And what disadvantages? Like pricing or licensing terms?
When you use Google fonts, they track every request you send them, building profiles on your customers/users and selling that data. They are also able to know your complete visitor stats including location, interests, computer info, time in the site, and damn near anything else.
If you care about that, source your own font from your servers.
How? You make an unauthenticated request to the cdn to get the font data. So they get IP and user agent, but no site cookies or other scripts are loaded. I’m not trying to defend them; fuck Google, but it is definitely not like other analytics services from Google. So, computer info (beyond user agent), time on site, interests, etc. is speculative at most.
To clarify, when I say “speculative”, I mean they are speculating your identity, not that your assessment is speculative. They can make a pretty good estimate of who you are even behind nat and use that with graph resolution to maybe surmise those details about you, but it isn’t deterministic like the analytics api. And they “promise” they aren’t doing that with the fonts api, but obviously they aren’t to be trusted.
Agreed. When using a hosted font, the browser sends a full GET request. That includes all headers that service has access to. IP address, browser agent, referrer, origin, etc. Some of this depends on the site’s CORS (which are often incorrectly configured) and other settings, along with browser cache; but in general it’s just another GET.
By using the hosted font, Google is absolutely getting tracking information. Yes, they say it’s not tied to an account, though it’s easily done since they have the IP and browser / device info. True, it’s not as intensive as an analytics api, but it’s still tracking. I have no doubt that they map the font usage to account metadata in order to build and sell usage profiles. It is speculative, in the same way the person standing over a body, holding a bloody knife is speculative of the killer. It’s close enough for their purposes. Also, many ad blockers block analytics urls, fonts are a different matter (though you can enable font blocking in some.)
For stronger security, and to prevent data leakage, when building a web application, host your own fonts. When using the web, block third party fonts. Or if you care to go all-out, setup a forced redirect to locally hosted fallbacks instead of going out to the open web to get a font.
Google isn’t freely hosting fonts as a kindness.
Browser fingerprinting is surprisingly accurate. Any other you site you visit which uses google analytics (which is like all of them) with the same fingerprint is then linked up, so voila the user is no longer anonymous. The categories that your site may be catering to are therefore added to the profile. Each page request on this site loads the font file again, adding to the perceived time on the site (that is, take last request time - first request time, now you have a pretty good estimate). The point is that while it’s not invasive and exact as running google’s js on your site, it does add to their user profile which Google sells to brokers and all that crap. My point being that they can gather a lot more info than one would think when only Google Fonts is used on a site.
These days, you also likely get faster loading times when you self-host the font, because it can be sent through the same HTTPS connection and because caching doesn’t work anymore like it used to many years ago (cached files aren’t shared anymore between websites).
Designers would tell you the quality is typically better on a professionally designed and commercially sold/licensed font, although there have been some excellent FOSS fonts in recent years, usually because of someone paying professionals to put the same effort into the font but then releasing it under a Free or Open license. The drawback of commercial fonts is mainly cost, especially for some popular fonts. The cost can vary depending on your intended use, such as one price for print material, a different price for web use or app use, and online uses might even be licensed for how many visitors a site has. Like, a license might only cover 100,000 visitors per month.
And as others have mentioned, Google Fonts as a service is “free” but as with many Google offerings comes at the cost of additional Google tracking. They’re mainly using Free/Open fonts so they don’t have to pay licensing fees, not really out of support for free software. They have a lot of offerings that are mediocre ripoffs of commercial fonts.
Butterick’s Practical Typography has a few recommendations on Free/Open fonts. The whole “book” is something I recommend reading to anyone who has even a passing interest in making their written work look more professional.
When I was contracted by the military we weren’t allowed to use hosted foss fonts because they were considered a vector for attack if the font server were compromised. A font you host yourself is safe in that respect. One might suppose a commercial entity would be safer, but I wouldn’t say that is necessarily so.
