I wonder how the recent ruling of the Bavarian state court regarding Google Fonts and GDPR affects Storj and this proposal?

Edit after moving this post to a separate thread: by «this proposal» I meant Geofencing and advanced placement-constraint support #4227

It has been discussed inside the team for a while (since its publication).
I have nothing to share at the moment.

2 Likes

Very interesting new ruling I wasn’t aware of.
Next one to tackle might be Recaptcha.

Not really. According to the ruling, this is specifically targeting Google for being US based, known for data mining and its broad reach which means that the impact when Google collects this data is much more severe compared to another small 3rd party website.
Thus a payment of damages might be justified in such a case concerning Google but not necessarily for embedding content from other websites.

Google Fonts is singled out here because the lawsuit was about Google Fonts. Courts usually cannot extend their rulings to matters not specifically mentioned in lawsuits. I suspect Google Fonts were picked by the plaintiff for simplicity. Had they picked something more complex, the scope of the lawsuit would be larger, making the process longer and requiring more effort. Here it’s simple—the only personal data in question is the IP address and maybe some HTTP headers.

I now wait for a lawsuit asking about hyperlinks to websites hosted under the jurisdiction of the United States. Maybe EU websites will need to warn about them as well? That would be… interesting.

Yep. That’s why I mentioned it here, as I believe it will have some impact on Storj.

1 Like

In which way do you think so?

Well, by applying the Bavarian court’s ruling to Storj we can infer that any EU-based end user who did not explicitly agree cannot be told by satellites to contact nodes hosted under US jurisdiction. This means that, let’s say, if a business operating within EU jurisdiction makes a product that runs on-premises, let’s say some backup software, this product will likely not be allowed to use libuplink, and instead will have to use an S3 gateway run inside the EU.

The same problem happens if JS library for the browser - #7 by jtolio ever becomes operational, because JavaScript code in a web browser is essentially an on-premises part of software.

That’s just two scenarios, and I’m worried there will be more. Like, maybe this means that there needs to be a satellite hosted outside Google Cloud?

Anyway, I trust Storj engineers will figure the problem out.

That’s an interesting view.
But I am not sure if it is applicable to Storj.

One of the grounds of judgment was whether disclosing the IP is required. In that case it was not, because the fonts can be stored locally on the webserver and it is not required to embed them dynamically. I think we can agree that there is no similar option for the Storj DCS product.

Another ground of judgment was that the IPs get transmitted specifically to Google, a company which is renowned for tracking users, storing IPs and creating profiles. But this is not what Storj is doing.

There is also another thing. As far as I read it, using Google Fonts dynamically is not against the law even after this ruling. It is against the law to do so without either consent or legitimate interest, e.g. technical requirements.

1 Like

You can store user data locally on the webserver as well. Same principle.

To quote the judgment (actually, a machine-translated version, I don’t speak German):

So it doesn’t matter whether it’s Google or not. It doesn’t matter whether it’s a company “renowned for tracking users” or not. What the judge focused on is that it was transferred to a jurisdiction which does not guarantee protection. This means even the most privacy-focused company in the USA would get the same ruling, because it would still be in the same jurisdiction.

Likely out of scope for the lawsuit. I.e. it’s not that we’re sure it’s lawful—it was just determined as neither lawful nor unlawful yet.

1 Like

Well, @Toyoo is of course right by saying this ruling targets Google because it was a case against Google about Google fonts. However, the ruling can have broader impact because it implies how the law is interpreted.

The law doesn’t single out a country, but does make a distinction between EU and non-EU. So, granted. But that doesn’t limit the scope much.

I don’t see how a law could make distinctions with such vague definitions. It doesn’t matter what a company is known for. It matters what they do and what contracts are in place. In this case the relevant details are the data sharing agreements (or lack thereof) and having permission from the user (or lack thereof). Those things would still apply to any third party. Any individual can think of Google as the big bad evil data gobbler. But a judge can’t in a legal argument. That would open the law up to way too much opinion and make it pretty much unmanageable.

