[www.kde.org] [Bug 376291] New kde.org adds tracking by 3rd-party, googleapis.com

Ken Vermette bugzilla_noreply at kde.org
Sun Feb 12 10:58:52 UTC 2017


https://bugs.kde.org/show_bug.cgi?id=376291

Ken Vermette <vermette at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vermette at gmail.com

--- Comment #1 from Ken Vermette <vermette at gmail.com> ---
Google doesn't use Google fonts as a tracking mechanism, at least, not in the
way that any website doesn't do by nature with basic traffic logging.

See:
https://developers.google.com/fonts/faq#what_does_using_the_google_fonts_api_mean_for_the_privacy_of_my_users

Google doesn't have cookies for web fonts, uses heavy caching (meaning only the
first hit a day for a font - from anywhere - may be logged), and other things.
The only metrics Google states they collect from web fonts are "which fonts are
popular", and "which websites use fonts", but neither of them is
user-specific. Additionally, browsers properly implementing HTTPS should not
provide referral information *at all* to included resources - not even the
domain referring.

Noto is made by Google, and Google updates the web fonts regularly. I don't
know how often the font is adjusted or added to, but it was a consideration.
Serving the font ourselves will cost us a little extra load without the caching
(nothing anyone will ever notice, but still - it can add up if we aren't
careful), and the font may periodically fall out-of-date.

All that being said, while I personally don't consider the use of Google Fonts
as a breach of privacy or introduction of tracking, I understand the concern.
KDE also prides itself on privacy, and even the *opportunity* to glean some
small amount of information from our service could be considered an issue. Even
the perception of tracking may be enough in some cases.

If someone really paranoid disables third-party resources to ensure no tracking
can happen, the downsides will be marginal; either an existing Noto on their
machine will be used, or it will fall back to a similar looking sans font.

I'm neutral on moving the font resources to our server, but knowing that fonts
are not a viable form of tracking to Google nor one that they claim to try
using, I'd like to ask if this is still considered an issue; if it is, I'll go
ahead and do the switch.

-- 
You are receiving this mail because:
You are the assignee for the bug.