Is this a web hosting problem or a Google problem? You could argue the same with Facebook links… Ironically in the printing industry you are not allowed to share and download the fonts in order to open other people’s files. You’re expected to embed the font inside a PDF for printing. A lot of Illustrator users convert fonts to outlines before submitting documents to get around this. Personally I would be more concerned with the tracking cookies that follow you from site to site / analytics. Also, did they link directly to Google or Github? Still the same issue but arguably Github / Microsoft. What if they used an anonymous proxy to disguise the IP? Is it the web host’s responsibility or the user’s responsibility to disguise their IP? Would it apply if they used a VPN? A lot of issues raised then. You could always use uBlock Origin and block remote fonts but that would bring the responsibility back to the user again.
The concern here seems to be over web content of the “<link …>” sort, where things like stylesheets are automatically sucked from a third party that themselves suck in further content, all of which can be tracked by IP alone, given that IP numbers are personal information. Therefore anything where you visit site X and end up automatically also connecting to site Y or Z seems to be considered “unfair”, if the thing you want to do doesn’t have to be hosted on Y or Z and could be duplicated locally.
In other words, the argument seems to be that if you visit site X and this automatically also fetches any sort of stuff from Y and Z without the user needing to click a link or make an informed choice every time, then that’s within neither the spirit nor the letter of GDPR, even if your IP alone is the sum total of the private data revealed.
Quite why this case hinged on Google and Google Fonts on one particular website isn’t clear. You could even say that a case like this seems to imply that any sort of content delivery network that you don’t run yourself on your own servers – having separate sites for images, for example – could fall foul of the same concerns. So perhaps this was a dry run for something more ambitious?
As you say, fonts, font licensing, font embedding and font redistribution have been a massive headache on all sides for decades (including the ritual of getting a list of fonts that the printing company already had before you started designing your content, so you could ultimately send them a single PostScript file and it would all Just Work legally, without anyone needing to “leave extra files” on the floppy that would “accidentally” be present when the job was processed).
Yet of all the tracking/analytics/third party data fetching that the plaintiff chose to zoom in on….
…it was correctly-licensed font files :-)
Will be interesting to see what happens next!
Seems like they’ll be going after Content Delivery Networks next. After all, you could just as easily host a copy of that third-party script or CSS file on your own site, and not have your visitors automatically connect to the CDN.
Then it will be the DDoS protection services like CloudFlare. They get to see all of your website traffic, without any obvious sign for the user that they’re involved at all. Everyone should *obviously* be forced to reimplement that service themselves.
Hosting your site on [popular hosting platform]? I don’t think so. Why give [popular hosting platform] your visitor’s IP address, when you could just as easily host your site on an old 386 in your basement at the end of a 36.6Kb connection.
(In case you can’t tell, I think this was a ludicrous overreach.)
+1
And anyone with a DNS record that is a CNAME to a different domain… and what about HTTP redirects? And what about people who host their web servers at home… but carelessly outsource their DNS service to their ISP?
As you say… once you go down this rabbit hole, where do you stop?
Thanks for making me trudge through a lengthy (and totally unnecessary) lesson in typography before I got to the point of the story! What a waste of my time!
Glad you enjoyed it!
(While the additional riffage is indeed not strictly necessary, I reject outright your claims that the additional content was “lengthy” – it was a couple of hundred words at most – or that it was “totally unnecessary”, given that many people fail to appreciate how widely-stolen font files are, and how much art and science goes into a genuinely good typeface, and why services that help site creators to license their typefaces correctly can be considered a Good Thing. And I resent the word “trudge”, which is, after all, rather an insult.)
As for your sarcasm… well, one problem with being sarcastic, apart from the fact that it’s an unpleasant habit to get sucked into, and doesn’t represent the high form of wit that so many people seem to think, is that the reader has every right to take you at your word. So, with that in mind…
…you’re most welcome!
I actually enjoyed the lead-in. 😀
Thanks! (So did I, but I accept that my objectivity might be in doubt.)
All I’ll say is, next time I go to a pub quiz, I’m taking Paul along!
Well… I don’t drink (it leaves more space for caffeine) and I haven’t found a pub that does good coffee yet. They all have coffee machines these days but pub coffee in 2020 still has the industrial feel that old-time CAMRA types insist that pub beer had in 1980. I make an effort to test the waters, as it were, every few months, though lockdown sort of broke that habit so it’s a while since I was even in a pub.
