
This is super widespread, even in the UK. This is the patient portal for one of the two largest medical records systems in the UK: https://account.patientaccess.com/Account/Login

Open the network tab and there's a lot of gstatic network connections.



To be fair, the majority of those gstatic connections are for things like fonts. When you are actually logged in there's only one (for a font), and that is cached by the browser (because you've received it already).

Worryingly, I saw requests (that ublock stopped) to https://exponea.com/, dc.services.visualstudio.com/v2/track, and googletagmanager, _and_ if I book an appointment it sends the details of the booking to the analytics service... that's pretty horrific.
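The check the comment above describes (reading the network tab and spotting which hosts are third parties and which are analytics endpoints) can be done against a HAR export instead of by eye. The script below is an added example, not code from the thread or from the portal's operator: it takes a constructed, HAR-like list of requests, labels each as first-party, a known tracker, or other third-party, and reports per page how many POSTs went to tracker hosts, which is the "booking details sent to analytics" case. The first-party origin is the portal named in the thread; the tracker hostnames are the ones the comment lists (the `api.` subdomain, request paths and the GTM container id are constructed placeholders).

```javascript
// Added example (not from the thread): classify the requests a browser's
// network tab shows for a page. Input is a constructed, HAR-like list.
const FIRST_PARTY_ORIGIN = 'https://account.patientaccess.com'; // portal named in the thread

// Hostnames the thread identifies as analytics/tracking endpoints. Anything
// not listed here but still third-party is reported as "third-party".
const TRACKER_HOSTS = new Set([
  'exponea.com',
  'dc.services.visualstudio.com',
  'www.googletagmanager.com',
]);

// Constructed sample: what a HAR export of the login and booking pages
// might contain. 'page' marks which page issued the request.
const SAMPLE_REQUESTS = [
  { page: 'login',   url: 'https://account.patientaccess.com/Account/Login' },
  { page: 'login',   url: 'https://fonts.gstatic.com/s/roboto/v30/sample.woff2' },
  { page: 'booking', url: 'https://fonts.gstatic.com/s/roboto/v30/sample.woff2' },
  { page: 'booking', url: 'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER' },
  { page: 'booking', url: 'https://api.exponea.com/track', method: 'POST' },   // path constructed
  { page: 'booking', url: 'https://dc.services.visualstudio.com/v2/track', method: 'POST' },
];

// Registrable-domain approximation: last two labels. Adequate for the hosts
// in this sample; a real audit would consult the Public Suffix List.
function baseDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function classify(request, firstPartyOrigin = FIRST_PARTY_ORIGIN) {
  const host = new URL(request.url).hostname;
  const firstPartyHost = new URL(firstPartyOrigin).hostname;
  if (baseDomain(host) === baseDomain(firstPartyHost)) return 'first-party';
  // match either the exact host or its base domain against the tracker list
  if (TRACKER_HOSTS.has(host) || TRACKER_HOSTS.has(baseDomain(host))) return 'tracker';
  return 'third-party';
}

// Per page: which third-party hosts were contacted, which are known trackers,
// and how many POSTs went to trackers (data leaving an authenticated page).
function audit(requests, firstPartyOrigin = FIRST_PARTY_ORIGIN) {
  const report = {};
  for (const r of requests) {
    const kind = classify(r, firstPartyOrigin);
    if (kind === 'first-party') continue;
    const host = new URL(r.url).hostname;
    if (!report[r.page]) {
      report[r.page] = { thirdParty: new Set(), trackers: new Set(), trackerPosts: 0 };
    }
    const entry = report[r.page];
    entry.thirdParty.add(host);
    if (kind === 'tracker') {
      entry.trackers.add(host);
      if ((r.method || 'GET').toUpperCase() === 'POST') entry.trackerPosts++;
    }
  }
  return report;
}

// Usage: print the per-page summary for the constructed sample.
for (const [page, e] of Object.entries(audit(SAMPLE_REQUESTS))) {
  console.log(page, [...e.thirdParty], 'trackers:', [...e.trackers], 'tracker POSTs:', e.trackerPosts);
}
```

Run against a real HAR you would map each entry's `request.url` and `request.method` into the same shape; the point of separating "tracker" from "third-party" is that a font host and an analytics endpoint receiving a POST are different risks, and only the latter should fail a review outright.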


I think the principle is that any page with my medical details on it should not load 3rd party JS from external sources. Regardless of its reported function, it's just not ok.
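The browser-side mechanism for enforcing exactly that principle is a Content-Security-Policy header that names only the page's own origin. The code below is an added example, not code from the thread or from the portal; it builds such a policy for a records page and includes a simplified CSP matcher (covering `'self'`, `'none'`, scheme sources and plain or wildcard host sources, but not nonces or hashes) so the policy can be tested offline against the hosts the thread mentions. The page origin is the portal named above; the policy itself is an assumption about what a records page needs.

```javascript
// Added example (not from the thread): a CSP for a page showing medical data.
// Scripts, styles, fonts and outbound connections are limited to the page's
// own origin, so a third-party <script>, <link> or fetch() is refused by the
// browser. The matcher below is a simplified evaluator used to test the
// policy offline; the browser does the real enforcement.
const PAGE_ORIGIN = 'https://account.patientaccess.com'; // portal named in the thread

// Directives a records page needs (assumed). connect-src covers XHR, fetch
// and beacons, which is the path booking details would take to an analytics host.
const POLICY = {
  'default-src': ["'self'"],
  'script-src':  ["'self'"],
  'style-src':   ["'self'"],
  'font-src':    ["'self'"],
  'img-src':     ["'self'", 'data:'],
  'connect-src': ["'self'"],
  'frame-src':   ["'none'"],
  'object-src':  ["'none'"],
};

// Serialise the policy into the header value the server should send.
function headerValue(policy = POLICY) {
  return Object.entries(policy)
    .map(([directive, sources]) => `${directive} ${sources.join(' ')}`)
    .join('; ');
}

// Simplified source matching: 'self', 'none', scheme-only ("data:"), and
// host sources with optional scheme and "*." wildcard. No nonces/hashes.
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.endsWith(':')) return url.protocol === source;
  const [scheme, host] = source.includes('://') ? source.split('://') : [null, source];
  if (scheme && url.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.hostname === host;
}

// Would the browser allow this URL for this directive? Falls back to
// default-src when the directive is absent, as CSP does.
function isAllowed(directive, rawUrl, policy = POLICY, pageOrigin = PAGE_ORIGIN) {
  const url = new URL(rawUrl);
  const sources = policy[directive] || policy['default-src'] || [];
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Usage: show the header and check the hosts named in the thread.
console.log('Content-Security-Policy:', headerValue());
for (const [directive, url] of [
  ['script-src', 'https://www.googletagmanager.com/gtm.js'],
  ['font-src', 'https://fonts.gstatic.com/s/roboto/v30/sample.woff2'],
  ['connect-src', 'https://api.exponea.com/track'],   // subdomain and path constructed
]) {
  console.log(directive, url, isAllowed(directive, url) ? 'allowed' : 'blocked');
}
```

Deploying this is mostly a matter of self-hosting the fonts and scripts the page currently pulls from elsewhere; `Content-Security-Policy-Report-Only` is the usual way to find out what would break before turning enforcement on.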


Serving fonts from google is forbidden now in the EU.


That's a bit of a stretch of an interpretation - you can serve fonts via Google as long as you obtain permission, and it being illegal doesn't mean you're going to get put in jail. The case this came from fined the company €100.


It's more serious than that. From The Register:

> The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of €250,000 for each violation, or up to six months in prison, for continued improper use of Google Fonts.


Hopefully, it's not actually written as dumb as it sounds:

Okay, so we don't serve fonts from google-ish domains. We now serve from freefontswithtracking.com a wholly owned subsidiary of Alphabet! See, no longer serving fonts from Googs. /s


It isn't dumb, unless you consider the GDPR dumb. The court says it's easy enough to serve fonts yourself.


The trouble with this argument - and I write this as someone who is generally a strong proponent of privacy safeguards - is that the logical conclusion is the end of the WWW as we know it.

Balkanisation has been a concern for some time mostly because of government regulations in different jurisdictions that conflict.

However if a site can't import any externally hosted resources without getting explicit consent first then that breaks CDNs, payment services that require you to use their versions of scripts for security and/or regulatory reasons, services that host content where providing locally hosted alternatives might not be practical such as video or audio files or mapping data, and the list goes on.

Some reasonable middle ground is clearly needed here. Perhaps there could be some reasonable standard for privacy that those external services can meaningfully promise to maintain and then some sort of safe harbour provision where importing resources from privacy-respecting sources is acceptable. Of course that only works if services that promise to respect privacy and then don't will be hit with meaningful sanctions but the same is true of any obligations under GDPR and other privacy laws today.


> that breaks CDN

CDNs are already broken unfortunately. Both Firefox and Chrome use per-site caches [0].

> payment services that require you to use their versions of scripts for security, services that host content where providing locally hosted alternatives might not be practical such as video or audio files or mapping data, and the list goes on.

That's reasonable, and the GDPR doesn't stop you from doing that, but it does mean that you must tell the user that you're loading it from a third party, ask permission to do so, and list the data that you're sharing with that party in exchange for them providing those resources.

[0] https://developer.chrome.com/blog/http-cache-partitioning/
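The "CDNs are already broken" point rests on how the browser keys its HTTP cache. The simulation below is an added example, not code from the thread or from the linked Chrome post: it models a cache keyed by resource URL alone (the old behaviour) beside one keyed by top-frame site plus URL (the partitioning [0] describes), and shows that a library already cached for one site is fetched again from the CDN when a second site uses it. Site and CDN names are constructed, and the site boundary uses a two-label approximation of the registrable domain rather than the Public Suffix List.

```javascript
// Added example (not from the thread): why a shared CDN copy no longer
// warms the cache across sites once the cache is partitioned by top-frame site.
function registrableDomain(hostname) {
  // last two labels; a real browser consults the Public Suffix List
  return hostname.split('.').slice(-2).join('.');
}

class HttpCache {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.store = new Set();
    this.networkFetches = 0; // each miss is a request the CDN sees
  }
  // Cache key: URL alone, or (top-frame site, URL) when partitioned.
  key(topFrameUrl, resourceUrl) {
    if (!this.partitioned) return resourceUrl;
    const site = registrableDomain(new URL(topFrameUrl).hostname);
    return `${site}|${resourceUrl}`;
  }
  // Returns 'hit' or 'miss'; a miss is fetched from the network and stored.
  fetch(topFrameUrl, resourceUrl) {
    const k = this.key(topFrameUrl, resourceUrl);
    if (this.store.has(k)) return 'hit';
    this.networkFetches++;
    this.store.add(k);
    return 'miss';
  }
}

// Two unrelated sites (constructed) both load the same library from one CDN.
function simulate(partitioned) {
  const cache = new HttpCache({ partitioned });
  const lib = 'https://cdn.example-cdn.test/lib/1.0/lib.min.js';
  const results = [
    cache.fetch('https://shop.example/checkout', lib),
    cache.fetch('https://shop.example/account', lib),  // same site: always a hit
    cache.fetch('https://news.example/article', lib),  // other site: hit only if shared
  ];
  return { results, networkFetches: cache.networkFetches };
}

// Usage: compare the two cache designs.
console.log('shared cache     ', simulate(false));
console.log('partitioned cache', simulate(true));
```

The second site's miss is the whole story: with partitioning, a public CDN copy of a library gives no cross-site cache benefit, only the cross-site exposure of the request to the CDN operator, which is why self-hosting costs nothing in performance that the user still had.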


> CDNs are already broken unfortunately. Both Firefox and Chrome use per-site caches [0].

But many sites serve their own resources via a CDN for performance and resilience reasons. The major CDNs have the capability to record a lot of history about where systems reachable at a certain IP address have been visiting online. And of course it's impossible for a site that works that way to ask your permission before doing so because it has no way to communicate with you first. The same is true for other services like DNS.

> That's reasonable, and the GDPR doesn't stop you from doing that, but it does mean that you must tell the user that you're loading it from a third party, ask permission to do so, and list the data that you're sharing with that party in exchange for them providing those resources.

Which is the problem. The logical end result would be like the "cookie consent" junk but much worse. Do we really want a WWW where every service someone encounters needs explicit permission to do its job even if that job is simply to send some generic information to the IP address that requested it? Are we all going to have to download the DNS records for the entire Internet to our local systems every few minutes as well? What about other things we do online that necessarily involve remote servers, like sending an email? Does every system involved in forwarding a message I send to a dozen friends now have to contact me (how?!) and obtain my permission before forwarding the message to the next link in the chain?

There ought to be some reasonable limits to protect privacy. I don't think a website for a medical facility should automatically use Google Maps to show a route from a patient's home address to their facility. But in that case the information request on the user's behalf is much more specific. It's not just the user at 127.0.0.1 visiting some (unknown) site that uses a popular web font for its text and the user's browser then fetches the relevant data from Google Fonts without asking first.


Care to provide more details on what you mean by this?


Last time I looked I found https://patally.co.uk which does the same thing and doesn't have as much nastiness (it only has Google Fonts).