From what I understand, the parts of this case that break the law are sharing an IP address with a third party, without a data sharing agreement and without user consent. This applies to the entire internet basically. And yes, it would apply to sharing a customer IP address with storagenodes as well. But since those facts of the case are so extremely broad, I doubt we’ll see this applied to those kinds of situations… which is really why I don’t like a lot of European law and how vague it often intentionally is. I would have to read up a bit more on this specific ruling to know if my summary of the facts is accurate. But as has happened so many times before, it feels like this again ends up with everyone throwing their hands in the air and being totally in the dark about what this means for them or their products.

This is indeed a very valid point. I guess it’s hard to argue why the browser has to pull the font from Google’s servers every time.

Again, laws don’t single out companies based on reputation. It would be a mess if they did.

Ahh yes, the big old massive back door that nobody knows how it is exactly defined. 🙂 I’ve already seen some very creative interpretations of this in the wild. All the way up to: “We have a legitimate interest in advertising to our customers!”

I really feel for the company lawyers having to interpret these laws.

But with regards to @Toyoo’s example of sharing an IP with node operators. I think that is one of the clearer examples of data sharing that really isn’t possible to avoid while still delivering the core product to customers. So yeah, I agree with @jammerdan that the exception would apply there. The same would be true when linking to other websites. But it’s going to be hard to argue that embedding an image from a third party domain is still legal, because you could easily host the image yourself…

So here it would be quite trivial to show you can’t offer the product Storj offers now if you need to store all user data on a Storj server. So in my experience something like that is generally considered a legitimate interest.
However, if users are worried about sharing their IP with storagenodes, they could still use the Gateway MT, which is kind of neat too.

Sidenote… how horribly bad is google translate at translating legal language… it’s near impossible to follow… bleh.

2 Likes

No, I don’t think so, as you cannot run Storj DCS from the webserver alone. The defendant in this case claimed that embedding the fonts is technically required. The court instead ruled that the defendant can use Google Fonts without transmitting the IP to Google. The question is not if there is ‘any’ thinkable alternative but an equivalent one with better data protection.

It does matter in the court’s decision. The court states (translated by Google 😁):

With regard to the plaintiff’s loss of control over personal data to Google, a company that is known to collect data about its users, and the individual discomfort felt by the plaintiff as a result, the associated encroachment on general personal rights is so significant that a claim for damages is justified.

If it was a different company with a different history than Google, the court ruling might have been different. If it would not matter, then the court would not have mentioned it this way. And what we shall not forget on this matter is that this was the ruling of a single state court in Germany. This ruling has no precedence for other state courts.

Well maybe this is going to change, currently most comments tell you that if you have a legitimate interest, e.g. technical requirement or user consent, then you are most likely fine.

Not the law, the courts. They have to decide if the matter is severe enough to constitute payment of damages for example. In this case the court found the transmission to Google severe enough to grant payment of damages.

The court’s job is to interpret the law, not to inject their own opinions.

That’s true. But what the court does here is to affirm that it is currently discussed in a controversial manner whether the GDPR breach must reach a certain severity threshold to grant payment of damages.
And then they leave that open for the reason that the defendant has admitted that the IP has been leaked to Google and that Google is well known for tracking users and collecting data. And as a result of this reasoning the payment of damages has been granted.

1 Like

That would be legitimate interest if your use case demands specifically “running Storj DCS code”. In many cases, though, what you need is just generic “provide storage” or “provide a CDN”, for which there are plenty of GDPR-compliant services around. So, if you market your services as specifically Storj-related, then sure, you can claim legitimate interest. But if you’re, let’s say, a generic video streaming site, then it will be difficult to substantiate this claim.

Consider a case where you’d run a business out of Windows 95 machines, claiming that you have legitimate interest in doing so (despite lack of security) simply because you don’t want to change to anything else. GDPR demands data processing with good security practices, and that excludes use of security-unsupported software. It would be understandable if the service provided requires the use of, let’s say, a piece of hardware that just doesn’t have drivers for anything but Windows 95—maybe some old CNC machine, or a data recovery service focused on old hardware—which would be a legitimate interest here to run Windows 95. But if this is not the case, then there’s no actual legitimate interest for not following good security practices.

