Curious how useful is an IP address with a simple HTTP get request?
As long as a sane Referer-Policy is set, the Referer won't be sent. Sure there's a lot more to browser fingerprinting but with just an HTTP request, all the data that would be known from it is the language and the user agent. Both of which are not unique data points and shared by thousands of other users. No cookies either in this case of Google Fonts.
You are logged in to to google and so are your family members.
You visit YouTube.com from IP X with device (user agent) Y.
Your family member visits YouTube.com from IP X with device Z.
Google Fonts gets a request via the API key of mydomain.de from IP X and device Y.
Google now knows that you visited mydomain.de
Edit: I stand corrected that Google Fonts doesn't use an API key.
I suspect they still can correlate the font request with the domain, however I have no proof.
Consider this an example for other services like maps.
Several people and devices could be shared by the same IP though, either who are on the same network or in the vicinity of the same mobile mast (or in the same mall or restaurant)... that's why IP often isn't used as conclusive evidence that you are the same person just because you are on the same IP.
Well technically you share a lot more data. IP, browser agent, time (which in combination with IP can tell exactly who used that specific computer) and cookies set on the *.google.com domain.
So it's actually interesting that the court only focused on the IP-address although the ruling would probably have been the same even if they widened the scope.
So how valuable would it be to you if I would share with you that I spent $20 yesterday on shopping groceries. Probably not so much. But if I would share with you 90% of my spending, you might be able to infer a lot more information about me.
So the question isn't how useful the single request is, but rather what can be done with a lot of these requests. And Google and Facebook are specialists in generating lots of said requests with services like google fonts and like-buttons. And once you realize that the sum of these requests is so valuable that they are considered personal information, you want to protect them with laws.
These laws, like the GDPR, are already in place and this is one of the instances where someone didn't respect such a law. So you can argue now, that this single request isn't so valuable, but isn't that true for every penny of a million dollars?
I understand what you're saying but it doesn't exactly address my curiosity of this specific case of HTTP GET requests for font files (no JS, no iframe, and no cookies either in this case).
Your thoughts about a like button widget, or even Google Analytics are perfectly valid. But I am talking about this specific topic under discussion, Google Fonts.
As long as a sane Referer-Policy is set, the Referer won't be sent. Sure there's a lot more to browser fingerprinting but with just an HTTP request, all the data that would be known from it is the language and the user agent. Both of which are not unique data points and shared by thousands of other users. No cookies either in this case of Google Fonts.