A privacy concern about Google Fonts


17.03.2020 - 14:40

“If you are not paying for it, you’re not the customer; you’re the product…”

It’s obvious and logical. Hidden in plain sight like The Purloined Letter. So much so that you really don’t take it into consideration when designing a website or an app.

We may overlook it because our concern with fonts is usually about copyright laws. And what is in plain sight is the information about it. The fonts are open source! And the text in the About page is inspiring!

So… let’s copy-paste them!

Furthermore, these web fonts are almost twenty years old and the majority of the websites use them.

But wait… what about privacy issues? It's not in plain sight. I think that is what we call a dark pattern.

Well, it is not necessarily a big problem, depending on the requirements of your client. Or what you believe or who you trust. Or your principles about the internet and privacy. I don’t know.

But what I know is that we must be aware of this. And if you are already aware, you must keep it in mind when using web fonts.

There are two links on the Google Fonts About page, one for Terms and the other for Privacy. But they are very general, covering all Google products and services such as search, accounts or apps.

When you use Google Fonts, the Terms of Service that specifically apply are those for the Google APIs, because you usually embed the fonts with <link> or with @import in your CSS, pointing at one of these hosts: fonts.googleapis.com or fonts.gstatic.com.

The APIs are designed to help you enhance your websites and applications (“API Client(s)”). YOU AGREE THAT GOOGLE MAY MONITOR USE OF THE APIS TO ENSURE QUALITY, IMPROVE GOOGLE PRODUCTS AND SERVICES, AND VERIFY YOUR COMPLIANCE WITH THE TERMS. This monitoring may include Google accessing and using your API Client, for example to identify security issues that could affect Google or its users.
Google APIs Terms of Service

Notice that where it says “to ensure quality, improve Google products and services”, Google Ads, Google AdSense and Google Analytics are products or services too. And it can be any other product or service for any of its clients or customers. The ones who pay, of course.

And notice also that where it says “to identify security issues” it is just an example. Nobody is going to complain about the use for security, so it’s intelligent to put the word “security” there.

Google could track the users of your website or app in a similar way to how a pixel-based tracking system works.

Or not. The problem is with “could”. But the information from all the sites using Google Fonts is too good to not use it, right?

So, let’s be aware of that. I became aware of it from a Reddit post.

Google's fonts is the "pixel" no mainstream filterlist is blocking

There are ways to turn this around, of course. The obvious one is to host the web fonts on your own server instead of loading them from fonts.googleapis.com or fonts.gstatic.com. But you should still check the code in the templates or components that you use.
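One way to run that check over a project, as an added example (not code from the original article): a small scanner that reports every URL reference to the two font hosts and how it is embedded. The file-type list, the function names and the sample markup are assumptions made for the illustration.

```python
import re
import sys
from pathlib import Path

# File types that commonly carry font embeds (an assumption; extend as needed).
SUFFIXES = {".html", ".htm", ".css", ".scss", ".js", ".ts", ".vue", ".php", ".twig"}
# URL references to the two hosts named in the article, with or without scheme.
HOST_RE = re.compile(
    r"(?:https?:)?//(fonts\.(?:googleapis|gstatic)\.com)[^\s\"')>]*", re.I)

def classify(line):
    """Label how the line pulls in the third-party font host."""
    low = line.lower()
    if "@import" in low:
        return "css-import"
    if "<link" in low:
        hint = "preconnect" in low or "dns-prefetch" in low
        return "resource-hint" if hint else "link"
    return "css-url" if "url(" in low else "other"

def scan_text(text, name="<text>"):
    """Return (file, line number, kind, host, url) for every reference."""
    return [(name, n, classify(line), m.group(1).lower(), m.group(0))
            for n, line in enumerate(text.splitlines(), 1)
            for m in HOST_RE.finditer(line)]

def scan_tree(root):
    """Scan every template, stylesheet and script under root."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            hits += scan_text(text, str(path))
    return hits

# Constructed sample: three remote references and one self-hosted font.
SAMPLE = """<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Roboto" rel="stylesheet">
<style>
@import url("//fonts.googleapis.com/css?family=Lato");
@font-face { font-family: "Lato"; src: url(/fonts/lato.woff2); }
</style>"""

if __name__ == "__main__":
    on_disk = len(sys.argv) > 1
    hits = scan_tree(sys.argv[1]) if on_disk else scan_text(SAMPLE, "sample.html")
    for name, n, kind, host, url in hits:
        print(f"{name}:{n}: {kind}: {url}")
    sys.exit(1 if on_disk and hits else 0)
```

Pass a project directory as the first argument to scan it; the script then exits non-zero when it finds a reference, so it can gate a build. The self-hosted @font-face line in the sample is not reported.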

For more technical information, check out the Reddit post and this article about fingerprinting by Federico Dossena on his blog.

 

Written by

Adolfo Ramírez Corona

 

-----------------------------------------------------------------------

More about Google Fonts Tracking:

  • Google Terms:

    Section 3: Your API Clients

    a. API Clients and Monitoring

    The APIs are designed to help you enhance your websites and applications ("API Client(s)"). YOU AGREE THAT GOOGLE MAY MONITOR USE OF THE APIS TO ENSURE QUALITY, IMPROVE GOOGLE PRODUCTS AND SERVICES, AND VERIFY YOUR COMPLIANCE WITH THE TERMS. This monitoring may include Google accessing and using your API Client, for example to identify security issues that could affect Google or its users. You will not interfere with this monitoring. Google may use any technical means to overcome such interference. Google may suspend access to the APIs by you or your API Client without notice if we reasonably believe that you are in violation of the Terms.
     

  • ProtonMail removing Google Fonts from its site

  • How Google is tracking you, and how to avoid it

  • Google Fonts in WhoTracksMe