Agreed. When using a hosted font, the browser sends a full GET request. That includes all headers that service has access to: IP address, browser agent, referrer, origin, etc. Some of this depends on the site’s CORS (which are often incorrectly configured) and other settings, along with browser cache; but in general it’s just another GET.
By using the hosted font, Google is absolutely getting tracking information. Yes, they say it’s not tied to an account, though it’s easily done since they have the IP and browser / device info. True, it’s not as intensive as an analytics API, but it’s still tracking. I have no doubt that they map the font usage to account metadata in order to build and sell usage profiles. It is speculative, in the same way the person standing over a body, holding a bloody knife, is speculative of the killer. It’s close enough for their purposes. Also, many ad blockers block analytics URLs; fonts are a different matter (though you can enable font blocking in some).
For stronger security, and to prevent data leakage, when building a web application, host your own fonts. When using the web, block third-party fonts. Or if you care to go all-out, set up a forced redirect to locally hosted fallbacks instead of going out to the open web to get a font.
Google isn’t freely hosting fonts as a kindness.
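Added example, not part of the comment above: a small Node.js check that lists every stylesheet or font fetch in a page's markup that would leave the site's own origin, which is what self-hosting is meant to eliminate. `SITE_ORIGIN`, the sample markup and the function name are assumptions made for illustration, and the regex-based parsing only reads the first `rel` token.

```javascript
// Added example: list font-related fetches that leave the site's own origin.
// SITE_ORIGIN and SAMPLE_HTML are constructed for illustration.
const SITE_ORIGIN = "https://app.example";
const SAMPLE_HTML = `
<link rel="preconnect" href="https://fonts.gstatic.com">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<style>
@import url("//cdn.example.net/fonts/icons.css");
@font-face { font-family: "Body"; src: url("/fonts/body.woff2") format("woff2"); }
@font-face { font-family: "Head"; src: url(https://fonts.gstatic.com/s/head/v1/head.woff2); }
</style>`;

function externalFontRequests(markup, siteOrigin) {
  const own = new URL(siteOrigin).origin;
  const candidates = [];
  // <link> tags whose rel can trigger a stylesheet or font fetch.
  // Any cross-origin stylesheet is flagged, since it can pull in fonts.
  for (const [tag] of markup.matchAll(/<link\b[^>]*>/gi)) {
    const rel = (/\brel\s*=\s*["']?([^"'\s>]+)/i.exec(tag) || [])[1] || "";
    const href = (/\bhref\s*=\s*["']?([^"'\s>]+)/i.exec(tag) || [])[1];
    if (href && /^(stylesheet|preload|preconnect)$/i.test(rel)) {
      candidates.push({ via: "link rel=" + rel.toLowerCase(), url: href });
    }
  }
  // url(...) sources declared inside @font-face blocks.
  for (const [block] of markup.matchAll(/@font-face\s*\{[^}]*\}/gi)) {
    for (const m of block.matchAll(/url\(\s*["']?([^"')\s]+)/gi)) {
      candidates.push({ via: "@font-face", url: m[1] });
    }
  }
  // @import of another stylesheet, with or without url(...).
  for (const m of markup.matchAll(/@import\s+(?:url\(\s*)?["']?([^"')\s;]+)/gi)) {
    candidates.push({ via: "@import", url: m[1] });
  }
  const findings = [];
  for (const c of candidates) {
    let resolved;
    try { resolved = new URL(c.url, siteOrigin); } catch { continue; }
    if (!/^https?:$/.test(resolved.protocol)) continue; // data: URIs stay local
    if (resolved.origin !== own) {
      findings.push({ via: c.via, origin: resolved.origin, url: resolved.href });
    }
  }
  return findings;
}

for (const f of externalFontRequests(SAMPLE_HTML, SITE_ORIGIN)) {
  console.log(f.via + " -> " + f.origin);
}
```

An empty result for a built page means no visitor request for fonts goes to a third party; pairing it with a `Content-Security-Policy` of `font-src 'self'` makes the browser enforce the same thing.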