Also… are pub quizzes still a thing in the era of 5G (or Wikipedia on a USB stick)? Don’t they just devolve into “Google Fu” contests and biffo about cheating?
In sticking with the conversation about fonts, I think the anonymous poster above needs a ‘sarcasm’ font, which still doesn’t exist in this day.
There needs to be a sarcasm font as well as a sardonic font, since verbal emphasis is difficult to imply in the written word without much description.
Taupe text on a taupe background?
I think we’re all nuts.
Does this mean “all of us are one type of nut or other”, or “each one of us is every kind of nut there is” :-)
(In other words, in this sentence, do we treat “all” as right-associative, like exponentiation, or left-associative, like multiplication?)
I am a Scifi fan and enjoy Gibson’s books; while reading one of his books (the one where camo/military dress leads to various confrontations) I saw a documentary on some Font’s creation and ownership 🙂 I am waiting for a Gibson’s book documenting a Font War! Doesn’t seem unreasonable to me, 🙂 Those people had a love _affair_ with their work 🙂 (really!)
Ludicrous overreach; the equivalent of banning libraries in programming. Who defines what “easily” or “possible” mean? If you’re concerned about protecting your IP address from being exposed to companies like Google, it should be on you to blacklist your devices from ever talking to Google servers, and to live with most sites being broken. They’ll still know your IP from data scraping someone else who has it, but at least you’ll be appropriately inconvenienced by your insanity, rather than inflicting that on every website operator unfortunate enough to cross your path.
This sounds marginally more tech-literate than the average jurist, but also seems to make it apparent that tech-illiteracy isn’t the *only* cause behind boneheaded rulings on tech issues. I mean, I get that they’re trying to draw a distinction, but how can you, really? What if that site *did* have 3rd party analytics or live tiles, how would this person have known that before visiting? Why is there any reasonable expectation of privacy for specifically things “they should have hosted themselves”? Useless distinction; if the site didn’t intentionally hide that it was loading external resources in such a way that you might miss the reference in a once-over of the source, then when you did that once-over before loading anything (to make sure it didn’t have any of those perfectly acceptable outside resources to destroy your privacy,) you should have spotted it and never visited the page. And that’s probably how I would handle it, too, instead of starting to host things locally, just put a splash page like the annoying “this site has cookies” bars.. perhaps tied to certain geo-blocks with judges like this, which you can’t access the page until you’ve consented to the use of external resources. Sure, that might be more work and more local storage than just hosting the font locally, but getting bullied into the latter sets a bad precedent.
I think it means some of us have thicker shells than others, but I’m not really sure, I’ve been drinking. Don’t spread that around, though, I want my privacy. Pass the salt.
It doesn’t happen much any more, but Internet Service Providers used to make a point to expire and change your DHCP-assigned IP address frequently, to discourage users from setting up home-based content servers and overloading the limited upstream bandwidth. At that time, at least, there was no need to worry about the “privacy” associated with an IP address, since they were ephemeral.
I use the term Lazy Developer Syndrome for people that make web pages and don’t host their own content, just link to images all over the web – other people’s CDNs and normal pages. Then when the real owner changes their directory all those images/content is gone. Many times files are used from less reputable CDNs and we have to review and make special exceptions, just because they didn’t want to host the images on the same domain, or at least one they own. Plus if you are using “others” files, and someone swaps out malware – it’s not on the CDN, it’s on the lazy dev for not hosting their own material. Most common are companies hosting their documents on Goog Docs, with multiple redirects (crap idea of obscurity for sec). Anyways, I don’t support sites linking to content they don’t own/control, makes for unreliable pages, and zero security control over the content.
Though in some cases – and whatever you think of Google, the Fonts service is surely one of these – there is an argument for preferring a service that has a high uptime, good caching, decent security and excellent bandwidth for parts of your content that *don’t* change often, such as fonts? There are only about 1000 typefaces in the whole Google menagerie and they are identical for everyone… so although *I* would prefer to host the data “myself” (for a liberal meaning of “myself” if the server is co-hosted, outsourced or cloudy), I can understand why others might say, “Why have yet another copy of a file that isn’t my own creation anyway?”
