A place to cache linked articles (think custom and personal wayback machine)
title: Google Webfonts, The Spy Inside?
url: http://fontfeed.com/archives/google-webfonts-the-spy-inside/
hash_url: 8ff07392b3eb5ac3735976014729f4de
<img src="http://fontfeed.com/wp-content/uploads/2014/01/Google-Fonts_header.png"/>
<p>The FontFeed being a <a href="http://wordpress.com/" title="WordPress website">WordPress</a> blog, an article mentioned by <a href="http://www.fontshop.com/fonts/designer/erik_van_blokland/" title="Designer page on FontShop">Erik van Blokland</a> caught my attention. On his private blog, web developer xwolf – alias for <a href="http://www.aravaeth-onan.de/" title="Wolfgang Wiese’s personal site">Wolfgang Wiese</a> – <a href="http://blog.xwolf.de/2014/01/01/wp3-8-spion-inside-google-webfont-nutzung-fuer-admins/" title="xwolf | WP3.8: Spion inside – Tracking dank Google Webfont-Nutzung für Admins">wrote about an intriguing “side-effect” of the use of Google webfonts in the new WP3.8</a>. Its recent introduction unveiled a refreshed WordPress back-end – it all looks quite good indeed and usability is satisfactory. However, the developers did something that is not entirely fine in these times of constant surveillance and sourcing of metadata by official agencies and criminals alike. Along with the new back-end, the use of Open Sans was introduced. When a user is logged in, the fonts are served not locally but from Google webfonts. This creates privacy issues.<br/>
<span id="more-28220"/></p>
<p>The HTML source code looks like this:</p>
<p><img src="http://fontfeed.com/wp-content/uploads/2014/01/Google-Webfonts_code.png" alt="" title="Google webfonts in WP3.8 code" class="alignnone size-full wp-image-28238"/></p>
<p>The justification for the decision to serve Google webfonts in the WP3.8 back-end can be found in the post <em><a href="http://make.wordpress.org/core/2013/11/11/open-sans-bundling-vs-linking/" title="WordPress | Make WordPress Core › Open Sans, bundling vs. linking">Open Sans, bundling vs. linking</a></em> on the WordPress website. The piece spawned a lengthy comment thread in which Kiwi WordPress developer <a href="http://geek.ryanhellyer.net/" title="Ryan Hellyer | WordPress Ramblings">Ryan Hellyer</a> also pointed out the privacy issues.</p>
<blockquote><p>I suspect that bundling scripts into WordPress core will create privacy concerns for many people. The ability to perform analytics via them will disturb a small segment of the user-base.</p>
<p>It may even be illegal in some countries. Germany springs to mind in regards to that. They’re already super ticked off about being spied on at the moment, so I think it might be best if WordPress doesn’t join the party too.</p>
<p>And yes, you can install a plugin to force them to be self-hosted, but many people will just unwittingly hit the “update” button without ever realising that they’re opening themselves up to privacy issues.</p></blockquote>
<p>According to Wolfgang Wiese the solution is a plugin called <a href="http://blog.milandinic.com/wordpress/plugins/disable-google-fonts/" title="Disable Google Fonts plugin for WordPress">Disable Google Fonts</a>. As its name implies, its sole function is to prevent loading of Google webfonts by WordPress and bundled themes (Twenty Twelve, Twenty Thirteen, Twenty Fourteen). Wolfgang recommends that every single person who has a personal WordPress installation should immediately install the plugin too. Its developer Milan Dinić sums up a couple of reasons why you don’t want to load fonts from Google’s servers:</p>
<ul>
<li>privacy and security (Google knows about each page view)</li>
<li>local development or production (no or limited Internet access)</li>
<li>availability of Google’s servers (some countries block access to Google)</li>
<li>language support (these fonts have limited characters support)</li>
<li>performance (Google’s servers are hit on each page view)</li>
</ul>
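
<p>Added example, not part of the original article or of the Disable Google Fonts plugin: a Python check that reports whether a page's HTML still references Google's font hosts, useful for confirming that fonts are now served locally. The host list (<code>fonts.googleapis.com</code>, <code>fonts.gstatic.com</code>) is an assumption not stated in the article, and the sample markup is constructed.</p>

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts assumed to serve Google webfonts (stylesheets and font files).
GOOGLE_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}
CSS_URL = re.compile(r"""(?:https?:)?//[^\s'")]+""", re.I)  # URLs inside CSS text

def is_google_font_url(url):
    # Exact host match only, so look-alike hosts are not reported.
    return (urlparse(url).hostname or "") in GOOGLE_FONT_HOSTS

class FontAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []       # (tag, url) pairs, in document order
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name in ("href", "src") and value and is_google_font_url(value):
                self.findings.append((tag, value))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:       # catches @import and url(...) in inline CSS
            for url in CSS_URL.findall(data):
                if is_google_font_url(url):
                    self.findings.append(("style", url))

def audit(html):
    parser = FontAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample resembling an admin page head; not captured from a real site.
SAMPLE = """<link rel='stylesheet' id='open-sans-css' href='//fonts.googleapis.com/css?family=Open+Sans' />
<link rel='stylesheet' href='/wp-admin/css/wp-admin.min.css' />
<style>@import url("https://fonts.googleapis.com/css?family=Lato");
@font-face { font-family: Local; src: url(/fonts/local.woff); }</style>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

<p>An empty result from <code>audit()</code> means the markup itself references neither host; stylesheets loaded from other files would need to be fetched and checked separately.</p>
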
<p>So what exactly is the problem? The problem is that this provides Google Inc. – a company listed on the stock exchange whose core business is trading metadata – with yet another “tracking station”. User access can be tracked by gathering at least the header data of the connection request. This also includes cookies from the Google domain. Google learns that someone has an Administrator or Editor account for a certain website, and has a relationship to that site. But not only Google. Other websites also use Google webfonts; some of them in their themes and some regular users. Furthermore, certain websites integrate Google Adsense and use Google Analytics.</p>
<p>Similar to mobile positioning, it is not possible to see where people go. But thanks to cookie IDs, or alternatively other unique data, Google can “see” whether someone logs on to a website or whether the website is simply being visited. If the account eventually visits another website that allows Google to connect personal data to it (for example Google+ or YouTube), then the company knows who owns that account.</p>
<p><img src="http://fontfeed.com/wp-content/uploads/2014/01/blog-screenshot-googlewebfonts.png" alt="" title="Screenshot Google webfonts" class="alignnone size-full wp-image-28239"/></p>
<p>It’s all about metadata after all. By itself, on one single website, this may seem harmless. But by collecting and merging the metadata of several websites, comprehensive tracking becomes possible. And not only that – the fact that the WordPress folks have now embedded Open Sans only in the back-end allows Google to gain a valuable attribute – it finds out whether there is a working relationship between the account (the owner) and the website.</p>
<p>In his post Wolfgang sarcastically thanks the design team at WordPress for delivering his personal data to Google for a minimal gain in performance. He cannot really understand why web designers would embed Google webfonts without thinking twice, opening themselves up to possible privacy issues simply because it is so beautifully simple and the download file for the current theme is smaller. Or because others do it this way.</p>
<p>Because he also owns themes and plugins and has programmed his own CMS, Wolfgang knows very well how little effort is needed. He doesn’t get why it would be so hard to simply offer the option instead of having Google webfonts downloaded by default. One can use Google webfonts with confidence, but should do it consciously, and include the option to switch them off. He thinks it’s just plain laziness or incompetence on the part of web designers/developers, because all it takes is a few lines of code to make Theme Options.</p>
<p>Google is not the ultimate bad guy. Yet it should stick to its motto “don’t be evil” if some day in the future the NSA waltzes in with a warrant or if economic interests come to the fore. There have been other companies that once were “good”, but became less savoury due to changes in management.</p>