Remove third-party trackers (Google and Adobe)

Since I'm a GDPR legal advisor by trade, I always check the services I use for their privacy implications on me as a data subject. Tor Weather is no exception in this regard ;).

Weather.torproject.org uses third-party resources that receive PII of any visitor. This is always bad from a privacy/freedom standpoint (and certainly not privacy by design), but since the third-parties in this case are Google[1][2] and Adobe[3][4] it's even more of an issue. Both of these companies have a bad track record of long-term and consistent privacy/GDPR violations. But even disregarding the specifics, I feel a organization like the Tor Project should keep Tor operators far from the grasps of these kind of big tech companies.

But this is also in clear violation of the GDPR[5][6][7] since there is no legal basis for this. There is no explicit and freely given consent[8][9] (or any other applicable GDPR legal basis such as legitimate interest) being used for sharing PII with Tor's hired/appointed processors of PII. Tor Project is responsible for this processing (i.e. the controller[8] in GDPR terms) since Tor Project determines the purposes and means of processing these personal data.

I also don't think this use of third-party trackers is even proportional let alone necessary or subsidiary[6][11]. It looks like they are only used for loading in fonts, and those can be hosted locally as well (which makes using the third-party resources fail the proportionality and subsidiarity requirements in the GDPR).

And lastly there is also no privacy statement. Normally as a data subject I would tolerate this if the service is created following privacy by design principles and I find the organization behind it trustworthy, but when there are third-party resources (also note that Akamai is a data processor of the Tor Project) in play this is a whole other story. Transparency is essential for trust and freedom (and also legally required in this case)!

My suggestion is to at least remove the third-party trackers and just host the resources you need locally on the webserver.

[1] fonts.googleapis.com
[2] fonts.gstatic.com
[3] p.typekit.net
[4] use.typekit.net
[5] https://rewis.io/urteile/urteil/lhm-20-01-2022-3-o-1749320/
[6] https://gdpr-info.eu/art-5-gdpr/
[7] https://gdpr-info.eu/art-6-gdpr/
[8] https://gdpr-info.eu/art-7-gdpr/
[9] https://gdpr-info.eu/recitals/no-43/
[10] https://gdpr-info.eu/art-4-gdpr/
[11] https://gdpr-info.eu/recitals/no-39/