If you “link to images all over the web”, then the original content creator gets to control their content. As should be. Another word for taking someone else’s images and hosting them on your own server is piracy.
I know far too many artists and writers who have had their content stolen like this.
Now, if you have negotiated with the content creator to host their creations, that’s different. But far too many people seem to think that anything freely accessible on the internet is copyright-free and freely copyable. It isn’t.
Google goes out of its way to explain that Google Fonts are legal to host yourself…
…but I agree with you anyway. If I were an open source font creator and could choose between 10,000,000 websites keeping their own copy of my typeface files or 10,000,000 sites getting them from Google’s CDN, I think I would prefer the latter – fonts often get upgraded, for example to improve legibility following user feedback, or to add new glyphs, or to improve hinting, and I’d prefer readers to get the new version the instant it hit Google Fonts rather than waiting until all 10,000,000 website owners had updated their copies.
The problem I have with this ruling is that it implicitly tells German website operators that it’s vital for privacy that they “self-host” everything on “their own server”, even if that’s a super-cheap, super-dodgy web hosting company with a slovenly attitude to patching.
I am not a particular fan of Google myself, so my overall opinion of the company and its services is pretty neutral (disclaimer: I use their search engine, because I prefer its results, and I have a Google phone that runs a non-Google version of Android, because the hardware was good value and well-made, but that’s about it).
But the idea that my privacy would be better protected by an open source font served up from any old badly-managed, bargain-basement, unpatched local web hosting company *simply because it stops my IP number going to Google and sends it to some other third party instead* seems ludicrous to me.
It should not be beyond the wit of major sites (or those providing hosting facilities to minor sites) to have processes to keep local-served “foreign” scripts, styles, fonts etc. adequately up to date. Those of us on Linux are aware of how updates can be made consistent and served as coherent update packages – so technically this should be possible.
It should also be a matter of good practice that if I am serving up content to “customers”, I really ought to know what that content is. “Foreign-served” elements would seem impossible to adequately validate to give visitors to your site any assurance that there is not a supply chain issue.
By sites self-hosting and at least reviewing updates before accepting them and then serving them to their visitors would seem to provide some ability to validate the content that they thrust on their visitors.
Yes, small sites may lack the skill to review such updates and may just automatically accept all updates – but that has to be marginally better (due to slightly more awareness) than just connecting to a sprawling network of “resources”.
The only major downside that I can see is that if I as a visitor distrust a resource-provider, say Google, I can use browser add-ons to block “foreign-served” elements. This becomes more difficult with self-served content?
Perhaps what is needed is a really really trusted organisation that can operate as a “trusted library” with the expertise to review updates before putting them in the library. I don’t think the likes of Google, Fakebook/Meta, Amazon etc would qualify as sufficiently trusted to “just serve” resources without hoovering up user data.
I suspect that any organisation sufficiently big and global and wealthy enough to be that trusted repository of core packages and content…
…would ipso facto be untrustworthy for that purpose due to the centralised data collection thus enabled.
(Even centralised orgs you’d love to trust don’t always live up to your assumptions: witness the NHS in the UK, or perhaps I mean England, deciding it would be perfectly acceptable to share *all* its historical data with private companies on an opt-out basis. And the amazement from the medical profession that not everyone approved of that.)
This (ridiculous) ruling is not specific to Google, but would apply for all companies headquartered in US or other countries not considered secure under GDPR.
Would be fun, if Google, Apple, Microsoft, Amazon, Facebook/WhatsApp would block the judges and the plaintiff (and everyone agreeing with this ruling) from using any of their services, including phones, operating systems (just to be safe), browsers, websites, websites using any of their cloud services, messengers and block all emails from/to their services…
Interestingly, the District Court’s own website sucks in JavaScript from a third-party company called Linguatec (which just happens to be based in Munich, though as far as I can see, two of its three official DNS servers, one of which my computer will use to discover the site in the first place, are hosted outside Germany, across the border in Austria), which sells accessibility software for services such as screen-reading.
One wonders why, given that the court can host its own fonts, it can’t at least host the main JavaScript of the screen-reading software it uses, thus avoiding the problem of handing to Linguatec the IP number of everyone who visits, whether they subsequently use the screen reader or not. (I can imagine that privacy in browsing a legal site might be considered more important than many other sites you might visit, given the many very personal reasons you might have for going there in the first place.)
