I am required to create the design of a website for my institution. I am not a designer or webmaster, and I am very badly informed in this area. I am already a bit stuck in the font selection.

The project budget does not allow the purchase of commercial font licences. A quick web search showed that a very convenient way to use free fonts would be to use the Google web font service. Another option would be self-hosting, but as far as I understand, it is 1) somewhat more challenging technically, and 2) more limited, as there are fonts which can be used for free through Google, but their licence does not cover that we redistribute them through hosting. (If this is not true, please correct me).

We are a European institution with high requirements for privacy. The web site in question has an area with sensitive data (R&D know-how not yet protected by patents) and we may extend it to also save some personal data of users in the future. So we are very wary of embedding external services.

What are the privacy risks connected to the use of the Google web font API? How much access will Google have to our data if we use their font service? Is it feasible to use their fonts if we wish to keep part of our website secured against unauthorized access? Or am I limited to self-hosting open source fonts?

Yes, there are privacy concerns with using Google Web Fonts. If you have strict privacy concerns you should probably not use the service. Users of Google Web Fonts are bound by Google's generic API terms of service, which include this clause:

By using our APIs, you agree that Google can use submitted information in accordance with our privacy policies, such as http://www.google.com/privacypolicy.html.

Google's privacy policy allows it to collect a large amount of data about users of its services, both to improve the service and to support it commercially. This includes log data (e.g. browser version) and location data (the IP address of your site's visitors). Sites that use Google Web Fonts are feeding data back to Google. It's possible that Google doesn't actively collect and use that data right now, but it is worth considering alternatives if you are privacy-conscious.

Font Squirrel is a great source of free fonts that can be used commercially. Several of the fonts hosted by Google, such as Open Sans, are available to download from Font Squirrel and host yourself at no charge, and it's not nearly as tricky as you might think. Their downloadable “webfont kits” include a “how to use webfonts” HTML file that talks you through it, but there are other guides to using web fonts available online.

FontSpring How To Install Web Fonts

Update:

Google now publishes some info on Google Web Fonts and privacy in their FAQ that makes Google Web Font use seem a little safer from a privacy perspective:

The Google Fonts API is designed to limit the collection, storage, and use of end-user data to what is needed to serve fonts efficiently.

Use of Google Fonts is unauthenticated. No cookies are sent by website visitors to the Fonts API. Requests to the Google Fonts API are made to resource-specific domains, such as fonts.googleapis.com, googleusercontent.com, or gstatic.com, so that your requests for fonts are separate from and do not contain any credentials you send to google.com while using other Google services that are authenticated, such as Gmail.

In order to serve fonts as quickly and efficiently as possible with the fewest requests, we cache all requests made to our servers so that your browser only contacts us when it needs to.

Requests for CSS assets are cached for 1 day. This allows us to update a stylesheet to point to a new version of a font file when it’s updated. This ensures that all visitors to websites using fonts hosted by the Google Fonts API will see the latest fonts within 24 hours of their release.

The font files themselves are cached for one year, which is long enough that the entire web gets substantially faster: When millions of websites all link to the same fonts, they are cached after visiting the first website and appear instantly on all other subsequently visited sites. We do sometimes update font files to reduce their file size, increase coverage of languages, and improve the quality of their design. The result is that website visitors send very few requests to Google: we only see 1 CSS request per font family, per day, per browser.

We do log records of the CSS and the font file requests, and access to this data is on a need-to-know basis and kept secure. We keep aggregated usage numbers to track how popular font families are, and we publish these aggregates in the Google Fonts Analytics site. From the Google web crawl, we detect which websites are using Google Fonts, and publish this in the Google Fonts BigQuery database. To learn more about the information Google collects and how it is used and secured, see Google's Privacy Policy.

  • Although I prefer not using any Google service, I don't see any problem with the fonts; the information they can track is the contents of the request headers, which is not much. Requesting fonts doesn't generate a cookie, and when having a Google cookie in the browser session (due to direct login), there didn't appear to be any communication between parts. Of course we can argue that any bit of information sent to a server is traceable and that adds up to a big database, but could you explain what the concern is in this case? If there is any, I'd like to add it to my list of "I don't like Google". – PatomaS Apr 10 '14 at 0:11
  • FontFeed touches on the privacy implications of using Google Web Fonts. It's hard to know what Google do with the data they collect, but there is potential to identify visitors of sites that use Web Fonts via the user's browser fingerprint cross-referenced with other Google services they use such as Gmail and YouTube. That may pose no problem to many webmasters, but if you don't want to leak data about your users to third parties, it's best not to link to third-party libraries. This includes omitting "Like" and "Tweet" buttons. – Nick Apr 10 '14 at 7:11
  • Thanks for your answer. After reading that article, which states the same I mentioned before, I don't see any problem. They can only track/use the headers sent, not even a cookie. I don't like Google, nor Facebook, nor Twitter, etc., but things have to be fair. There is no security risk in using their fonts. Still, it is a better idea to use fonts found on most devices naturally. But I think this subject may be better suited for the chat than the comments section. – PatomaS Apr 10 '14 at 8:02
  • Sure, we can use chat for this. The question wasn't about security risks – it was about privacy risks. I agree that Google Web Fonts present little security risk. – Nick Apr 10 '14 at 9:02
  • uuups sorry, I meant privacy instead of security, sorry. – PatomaS Apr 10 '14 at 9:27

Regarding the fonts as an aesthetic element as well as the main element for readability, you may consider using the Core fonts for the Web, which basically is a set of very common fonts that you can find on almost any device, and if those fonts are not present, there are many possible alternatives available on each device.

I'd recommend using those fonts so you avoid any other problem, but if you decide that those fonts are not what you want, you may still use them as a base for developing the site and change them later on.

If you don't have specific requirements, or your aesthetic requirements are just for headings and small fragments of text, use that set with CSS and any special text as an image.

If you decide to use some of the Google fonts, there is no security problem in using them regarding private sections of your website. That private part should be protected by some combination of user and password to avoid unauthorized access. There may be some concerns about cookies set by those fonts and the relation of navigation patterns that may be collected (which is not your private information), but I'm not sure if the request for the fonts generates a cookie.

Considering what you mention about your experience, the kind of organization and possible concerns of senior members in your organization, plus the advantage of avoiding the download of extra resources, I would use the common set of fonts mentioned above.
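
For the self-hosting route discussed in the answers above, one way to confirm that a page no longer makes visitors' browsers contact a third party for stylesheets or fonts. This is an added example, not part of the original posts; `offsite_css_refs`, the hosts `intranet.example` and `cdn.example`, and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts named in the Google Fonts FAQ quoted above; subdomains match too.
FONT_API_HOSTS = ("fonts.googleapis.com", "googleusercontent.com", "gstatic.com")
FETCHING_RELS = {"stylesheet", "preload", "preconnect", "dns-prefetch"}
CSS_URL = re.compile(r"""(?:@import\s+(?:url\(\s*)?|url\(\s*)["']?([^"')\s;]+)""", re.I)

class RefCollector(HTMLParser):
    """Collects URLs that make a browser fetch a stylesheet or font."""
    def __init__(self):
        super().__init__()
        self.refs, self.in_style = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = set((a.get("rel") or "").lower().split())
        if tag == "link" and a.get("href") and rels & FETCHING_RELS:
            self.refs.append(a["href"])
        self.in_style = tag == "style"
        self.refs += CSS_URL.findall(a.get("style") or "")  # inline style attributes
    def handle_endtag(self, tag):
        self.in_style = False
    def handle_data(self, data):
        if self.in_style:  # contents of a <style> element
            self.refs += CSS_URL.findall(data)

def offsite_css_refs(html, page_url):
    """Return sorted (host, url, is_google_fonts) for each off-site reference."""
    own, found, collector = urlparse(page_url).hostname, set(), RefCollector()
    collector.feed(html)
    collector.close()
    for ref in collector.refs:
        url = urljoin(page_url, ref)  # resolves relative and //host/path forms
        host = urlparse(url).hostname  # None for data: URLs, which stay local
        if host and host != own:
            google = any(host == h or host.endswith("." + h) for h in FONT_API_HOSTS)
            found.add((host, url, google))
    return sorted(found)

# Constructed sample page: Google Fonts link, off-site @import, self-hosted font.
SAMPLE = """<html><head>
<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans">
<style>@import url("https://cdn.example/theme.css");
@font-face { font-family: "Open Sans"; src: url(/fonts/opensans.woff2) format("woff2"); }
@font-face { font-family: "X"; src: url('https://fonts.gstatic.com/s/constructed.woff2'); }
</style></head><body></body></html>"""

if __name__ == "__main__":
    print(*offsite_css_refs(SAMPLE, "https://intranet.example/"), sep="\n")
```

The check only sees the markup it is given; fonts requested by scripts at run time are outside its view.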
