A privacy concern about Google Fonts


“If you are not paying for it, you’re not the customer; you’re the product…”

It’s obvious and logical. Hidden in plain sight like The Purloined Letter. So much so that you don’t really take it into consideration when designing a web site or an app.

We may overlook it because our concern with fonts is usually about copyright laws. And what is in plain sight is the information about it. The fonts are open source! And the text in the About page is inspiring!

So… let’s copy-paste them!

Furthermore, these web fonts are almost twenty years old and the majority of websites use them.

But wait… what about privacy issues? It’s not in plain sight. I think that is what we call a dark pattern.

Well, it is not necessarily a big problem, depending on the requirements of your client. Or what you believe or who you trust. Or your principles about the internet and privacy. I don’t know.

But what I know is that we must be aware of this. And if you are already aware, you must keep it in mind when using web fonts.

There are two links in the Google Fonts About page, one for Terms and the other for Privacy. But they are very general, covering all Google products and services such as search, accounts or apps.

When you use Google Fonts, the Terms of Service that specifically apply are those of the Google APIs, because you usually embed one of these hosts with <link> in your HTML or @import in your CSS: fonts.googleapis.com or fonts.gstatic.com.

The APIs are designed to help you enhance your websites and applications (“API Client(s)”). YOU AGREE THAT GOOGLE MAY MONITOR USE OF THE APIS TO ENSURE QUALITY, IMPROVE GOOGLE PRODUCTS AND SERVICES, AND VERIFY YOUR COMPLIANCE WITH THE TERMS. This monitoring may include Google accessing and using your API Client, for example to identify security issues that could affect Google or its users.

Google APIs Terms of Service

Notice that when it says “to ensure quality, improve Google products and services”, Google Ads, Google AdSense and Google Analytics are products or services too. And it can be any other product or service for any of its clients or customers. The ones who pay, of course.

And notice also that where it says “to identify security issues”, it is just an example. Nobody is going to complain about the use for security, so it’s intelligent to put the word “security” there.

Google could track the users of your website or app in a similar way to how a pixel-based tracking system works.

Or not. The problem is with “could”. But the information from all the sites using Google Fonts is too good to not use it, right?

So, let’s be aware of that. I became aware of it from a Reddit post.

Google’s fonts is the «pixel» no mainstream filterlist is blocking

There are ways to turn this around, of course. The obvious thing is to host the web fonts on your own server and not call them from fonts.googleapis.com or fonts.gstatic.com. But you should check the code in the templates or components that you use, anyway.
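
One way to do the check recommended above, as an added example that is not part of the original post: a scanner that lists every reference to the two hosts named in this article across templates, stylesheets and scripts, classified by how the font is embedded. The function names, the file-suffix list and the sample template are assumptions made for illustration.

```python
import re
from pathlib import Path

# The two hosts named in the article; a request to either one reaches Google.
FONT_HOSTS = ("fonts.googleapis.com", "fonts.gstatic.com")
HOST_RE = "|".join(re.escape(h) for h in FONT_HOSTS)
# Matches https://, http:// and protocol-relative // references to those hosts.
URL_RE = rf"(?:https?:)?//(?:{HOST_RE})[^\s\"'<>)]*"
# Ordered patterns that classify how the remote font is pulled in.
PATTERNS = [
    ("css-import", re.compile(rf"@import\s+(?:url\(\s*)?[\"']?({URL_RE})", re.I)),
    ("html-link", re.compile(rf"<link\b[^>]*\bhref\s*=\s*[\"']?({URL_RE})", re.I)),
    ("css-url", re.compile(rf"url\(\s*[\"']?({URL_RE})", re.I)),
    ("other", re.compile(rf"({URL_RE})", re.I)),  # e.g. a URL inside a script
]
# Assumed set of file types to scan; extend it for your stack.
SCAN_SUFFIXES = {".html", ".htm", ".css", ".scss", ".js", ".ts", ".vue", ".php", ".twig"}

def find_remote_fonts(text):
    """Return sorted (line, kind, url) tuples, one per Google Fonts reference."""
    hits = {}
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(text):
            # Keyed on the URL offset, so the first (most specific) kind wins.
            hits.setdefault(m.start(1), (kind, m.group(1)))
    return sorted((text.count("\n", 0, p) + 1, k, u) for p, (k, u) in hits.items())

def scan_tree(root):
    """Scan template, style and script files under root; return {path: hits}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = find_remote_fonts(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample template: four remote references and one self-hosted font.
SAMPLE = """<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="//fonts.googleapis.com/css2?family=Roboto&display=swap" rel="stylesheet">
<style>
@import url('https://fonts.googleapis.com/css?family=Lato');
@font-face { font-family: "Local"; src: url("/fonts/local.woff2"); }
@font-face { font-family: "Inter"; src: url(https://fonts.gstatic.com/s/inter/example.woff2); }
</style>
"""

if __name__ == "__main__":
    for line, kind, url in find_remote_fonts(SAMPLE):
        print(f"line {line}: {kind:<10} {url}")
```

Run `scan_tree` over your theme or component directories as well as your own code: a preconnect hint or a bundled third-party stylesheet contacts these hosts just like a direct embed.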

For more technical information check out the Reddit post and this article about fingerprinting by Federico Dossena in his blog.

 

 

Written by Adolfo Ramírez Corona

----------------------------------------------------------------------

More about Google Fonts Tracking:

  • Google Terms:

    Section 3: Your API Clients

    a. API Clients and Monitoring

    The APIs are designed to help you enhance your websites and applications («API Client(s)»). YOU AGREE THAT GOOGLE MAY MONITOR USE OF THE APIS TO ENSURE QUALITY, IMPROVE GOOGLE PRODUCTS AND SERVICES, AND VERIFY YOUR COMPLIANCE WITH THE TERMS. This monitoring may include Google accessing and using your API Client, for example to identify security issues that could affect Google or its users. You will not interfere with this monitoring. Google may use any technical means to overcome such interference. Google may suspend access to the APIs by you or your API Client without notice if we reasonably believe that you are in violation of the Terms.

  • ProtonMail removing Google Fonts from its site

  • How Google is tracking you, and how to avoid it

  • Google Fonts in WhoTracksMe