A privacy concern about Google Fonts

“If you are not paying for it, you’re not the customer; you’re the product…”

It’s obvious and logical. Hidden in plain sight like The Purloined Letter. So much so that you don’t really take it into consideration when designing a website or an app.

We may overlook it because our concern with fonts is usually about copyright laws. And what is in plain sight is the information about it. The fonts are open source! And the text in the About page is inspiring!

Making the web more beautiful, fast, and open through great typography

We believe the best way to bring personality and performance to websites and products is through great design and technology. Our goal is to make that process simple, by offering an intuitive and robust collection of open source designer web fonts.

Google Fonts About page

So… let’s copy-paste them!

Furthermore, these web fonts are almost twenty years old and the majority of websites use them.

But wait… what about privacy issues? It’s not in plain sight. I think that is what we call a dark pattern.

Well, it is not necessarily a big problem, depending on the requirements of your client. Or what you believe or who you trust. Or your principles about the internet and privacy. I don’t know.

But what I know is that we must be aware of this. And if you are already aware, you must keep it in mind when using web fonts.

There are two links on the Google Fonts About page, one for Terms and the other for Privacy. But they are very general, covering all Google products and services like search, accounts or apps.

By using Google Fonts, the Terms of Service that specifically apply are those for the Google APIs, because you usually embed with <link> or @import into your CSS one of these URLs: fonts.googleapis.com or fonts.gstatic.com.

The APIs are designed to help you enhance your websites and applications (“API Client(s)”). YOU AGREE THAT GOOGLE MAY MONITOR USE OF THE APIS TO ENSURE QUALITY, IMPROVE GOOGLE PRODUCTS AND SERVICES, AND VERIFY YOUR COMPLIANCE WITH THE TERMS. This monitoring may include Google accessing and using your API Client, for example to identify security issues that could affect Google or its users.

Google APIs Terms of Service

Notice that when it says “to ensure quality, improve Google products and services”, Google Ads, Google AdSense or Google Analytics are products or services too. And it can be any other product or service for any of its clients or customers. The ones who pay, of course.

And notice also that where it says “to identify security issues” it is just an example. Nobody is going to complain about the use for security, so it’s intelligent to put the word “security” there.

Google could track the users of your website or app in a similar way to how a pixel-based tracking system works.

Or not. The problem is with “could”. But the information from all the sites using Google Fonts is too good to not use it, right?

So, let’s be aware of that. I became aware of it from a Reddit post.

There are ways to turn this around, of course. The obvious thing is to host the web fonts on your own server and not call them from fonts.googleapis.com or fonts.gstatic.com. But you should check the code in templates or components that you use anyway.
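
One way to do that check, as an added example that is not part of the original post: a small Python scanner that reports every reference to the two hosts named above in a project tree, labelling each as an HTML `<link>`, a CSS `@import` or a CSS `url()`. The function names, the file-suffix list and the sample markup are assumptions made up for this illustration.

```python
import re
from pathlib import Path

# The two hosts named in the article.
FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")
SCAN_SUFFIXES = {".html", ".htm", ".css", ".scss", ".js", ".jsx", ".ts", ".vue", ".php"}  # assumed list

# Matches https://, http:// and protocol-relative // references to either host.
_HOST_RE = re.compile(r"(?:https?:)?//(" + "|".join(map(re.escape, FONT_HOSTS)) + r")[^\s\"'<>)]*", re.I)

def classify(line, start):
    """Label how the URL is loaded, judging by the text before it on the same line."""
    before = line[:start].lower()
    if "@import" in before:
        return "css-import"
    if "<link" in before:
        return "html-link"
    if "url(" in before:
        return "css-url"
    return "other"

def scan_text(text, name="<memory>"):
    """Return (file, line number, kind, host, url) for every reference in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in _HOST_RE.finditer(line):
            findings.append((name, lineno, classify(line, m.start()), m.group(1).lower(), m.group(0)))
    return findings

def scan_tree(root):
    """Scan every file under root whose suffix is in SCAN_SUFFIXES."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            findings += scan_text(path.read_text(encoding="utf-8", errors="replace"), str(path))
    return findings

# Constructed sample markup, not taken from any real site.
SAMPLE = """<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="//fonts.googleapis.com/css2?family=Roboto" rel="stylesheet">
<style>
@import url('https://fonts.googleapis.com/css2?family=Lato');
@font-face { font-family: Local; src: url(/fonts/local.woff2); }
@font-face { font-family: Remote; src: url(https://fonts.gstatic.com/s/example/font.woff2); }
</style>"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE, "sample.html"):
        print(*finding, sep="\t")
```

Running `scan_tree` over a theme or component directory lists the files that still pull fonts from Google, so each one can be switched to a self-hosted copy.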

For more technical information check out the Reddit post and this article about fingerprinting by Federico Dossena in his blog.
