sveltejs / kit

web development, streamlined
https://kit.svelte.dev
MIT License

kit.svelte.dev is not GDPR compliant #8182

Closed ghost closed 1 year ago

ghost commented 1 year ago

Describe the bug

kit.svelte.dev is not complying with the General Data Protection Regulation (GDPR), and if someone in Europe files a complaint, the Svelte team will have to deal with fines "up to $11.03 million or two percent of the company's annual revenue, whichever is greater."

Reproduction

  1. Go to https://kit.svelte.dev
  2. Scroll down to "deploy anywhere."
  3. Depending on your location, you will see your exact location on the globe; that part of the website violates GDPR Article 7 because the server uses geolocation data without the user's consent. https://github.com/sveltejs/kit/blob/3f7af7ac72e390ffa1f59d780a41e5cf71dff852/sites/kit.svelte.dev/src/routes/edge.svg/%2Bserver.js#L123-L126

Here is the result on my screen:

[image: screenshot]

Logs

N/A

System Info

N/A

Severity

annoyance

Additional Information

(the above dropdown was left as is due to it being inapplicable to this type of issue)

I am sorry to be the bad cop here, especially after SvelteKit reached v1. However, although I am not residing in Europe, it was necessary for me to report the issue, so the Svelte team, and possibly Vercel, could re-assess its best practices regarding user privacy. A few months ago, I ran into an issue on Angular's issue tracker about GDPR noncompliance, and I said the following to try to stir up a faster response there after months of relative inactivity:

What is the explanation for this? Why is the [angular] team not responding to something that involves potential litigation? Just because Angular is a Google project does not mean Google's analytics can be used without consent.

The same thing applies here. Just because the SvelteKit website runs on Vercel does not mean it can use Vercel's geolocation APIs without consent.

dummdidumm commented 1 year ago

The data is not stored anywhere, it's also not shared anywhere, it's already present without us having to do anything specifically like "give me the IP address", and it's only based on the IP address, not specific geolocation data. Does GDPR still apply in this situation then?

stephenlrandall commented 1 year ago

The SvelteKit website does not come remotely close to violating GDPR, which applies to user data being "processed" (stored, sent, erased). Nothing is being processed here.

ghost commented 1 year ago

This LinkedIn Pulse article does say that sensitive data should be protected (even after using SSL/TLS) in transit, and, based on my own intuition, not doing so can leave a connection vulnerable to man-in-the-middle attacks that could trigger a GDPR violation complaint from the affected parties or the EU itself.

524c commented 1 year ago

I'm watching this closely because the GDPR is very complicated to understand details like this 🤔

yousufiqbal commented 1 year ago

It's not being saved or used by svelte. Just showing it to you.

kvetoslavnovak commented 1 year ago

@IRod22 are you an EU lawyer with GDPR background? Because I am, and your legal analysis seems really extremely strict and extensive and contrary to judiciary practice here in the EU.

yob-yob commented 1 year ago

Talking about getting geolocation data, in my mind I thought it was using the browser's Geolocation, but it's not, it's actually using Vercel's Edge Function features...

https://vercel.com/docs/concepts/edge-network/headers#x-vercel-ip-longitude

This means that kit.svelte.dev used Vercel's features to track my location, but Vercel did not ask for permission for tracking my location.

GDPR Article 7 talks about Conditions for consent

(Take note of the word processing, data subject and personal data)

  1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
  2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
  3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
  4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Important Definitions

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Based on what I have read and understand, I could say that this issue does have its reasons....
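To make the mechanism under discussion concrete, here is an added example (not code from the SvelteKit repository or from Vercel) of how an edge handler would consume the `x-vercel-ip-latitude` / `x-vercel-ip-longitude` headers documented at the link above, together with a data-minimising step that rounds the coordinates to a coarse grid before anything is rendered. The header names are Vercel's; the function names, the 1-degree rounding step, the projection and the sample header values are all assumptions made for the example.

```javascript
// Added example, not SvelteKit's or Vercel's own code. Header names are the
// documented Vercel ones; the helpers, the rounding step and the demo values
// are assumptions for illustration.

const LAT_HEADER = 'x-vercel-ip-latitude';
const LON_HEADER = 'x-vercel-ip-longitude';

/** Parse a coordinate pair from a Headers-like object (anything with .get()).
 *  Returns null when either header is absent, non-numeric or out of range, so
 *  a local dev server or a proxy that strips the headers yields no marker. */
function locationFromHeaders(headers) {
  const lat = Number.parseFloat(headers.get(LAT_HEADER) ?? '');
  const lon = Number.parseFloat(headers.get(LON_HEADER) ?? '');
  if (!Number.isFinite(lat) || !Number.isFinite(lon)) return null;
  if (lat < -90 || lat > 90 || lon < -180 || lon > 180) return null;
  return { lat, lon };
}

/** Data minimisation: snap coordinates to a grid (default 1 degree, roughly
 *  100 km at the equator) so the rendered value is no finer than the page
 *  needs. Passing null through lets callers chain it after the parser. */
function coarsen(loc, step = 1) {
  if (loc === null) return null;
  const snap = (v) => Math.round(v / step) * step;
  return { lat: snap(loc.lat), lon: snap(loc.lon) };
}

/** Equirectangular projection of a lat/lon pair onto an SVG viewport. */
function projectToSvg(loc, width = 1000, height = 500) {
  const x = ((loc.lon + 180) / 360) * width;
  const y = ((90 - loc.lat) / 180) * height;
  return { x, y };
}

/** Build the marker fragment, or an empty string when no location is known.
 *  Only the coarsened pair ever reaches the rendering step. */
function markerSvg(headers, opts = {}) {
  const loc = coarsen(locationFromHeaders(headers), opts.step ?? 1);
  if (loc === null) return '';
  const { x, y } = projectToSvg(loc, opts.width, opts.height);
  return `<circle cx="${x}" cy="${y}" r="4" fill="red" />`;
}

// Demo with constructed header values (not real request data).
const demoHeaders = new Map([
  [LAT_HEADER, '52.5163'],
  [LON_HEADER, '13.3777']
]);
console.log(markerSvg(demoHeaders));
console.log(JSON.stringify(markerSvg(new Map()))); // no headers -> ""
```

In a SvelteKit `+server.js` handler the `headers` argument would be `request.headers`; the same `.get()` call works there. Rejecting malformed or out-of-range values matters because the headers are set by the platform only when the request actually traverses Vercel's edge, so the handler should treat their absence as the normal case rather than assume they are always present.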

ghost commented 1 year ago

@kvetoslavnovak, @524c, @yob-yob:

I am not a lawyer, but I am thinking very strictly because the implications of a GDPR violation are huge for an open source community even though it is supported by a relatively big company like Vercel.

Also, I agree that certain details of the GDPR are hard to understand, so for that reason, I think we need to take immediate action. I think the /edge.svg route needs to be rewritten to use an external API (such as getting a map of all CDNs for example) or be taken offline, with the consuming component's code replaced by pre-written SVG. Either way, immediate action needs to be taken because due to how quickly the v1 announcement can spread, the chances of a violation will increase.

dummdidumm commented 1 year ago

Vercel doesn't have your geolocation, it has a broad approximation of it based on your IP address, probably using generally accessible IP-to-location databases. And without your IP no web server could respond to your requests.

ghost commented 1 year ago

@dummdidumm you are correct about using the IP address; however, some people may disagree with the additional processing because, in the case of the edge API, just knowing what city the user is in could definitely scare the user into thinking that the website knows their exact location. I do not think Vercel is that transparent about how IP addresses are processed either.

gterras commented 1 year ago

See Lawfulness of processing https://gdpr-info.eu/art-6-gdpr/

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject

It is commonly admitted that "the biggest city near you" isn't enough to identify anyone and thus won't override any interest or right.

ghost commented 1 year ago

I think we need a vote and some assistance from the community because we are getting two different answers from two different articles of the GDPR.


Votes will be collected at 2:30 AM UTC (8:30 PM CST). If anyone has additional info from the GDPR or legal experience, please tell us about it in the comments, so voters are better informed.

524c commented 1 year ago

> @kvetoslavnovak, @524c, @yob-yob:
>
> I am not a lawyer, but I am thinking very strictly because the implications of a GDPR violation are huge for an open source community even though it is supported by a relatively big company like Vercel.
>
> Also, I agree that certain details of the GDPR are hard to understand, so for that reason, I think we need to take immediate action. I think the /edge.svg route needs to be rewritten to use an external API (such as getting a map of all CDNs for example) or be taken offline, with the consuming component's code replaced by pre-written SVG. Either way, immediate action needs to be taken because due to how quickly the v1 announcement can spread, the chances of a violation will increase.

Look, I just commented out of curiosity on the subject, but my opinion on this has no relevance. I'm sure the maintainers will know how to address the matter if they deem it necessary.

kvetoslavnovak commented 1 year ago

Vercel edge server location != user's geolocation data or IP address

Quite an appropriate analogy is a ZIP code of your city area used by post services vs. an address of your street, building and flat number. And the ZIP code is even more detailed compared to Vercel edge location.

Like saying that Date.prototype.toLocaleDateString() method violates GDPR or server rendering the dark theme according to window.matchMedia('prefers-color-scheme: dark');.

If you for example are aware of the (in)famous German Google Fonts case, the problem was not the IP addresses being sent to Google Fonts service either so much as Google storing these IP addresses.

ghost commented 1 year ago

Everyone, I just got the results of a GDPR scan with Sovy, and the report is not pretty. Essentially, where 100% is fully compliant, the SvelteKit website got a 10% score because it violated 9 parts of the GDPR, and a few of those involve what is being discussed here.

(Note that the report will expire in three weeks)

PatrickG commented 1 year ago

Ohoh, it looks like Google is going to be in big trouble too. https://hub.sovy.com/gdpr-scan/?siteid=9daa1e4e-f785-4e36-8c8a-9e584b4f2084

styxpilled commented 1 year ago

I ran this tool against their own website. Only 30%... :( https://hub.sovy.com/gdpr-scan/?siteid=4cf6d97f-b37b-4813-9943-1f5fa337616a I think maybe they could hire a company that offers GDPR help, like maybe https://www.sovy.com/?

rhysw97 commented 1 year ago

This guy is probably just trolling or trying to sell something haha. I mean this information can't even be used to personally identify someone so it doesn't even come under GDPR even if it was stored as it isn't even 100% accurate to where someone is.

ghost commented 1 year ago

I'm closing this issue.