How to deal with Google Fonts “data breach”?

Update: Since 09/2022 all the bundled skins can download Google Fonts and use them locally, which does not fall under the scope of the GDPR law. Just turn on Settings / skinName / Advanced / Copy Google Fonts to the album.


Recently, we’ve heard some German users were threatened by law firms, because of the Google Fonts used on their sites.

Allegedly those firms use bots to collect the sites that use Google Fonts. This way they can find even small sites visited by only a handful of people (perhaps relatives only), which pose no risk to their visitors’ privacy. At first, I thought these firms were some kind of mafia masquerading as legal businesses, but they turned out to be real law firms. I believe that if they were “bona fide” actors, they would not have threatened website owners with a lawsuit right away; they could have called their attention to the problem first.

In January 2022 a German court fined a website €100 for leaking their visitors’ IP addresses via Google Fonts without their consent. Here’s an article on the matter. So far nobody has paid attention to IP addresses, which normally tell a website where to send the requested content back. This is how the internet has worked for the past 30 years. For most home users these IP addresses are dynamic, i.e. they change daily, and only the internet service provider can tell who had a particular IP address at a given time. Those who were afraid of revealing their IP were, I believe, already using anonymizers like VPNs or privacy-focused browsers (Tor).

Now, this court has decided that it is the website that is responsible for hiding the user’s IP from a service, even though the website itself doesn’t even know whether the user has an IP address at all. It is the browser that sends the IP address to Google Fonts, and for the majority of users that browser is Google Chrome; we also use Google Search, Google Drive, Android and hundreds of other services a day that reveal our IPs to Google. As the saying goes: “Google knows you better than you know yourself”. You can’t stop Google from spying on you with a consent dialog.

Can you imagine how many dialogs you would have to “OK” if the dream of the inventors of the GDPR law came true? Thousands a day. Site visitors already take these popups as a pure annoyance and click them away without a thought. What do they expect to happen when a visitor is presented with the choice of revealing their IP or not? Will they refuse to visit the site because of this? Most people have no idea what an IP is, anyway. How do we expect them to make an educated decision?

Wouldn’t it be a better approach if we had such preferences managed by the browser? It’s easier to ask once if a user trusts Google Fonts than on every website.

It’s a lawyer’s world. I remember I once had a car that made me accept an agreement every time I got in, promising that I would not be distracted by the car’s entertainment system. Most of the time I had to do this while driving. What if I sued the lawmakers for distracting me from driving? 😉

In the case of heavyweight data-harvesting services like Google Analytics or Facebook, it’s easy to ask the visitor and avoid loading them if they refuse. However, with Google Fonts or jQuery loaded from a third-party server, “the damage is already done” by the time the consent dialog pops up: the browser has already requested the font or script file, and with it disclosed the visitor’s IP, so there’s no way of handling it nicely. You either refrain completely from using those services or you “violate the law”.

What can you do to avoid “lawyers”?

First off, turn on Avoid using Content Delivery Networks under the Settings / SkinName / Advanced panel, provided the skin offers this option. A “Content Delivery Network” is a third-party service that makes it quicker to load some external libraries, which means the visitor’s browser contacts that third party directly, just as it does with Google Fonts. Even though the current wave of blackmail does not mention this, I’m afraid this might be their next target.

Then choose a font that is not from Google under Settings / SkinName / Site / Typography / Font family. Anything at or above “Verdana” in the list will do. Choose [Same as base font] as the Headline font.

Once ready with the settings, hit “Make album” and “Upload”.

Needless to say, this affects only sites in the EU. And it seems, besides Germany, nobody takes this seriously.

We are currently working on a solution that copies those fonts from Google to the target site during the upload process, so visitors’ browsers fetch them from your own site and no visitor IPs are disclosed to Google.
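The two halves of the workaround described above (avoiding CDNs and serving the fonts from your own site, which is what the Copy Google Fonts option in the update at the top achieves) can be checked and reproduced with a small script. The following Python is an added example, not code from the original post and not the skins’ own implementation. The host list, the local file naming, and the sample HTML and CSS are constructed assumptions: the audit lists the third-party hosts a generated page would make a visitor’s browser contact, and the rewrite turns a Google Fonts stylesheet into one that points at local copies, returning the list of files the site owner has to download once at publishing time.

```python
"""Audit a generated page for third-party font/CDN references and rewrite a
Google Fonts stylesheet so the visitor's browser never contacts Google.

Added example; not the jAlbum skins' code. Host list, naming scheme and
sample inputs are constructed for illustration."""
import os
import re
import urllib.request
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Hosts the visitor's browser must not be sent to if the page is to stay
# self-contained (constructed list; extend it with the CDNs your skin uses).
THIRD_PARTY_HOSTS = {
    "fonts.googleapis.com",
    "fonts.gstatic.com",
    "ajax.googleapis.com",
    "cdnjs.cloudflare.com",
    "code.jquery.com",
}

# src/href attributes in HTML and url(...) references in CSS.
_ATTR_RE = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.I)
_URL_RE = re.compile(r"""url\(\s*["']?([^"')]+)["']?\s*\)""", re.I)


def external_hosts(document: str) -> set[str]:
    """Return the listed third-party hosts a browser would contact when
    rendering *document* (HTML or CSS). An empty set means no visitor IP
    leaves your own server for fonts or libraries."""
    hosts = set()
    for ref in _ATTR_RE.findall(document) + _URL_RE.findall(document):
        if ref.startswith("//"):
            ref = "https:" + ref  # protocol-relative URL still goes off-site
        host = urlparse(ref).hostname
        if host and host.lower() in THIRD_PARTY_HOSTS:
            hosts.add(host.lower())
    return hosts


def localize_font_css(css: str, local_dir: str = "fonts"):
    """Rewrite url(...) entries pointing at fonts.gstatic.com to local paths.

    Returns (rewritten_css, downloads) where downloads is a list of
    (remote_url, local_path) pairs to fetch at build time. Google's font
    file names are content-hashed, so the basename is kept as the local name
    (assumption; use more of the path if you mirror other hosts too)."""
    downloads: list[tuple[str, str]] = []

    def _replace(match: re.Match) -> str:
        url = match.group(1)
        if urlparse(url).hostname != "fonts.gstatic.com":
            return match.group(0)  # leave unrelated references untouched
        local = f"{local_dir}/{PurePosixPath(urlparse(url).path).name}"
        if (url, local) not in downloads:
            downloads.append((url, local))
        return f"url({local})"

    return _URL_RE.sub(_replace, css), downloads


def download_fonts(downloads, dest_root: str = ".") -> None:
    """Fetch the font files once, at publishing time, from the site owner's
    machine. Needs network access; not exercised by the sample run below."""
    for remote, local in downloads:
        target = os.path.join(dest_root, local)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        urllib.request.urlretrieve(remote, target)


# Constructed sample inputs resembling what a skin emits with CDNs enabled.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto&display=swap">
<script src="//ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<link rel="stylesheet" href="css/style.css">
</head><body></body></html>"""

SAMPLE_CSS = """@font-face {
  font-family: 'Roboto';
  font-style: normal;
  font-weight: 400;
  src: url(https://fonts.gstatic.com/s/roboto/v30/sample-roboto-regular.woff2) format('woff2');
}
body { background: url("img/bg.png"); }"""

if __name__ == "__main__":
    print("page contacts:", sorted(external_hosts(SAMPLE_HTML)) or "nothing off-site")
    rewritten, todo = localize_font_css(SAMPLE_CSS)
    print("fonts to copy at build time:", todo)
    print("rewritten css contacts:", sorted(external_hosts(rewritten)) or "nothing off-site")
```

Run the audit over every generated HTML and CSS file after Make album; once the stylesheet has been rewritten and the font files copied into the album, `external_hosts` should come back empty for all of them, which is the condition under which the visitor’s IP address never reaches Google.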