Additionally, the button you’d use to trigger the function (or the keyboard shortcut, given that even if you have 6/6 vision the “read now” icon is tiny and not terribly obvious) doesn’t give you any up-front indication that reading the screen will result in ongoing traffic to the Linguatec site that gives away what you’re interested in.
While I suspect that a lot of people might be more willing to trust a site dedicated to helping those with poor vision get online access to the official portal of their State’s judiciary than to trust Google Fonts…
…I can’t see, based on the judgement, why the two companies should be treated differently. Either you have to host it locally until you can get informed consent… or you don’t, surely?
You might think so, but with GDPR there is a huge difference, depending on the country the other company is located. For GDPR there is basically no difference if you are a huge enterprise and doing business with 1) your own subsidiary, 2) a small company next door, or 3) with another different company from a different state, if it is considered secure by GDPR standards. You can send personal data in all 3 cases, if you follow GDPR rules and they are the same rules and obligations in all 3 cases.
But this gets very tricky and complicated, if you try to do something similar with countries considered insecure under GDPR.
I would describe myself as an everyday person with now waned once semi-professional computing /programming (now referred to as Coding) skills & experience of building and maintaining a semi-professional for my own business (very much a boutique site not least due to the nature of business being artistic). For me then, the exchanges and interaction above proved interesting and informative while presenting to the reader the multiple facets of the argument in a way a singular narrative could not, regardless the prosaic skills of a single author. From such a wordy two introductory sentences an astute participant would rightly deduce my field has at some interim point changed to that of law.
My reason for posting is twofold; first to thank the author and all contributors to the ensuing discussion for collectively highlighting so many considerations as to enable a simultaneously wider and deeper understanding of the issues involved; second, to add my own input from the perspective of a person with lived experience of quite a few sides of the debate but more importantly I think, from the position I have always considered myself to be, namely that of the everyday person.
This everyday person is currently in what seems to be the last day or two of recovery from Covid after a pretty hellish 8(?) days. I’ve enjoyed the sarcasm and friction and witty retorts as much as the article itself and the points put forward in response.
My own view is that as with so many things there is such polarisation that consensus and balance are made more difficult to achieve than they really ought to be. Everyday people don’t see the specialised reasons behind the genuinely functional needs involved, while advertisers and corporates don’t necessarily respect the varied reasons a person’s privacy concerns are equally valid, if not more so. We’re getting somewhere I think, with the introduction of consent as an operating concept although I do believe (as one learned in law is somewhat bound to) that consent is not consent unless it is both informed and freely given. That, I feel is the heart of the matter. A person does not necessarily want to hand over chunks of information about themselves to be used by other actors for purposes deemed illegitimate by the person concerned. Whereas, as demonstrated by participants here, informed understanding enables a person to weigh the balance appropriately.
It is of course unrealistic to expect everyone to become informed in all areas of everything which is why the responsibility ought to lie with the major parties in any instant field to provide the clarity needed by which a person can cut through the obfuscation enjoyed by nefarious actors, or shall we say actors to whom privacy is of little regard.
A person’s approach to privacy may be considered by another to be anywhere on a scale between casual /reckless and fanatical /paranoid. The important thing is, in my opinion at least, not one concerned with said scale & position occupied, but that of consent. It falls on governments to create the framework in which those who would use a person’s information are required by law to provide a fully transparent means by which the average person can reliably and easily decide whether to give or withhold their informed consent without real or perceived incentive/penalty attached to their decision. Mechanisms such as default choices and button highlights, radio toggles etc etc should all be configured /presented to protect a person’s privacy by default, on the simple presumption that the potential consequences of a missed opportunity to obtain data are massively dwarfed by the potential consequences a person may suffer once control of their personal information has been lost to another.
Until such a system operates I think we’ll be seeing more unsatisfactory outcomes insofar as they do not appropriately weigh the technical and moral aspects of the argument, which will consequently go back and forth in the courts. At least such is the nature of law that by this process we may look forward to a point where we eventually arrive at something like that which I describe. How long that might take however is anyone’s guess.
“you many remain anonymous if you like.”
I am not many, but I may remain anonymous 🙂
Nicely done! [DRUM_EMOJI][CYMBAL_EMOJI]
Fixed, thanks.