Frankly, it’s better than what I’d expect. Before the age of neural network translation models it was indeed terrible!

That might depend on jurisdiction as well. There was a local case where a defendant was found guilty of cultivating marijuana (illegal here), but the court decided not to apply any punishment, as it was used only by the defendant himself to lessen his own chronic pains, and there was an expert witness stating this is a viable treatment. The judge explicitly stated that they made this ruling because they believe the law is wrong.

The requirements for legitimate interest aren’t nearly that strict. Providing a decentralized storage product is a legitimate business model and this would be a requirement for that model to work. I’m certain that this scenario won’t lead to problems in the court.

At least not for Storj itself. However, I do wonder about your example of a third party using Storj as backend. I’m not sure how much of this can be covered with data sharing agreements between Storj and the customer and ToS. I still think you could argue legitimate interest. But it does get a bit trickier.

Legitimate interest only applies to whether you can store, share or process specific data. It can’t be used as an excuse not to protect customer data. So this analogy doesn’t work.

I guess I’m spoiled by the near flawless translation of natural language these days. It seems the long windy and complicated constructions of legal language can still trip it up a bit though.

So couple of things. The ruling didn’t change, the punishment did. Usually the law sets a range of possible punishments and yes the judge has some leeway there. But this is also a criminal case, where going easy on someone doesn’t negatively impact someone else on the other side. In most legal systems criminal courts have more freedom to give lenience. Giving higher punishments is not as common.

Civil cases tend to be bound by stricter rules, there is some room to move when determining damages, but much less than with criminal cases.

And in either case it wouldn’t change the ruling. Just the damages.

Yeah, that makes sense. But that’s only relevant after already having received a ruling against you. Which doesn’t exactly help other players who might face the same problem, but wouldn’t meet that threshold. I still think it’s a mess… IP addresses seem to be a bit over regulated as they are so crucial in any network for anything to work.

I also don’t understand why IP addresses are considered personal information, since it is not possible to infer a person from that without a court order to get that data from an ISP.
Also, all other information considered personal is worth nothing alone. You can’t infer a person by just their birthdate or first name. You always need a complete set of information to get the full picture.

I’m straying from the topic…

Libuplink runs on a server. So I would expect that the server IP is the one sent to the nodes. Only the server knows the IP of the initial requester of the file.

Yeah, I don’t think this example works as Storj would likely have a legitimate interest in working like this. Although any customer can run libuplink wherever they want. This could also be a personal system, it doesn’t have to be a server. Same for the uplink binary.

I think it gets a little more tricky when there is a JS based browser implementation, as in that scenario the browser would be the one reaching out to all nodes and any visitor’s IP would be shared. I still think a video service using that is one of the more exciting possible implementations of Storj, so I really hope that won’t be a problem either. But we’ll have to see.

It can be used to correlate information collected in different channels.

Let’s say you visit some specific fetish porn website while taking care of your anonymity. Next thing you do is you log in to a popular code repository site, where your name is known, because that’s your professional activity. Both use a third party service for collecting bug reports from users. That third party can connect the dots easily.

They really can’t since that third party wouldn’t have access to the name known by the code repository site.

I mean, I do get it to some extent from a privacy perspective. It just breaks so many fundamental things that have been widely used since the web first popped up that I do fear it may create unmanageable situations.

Additionally, IP addresses are rarely used in tracking implementations because of how unreliable they can be. Lots of people share IPs. This has always been the case with VPNs and business or school networks, but more recently it has been even more true for CGN implementations by ISPs.
And then there is how often devices switch IPs. You have dynamic IPs, mobile devices moving all over the place from network to network and using different IPs every time.
There is a reason why most tracking is cookie based atm. (That’s also about to change)

But then there is the argument of fingerprinting. An IP address may not be reliable on its own, but combined with other characteristics it can be part of a fingerprint that is much more capable of uniquely identifying you.

So yeah, it’s complex and there may be good reasons to protect IPs. I just wish it wouldn’t break so damn much.

1 Like