kit: kit.svelte.dev is not GDPR compliant

Describe the bug

kit.svelte.dev does not comply with the General Data Protection Regulation (GDPR), and if someone in Europe files a complaint, the Svelte team will have to deal with fines “up to $11.03 million or two percent of the company’s annual revenue, whichever is greater.”

Reproduction

  1. Go to https://kit.svelte.dev
  2. Scroll down to “deploy anywhere.”
  3. Depending on your location, you will see your exact location on the globe; that part of the website violates GDPR Article 7 because the server uses geolocation data without the user’s consent. https://github.com/sveltejs/kit/blob/3f7af7ac72e390ffa1f59d780a41e5cf71dff852/sites/kit.svelte.dev/src/routes/edge.svg/%2Bserver.js#L123-L126

Here is the result on my screen:

image

Logs

N/A

System Info

N/A

Severity

annoyance

Additional Information

(the above dropdown was left as is due to it being inapplicable to this type of issue)

I am sorry to be the bad cop here, especially after SvelteKit reaching v1. However, although I am not residing in Europe, it was necessary for me to report the issue, so the Svelte team, and possibly Vercel, could re-assess its best practices regarding user privacy. A few months ago, I ran into an issue on Angular’s issue tracker about GDPR noncompliance, and I said the following to try to stir up a faster response there after months of relative inactivity:

What is the explanation for this? Why is the [angular] team not responding to something that involves potential litigation? Just because Angular is a Google project does not mean Google’s analytics can be used without consent.

The same thing applies here. Just because the SvelteKit website runs on Vercel does not mean it can use Vercel’s geolocation APIs without consent.

About this issue

  • State: closed
  • Created 2 years ago
  • Reactions: 6
  • Comments: 19 (9 by maintainers)

Most upvoted comments

I think we need a vote and some assistance from the community because we are getting two different answers from two different articles of the GDPR.


  • Those who react with a 👍 are saying that the SvelteKit website is GDPR compliant.
  • Those who react with a 👎 are saying that the SvelteKit website is not GDPR compliant.
  • Those who react with a 😕 are saying that they are unsure whether the SvelteKit website is GDPR compliant or not.
  • Those who do not react with a 👍, 👎, or 😕 are not participating.

Votes will be collected at 2:30 AM UTC (8:30 PM CST). If anyone has additional info from the GDPR or legal experience, please tell us about it in the comments, so voters are better informed.

Everyone, I just got the results of a GDPR scan with Sovy, and the report is not pretty. Essentially, where 100% is fully compliant, the SvelteKit website got a 10% score because it violated 9 parts of the GDPR, and a few of those involve what is being discussed here.

(Note that the report will expire in three weeks)

@kvetoslavnovak, @524c, @yob-yob:

I am not a lawyer, but I am thinking very strictly because the implications of a GDPR violation are huge for an open source community, even though it is supported by a relatively big company like Vercel.

Also, I agree that the GDPR is hard to understand in certain details, so for that reason, I think we need to take immediate action. I think the /edge.svg route needs to be rewritten to use an external API (such as getting a map of all CDNs, for example) or be taken offline, with the consuming component’s code replaced by a pre-written SVG. Either way, immediate action needs to be taken because, given how quickly the v1 announcement can spread, the chances of a violation will increase.

The SvelteKit website does not come remotely close to violating GDPR, which applies to user data being “processed” (stored, sent, erased). Nothing is being processed here.

I ran this tool against their own website. Only 30%… 😦 https://hub.sovy.com/gdpr-scan/?siteid=4cf6d97f-b37b-4813-9943-1f5fa337616a I think maybe they could hire a company that offers GDPR help, like maybe https://www.sovy.com/?

Look, I just commented out of curiosity on the subject, but my opinion on this has no relevance. I’m sure the maintainers will know how to address the matter if they deem it necessary.

@IRod22 are you an EU lawyer with a GDPR background? Because I am, and your legal analysis seems really extremely strict and extensive and contrary to judiciary practice here in the EU.

The data is not stored anywhere, it’s also not shared anywhere, it’s already present without us having to do anything specifically like “give me the IP address”, and it’s only based on the IP address, not specific geolocation data. Does GDPR still apply in this situation then?

Ohoh, it looks like Google is going to be in big trouble too. https://hub.sovy.com/gdpr-scan/?siteid=9daa1e4e-f785-4e36-8c8a-9e584b4f2084

  • x-vercel-ip clearly uses only Vercel edge server location data
  • the data refer to the general location where the Vercel edge server is located and not the location of the user him/herself
  • there is no processing of Vercel edge server location data (storing, sending), hence these data cannot even be erased from somewhere
  • the data about the Vercel edge server location are only sent to the user in common HTTPS response communication
  • there is no usage of the user’s browser geolocation data
  • there is no usage of the user’s IP address

Vercel edge server location != user’s geolocation data or IP address

Quite an appropriate analogy is the ZIP code of your city area used by postal services vs. the address of your street, building and flat number. And the ZIP code is even more detailed compared to the Vercel edge location.

Like saying that the Date.prototype.toLocaleDateString() method violates GDPR, or server rendering the dark theme according to window.matchMedia('(prefers-color-scheme: dark)').

If you for example are aware of the (in)famous German Google Fonts case, the problem was not the IP addresses being sent to Google Fonts service either so much as Google storing these IP addresses.

This LinkedIn Pulse article does say that sensitive data should be protected (even after using SSL/TLS) in transit, and, based on my own intuition, not doing so can leave a connection vulnerable to man-in-the-middle attacks that could trigger a GDPR violation complaint from the affected parties or the EU itself.