
I currently work on it as well, so happy to pitch in.



Any estimate when Inter can be expected?

https://github.com/google/fonts/issues/1455#event-2995287982


Does Google use this to fingerprint and track users across different websites?


The Google Font FAQ includes the question: What does using the Google Fonts API mean for the privacy of my users?

> "...your requests for fonts are separate from and do not contain any credentials you send to google.com while using other Google services that are authenticated, such as Gmail."

> "Google Fonts logs records of the CSS and the font file requests, and access to this data is kept secure."

https://developers.google.com/fonts/faq#what_does_using_the_...


So a lot of fluff and no actual reply. Users can be tracked without cookies being sent, while "access to the data is kept secure". Call me a cynic, but I lost my trust in Google a long time ago.


To answer "track users across different websites", I think they pretty clearly say the opposite:

> The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently.

> When millions of websites all link to the same fonts, they are cached after visiting the first website and appear instantly on all other subsequently visited sites. [...] The result is that website visitors send very few requests to Google: We only see 1 CSS request per font family, per day, per browser.

I guess, what would you want to see that would assuage your concerns, beyond what is written in the FAQ?


They do not say the opposite.

Apparently they need to collect and store end-user data for serving fonts efficiently. Wonder what that could be...

And if that information happens to be enough for further tracking then it seems to be fair game!


Couldn’t it just be for edge server location determination?

Not a Google fan, but at their volume of traffic seems like it could be something they’ve optimized for.


Could be!

But they could have said so. And they could also have said that the information is not correlated with anything else.

All we know is that they have, very carefully, written something vague that they could do pretty much anything they wanted with.

And we are left with the question, why would they do that?


Probably to not have to consult the lawyers every single time someone creates a new analytics aggregation.


"Users can be tracked without cookies being sent"

How? Stylesheets can't use fingerprinting or Flash cookies or anything like that, only scripts can.


Stylesheets can fingerprint with the help of a server to track what resources get loaded or skipped, and a few clever media size queries etc.


The Referer header will leak what page you were on and you probably already have connections to Google from the same client IP address. Even if you have Referer blocked, the particular font requested could indicate information about what page you are on when combined with other data.


TLS Session resumption (tickets / caching)


Multiple people (I know as my upvote just now didn't even get you back in the black) downvoted you (and now me ;P), but you are absolutely correct that that quote didn't really have anything to do with the question.


Can you still be tracked if the fonts are delivered from your server?


No. A font file served from your own server is just like any other static asset. (I increasingly tend to do this for my sites, as I've found that using FontSquirrel to create WOFF/WOFF2 files that contain subsets of fonts and/or "collapse" font features -- e.g., stylistic alternates -- can make for very small, efficient files if the subsetting meets your needs.)
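An added example, not part of the thread: a small audit that lists which font resources in a page's HTML/CSS would still be fetched from another host, which is the check to run after moving to self-hosted fonts as the last two comments discuss. The page URL `https://example.test/`, the sample markup and the font extension list are assumptions made for illustration.

```python
import re
from urllib.parse import urljoin, urlparse

# Assumption: these extensions identify font files (list is not from the thread).
FONT_EXT = (".woff2", ".woff", ".ttf", ".otf", ".eot")
# The Google Fonts CSS API host and the host its stylesheets load font files from.
KNOWN_FONT_HOSTS = {"fonts.googleapis.com", "fonts.gstatic.com"}

LINK_HREF = re.compile(r'<link\b[^>]*?\bhref\s*=\s*["\']([^"\']+)["\']', re.I)
CSS_IMPORT = re.compile(r'@import\s+(?:url\(\s*)?["\']?([^"\')\s;]+)', re.I)
CSS_URL = re.compile(r'url\(\s*["\']?([^"\')\s]+)', re.I)

def third_party_font_loads(page_url, text):
    """Return sorted (host, absolute_url) pairs for font resources referenced
    in HTML or CSS `text` that load from a host other than page_url's."""
    own_host = urlparse(page_url).hostname
    found = set()
    refs = LINK_HREF.findall(text) + CSS_IMPORT.findall(text) + CSS_URL.findall(text)
    for ref in refs:
        absolute = urljoin(page_url, ref)  # resolves relative and //host/ forms
        parsed = urlparse(absolute)
        host = parsed.hostname
        # data: URIs and same-host assets cause no request to a third party.
        if parsed.scheme not in ("http", "https") or host in (None, own_host):
            continue
        if host in KNOWN_FONT_HOSTS or parsed.path.lower().endswith(FONT_EXT):
            found.add((host, absolute))
    return sorted(found)

# Constructed sample markup: two hosted stylesheets, one hosted font file,
# one self-hosted subset font and one inline data: font.
SAMPLE = """
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Lato">
<link rel="stylesheet" href="/site.css">
<style>
@import url("//fonts.googleapis.com/css?family=Roboto");
@font-face { font-family: "Body"; src: url("/fonts/body-subset.woff2") format("woff2"); }
@font-face { font-family: "Head"; src: url(https://fonts.gstatic.com/s/head/v1/head.woff2); }
@font-face { font-family: "Inline"; src: url(data:font/woff2;base64,AAAA); }
</style>
"""

if __name__ == "__main__":
    for host, url in third_party_font_loads("https://example.test/index.html", SAMPLE):
        print(host, url)
```

An empty result means every font reference in the scanned text resolves to the page's own host or is inlined; stylesheets linked from the page need to be scanned the same way.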



