Google Webfonts, The Spy Inside?

Fonts in Use, News | Yves Peters | January 22, 2014

Since The FontFeed is a WordPress blog, an article mentioned by Erik van Blokland caught my attention. On his private blog, web developer xwolf – alias of Wolfgang Wiese – wrote about an intriguing “side-effect” of the use of Google webfonts in the new WP3.8. The release introduced a refreshed back-end for WordPress – it all looks quite good indeed and usability is satisfactory. However, the developers did something that is not entirely fine in these times of constant surveillance and harvesting of metadata by official agencies and criminals alike. Along with the new back-end, the use of Open Sans was introduced. When a user is logged in, the fonts are not served locally but from Google webfonts. This creates privacy issues.

The HTML source code looks like this:

The justification for the decision to serve Google webfonts in the WP3.8 back-end can be found in the post Open Sans, bundling vs. linking on the WordPress website. The piece spawned a lengthy comment thread in which Kiwi WordPress developer Ryan Hellyer also pointed out the privacy issues.

I suspect that bundling scripts into WordPress core will create privacy concerns for many people. The ability to perform analytics via them will disturb a small segment of the user-base.

It may even be illegal in some countries. Germany springs to mind in regards to that. They’re already super ticked off about being spied on at the moment, so I think it might be best if WordPress doesn’t join the party too.

And yes, you can install a plugin to force them to be self-hosted, but many people will just unwittingly hit the “update” button without ever realising that they’re opening themselves up to privacy issues.

According to Wolfgang Wiese the solution is a plugin called Disable Google Fonts. As its name implies, its sole function is to prevent loading of Google webfonts by WordPress and bundled themes (Twenty Twelve, Twenty Thirteen, Twenty Fourteen). Wolfgang recommends that every single person who has a personal WordPress installation should immediately install the plugin too. Its developer Milan Dinić sums up a couple of reasons why you don’t want to load fonts from Google’s servers:

  • privacy and security (Google knows about each page view)
  • local development or production (no or limited Internet access)
  • availability of Google’s servers (some countries block access to Google)
  • language support (these fonts have limited characters support)
  • performance (Google’s servers are hit on each page view)

So what exactly is the problem? The problem is that this provides Google Inc. – a company listed on the stock exchange whose core business is trading metadata – with yet another “tracking station”. User access can be tracked by gathering at least the header data of the connection request. This also includes cookies from the Google domain. Google learns that someone has an Administrator or Editor account for a certain website, and has a relationship to that site. But not only Google. Other websites also use Google webfonts; some of them in their themes and some regular users. Furthermore, certain websites integrate Google Adsense and use Google Analytics.

As with mobile positioning, it is not possible to see where people go. But thanks to cookie IDs, or alternatively other unique data, Google can “see” whether someone logs on to a website or whether the other website is simply called up. If the account eventually calls up another website that allows Google to connect personal data to it (for example Google+ or YouTube), then the company knows who owns that account.

It’s all about metadata after all. By itself, on one single website, this may seem harmless. But by collecting and merging the metadata of several websites comprehensive tracking becomes possible. And not only that – the fact that the WordPress folks now embedded Open Sans only in the back-end allows Google to gain a valuable attribute – it finds out whether there is a working relationship between the account (the owner) and the website.
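The back-end-only embedding described above can be checked on one's own installation by comparing the third-party hosts a public page and a logged-in page make the browser contact. The following is an added example, not code from the original article or from WordPress; the hosts `blog.example` and `stats.example.net` and both HTML snippets are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose URL a browser fetches without user interaction.
AUTO_FETCH = {"link": "href", "script": "src", "img": "src", "iframe": "src"}
# <link rel=...> values that do not cause a fetch when the page loads.
PASSIVE_REL = {"canonical", "alternate", "next", "prev", "author", "license"}

class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.own_host = urlsplit(page_url).hostname
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(AUTO_FETCH.get(tag, ""))
        if not url:
            return
        rel = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and rel <= PASSIVE_REL:
            return
        # urljoin resolves relative and protocol-relative ("//host/...") URLs.
        host = urlsplit(urljoin(self.page_url, url)).hostname
        if host and host != self.own_host:
            self.hosts.add(host)

def third_party_hosts(page_url, html):
    """Hosts other than the page's own that the markup makes a browser contact."""
    collector = _Collector(page_url)
    collector.feed(html)
    return collector.hosts

def login_only_hosts(front, back):
    """Third-party hosts contacted from the logged-in page but not the public one."""
    return third_party_hosts(*back) - third_party_hosts(*front)

# Constructed sample pages (hypothetical hosts and markup, not WordPress output).
FRONT = ("https://blog.example/", """
<link rel="stylesheet" href="/wp-content/themes/site/style.css">
<link rel="canonical" href="https://www.blog.example/">
<script src="https://stats.example.net/t.js"></script>""")
BACK = ("https://blog.example/wp-admin/index.php", """
<link rel='stylesheet' href='//fonts.googleapis.com/css?family=Open+Sans' />
<link rel="stylesheet" href="/wp-admin/css/wp-admin.min.css">
<script src="https://stats.example.net/t.js"></script>""")
if __name__ == "__main__":
    print(sorted(login_only_hosts(FRONT, BACK)))
```

Only static markup is inspected; resources pulled in by CSS `@import` or by scripts show up only in the browser's network log.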

In his post Wolfgang sarcastically thanks the design team at WordPress for delivering his personal data to Google for a minimal gain in performance. He cannot really understand why web designers would embed Google webfonts without thinking twice, opening themselves up to possible privacy issues simply because it is so beautifully simple and the download file for the current theme is smaller. Or because others do it this way.

Because he also owns themes and plugins and has programmed his own CMS, Wolfgang knows very well how little effort is needed. He doesn’t get why it would be so hard to simply offer the option instead of having Google webfonts downloaded by default. One can use Google webfonts with confidence, but should do it consciously, and include the option to switch them off. He thinks it’s just plain laziness or incompetence on the part of web designers/developers, because all it takes is a few lines of code to make Theme Options.

Google is not the ultimate bad guy. Yet it should stick to its motto “don’t be evil”. If some day in the future the NSA waltzes in with a warrant or if economic interests come to the fore. There have been other companies that once were “good”, but became less savoury due to changes in management.

Read the original article in German here.



  1. Nice post.

    Could you give some examples of “well-known” computer industry companies that once were “good” but became less savoury, from your point of view of course.

    I am looking for examples for a presentation I will have to do on free software and privacy.

    One which came in mind is Sun of course, but I need more illustrating examples.

    Posted by Bruno BEAUFILS on Jan. 22, 2014
  2. In WordPress, users with the ‘Subscriber’ role can modify their profile settings via /wp-admin/. Your assertion that Google will know who has posting abilities on a WordPress site based on metadata from the Font API is therefore false.

    Posted by Shane Gowland on Jan. 22, 2014
  3. Will FontFont be removing its fonts from all web font services and only allowing self-hosting? :)

    Posted by Dave on Jan. 22, 2014
  4. Bruno, many people considered “Gator Corporation” good. It would fill out web forms for you and make things so convenient – many, MANY years before this functionality would be built in to browsers. They quickly became ad-ware, installed along with other applications without people knowing, and THEN people found out that the ‘pre-filled-form’ data (like your address and phone number and even more) was being sold to advertisers.

    They have since changed their name and some of their business model.


    Shane, changing your personal settings away from the default behavior does not make his statement about the default behavior false. It just means that there is a workaround available.


    I do wonder if this behavior will be changed (fonts stored locally) in the next update to WordPress now that there have been the beginnings of a backlash?

    Posted by NuAngel on Jan. 22, 2014
  5. I argued against Google-hosted fonts in core on both and on Trac. Others chimed in sharing the same privacy concerns and we were all ignored and marginalized. This is a bigger deal than most people think it is… although “most people” don’t even realize it’s happening. They’re just people using the software that have no idea every single page load of their site is being reported to Google (and Automattic for that matter).

    Posted by John Parris on Jan. 22, 2014
  6. Thank you for your post

    I’ve coded a simple WordPress plugin to use your custom version of Open Sans and avoid Google Fonts :

    Posted by Darklg on Jan. 22, 2014
  7. Careful Dave, you may give the FontFont people ideas! They could decide to dedicate their considerable resources and legions of employees to start tracking, collecting and trading metadata. : P

    Of course they would need to stop producing fonts, because that happens to be their core business, not a mere aside that is eroding the type design industry.

    Posted by Yves Peters on Jan. 22, 2014
  8. i was curious and checked in the web inspector and i don’t see google web fonts sending any cookies at all. i do see it sending the useragent string and accept-language which is useful for font subsetting. the css you request from google is cached for a day, the woffs you load are edge-cached for a year. most people that aren’t clearing their caches every day probably request the actual font file once every few months and the css once a day. it’s ok to speculate about google’s motives, but i suspect you and i see the same thing in the web inspector. don’t lie about the data being collected though, it seriously damages your point.

    Posted by Marcos Ojeda on Jan. 22, 2014
  9. > the css you request from google is cached for a day
    That’s not true for me. Google’s answer sets “expires” to the request time in my case, so the CSS is immediately expired and will not be cached.

    I noticed the Google thing since I have a WP site locally running and sometimes have no inet connection. Every page call was horribly slow because of loading Gf with every request. Try it by yourself.

    And so sorry about this, but: obviously the whole thing is part of global spying on user data. Even every theme WP ships with core comes with Googlefonts enabled. That’s not by accident.


    Posted by Frank on Mar. 24, 2014
  10. Nice made post buddy. I also don’t like idea of using google fonts in website (admin interface). Either for privacy or performance issues. I wrote an article about it

    Posted by Jasom on Apr. 7, 2014
  11. Great post.

    Open Sans should definitely be abandoned for as long as it has to be loaded from Google’s CDN. WordPress’s core values are (or should be) completely irreconcilable with Google’s when it comes to privacy and personal data.

    The thinking on this matter has been completely the wrong way around. Open Sans (yes, it’s a gorgeous font – but get over it people! Looks aren’t everything, right?! How perfectly a Google-loaded Open Sans shows how shallow beauty can be…) should never have been considered until it could be served up from within WordPress itself.

    And the argument I’ve seen saying “Well, anyone who doesn’t like it can use a plugin like Disable Google Fonts” is really weak. It’s the old “Well you can opt out if you don’t like it” argument. Most people don’t want to be wasting their precious time having to check if their WordPress website is sending a load of personal information to a third party like Google. They instead would assume that – what with WordPress’s core values and all – OF COURSE WordPress doesn’t do that, does it?

    The WordPress team should be taking a much more protective role towards its users. It should be saying “We’ll do everything we can to protect the personal data of anyone visiting your site, and make sure nothing leaks out to any third parties. We’ll do this so you don’t have to waste time checking this yourself”.

    I should stress that I don’t want to sound ungrateful to everyone behind WordPress. I love WordPress and think everyone who’s helped build and develop it has done an amazing job, but I think in the area of privacy and protecting personal data, a different attitude is needed. I’m always disappointed to see that almost everything I read online about using Google Analytics on a WordPress website never mentions the enormous privacy issue this causes.

    Anyway, I think I need to go for a lie-down now…

    Posted by Daniel on Apr. 10, 2014
  12. Thanks. Great post

    Posted by on Apr. 27, 2014
  13. Thanks for this. I’m working in China and using Googlefonts can cause a web site to slow to unusable speeds. Works a treat.

    Posted by iain on Jun. 8, 2014
  14. Posted by Dave on Aug. 2, 2014
  15. The plugin, mentioned by Darklg is now available on

    Posted by David on Oct. 29, 2014
  16. If you’re logged in and have the admin toolbar enabled (on by default) then the font is loaded on _every_ page view, even on the front-end.

    Posted by Allan Kenneth on Feb. 20, 2015
  17. Unfortunately, even the plugin won’t stop the remote fonts from being called on the database upgrade and install pages, where plugins can’t prevent it.

    Posted by bluedauber on Feb. 20, 2015
  18. Oh the irony. Viewing this page causes requests to be sent to:

    And that is a small list compared to most other sites. Yes google fonts is one of the paths by which we leak our visits, but it’s far from being the only one.

    Posted by Eric Muller on Feb. 21, 2015
  19. All google fonts does is link to a stylesheet. There’s no cookie tracking or script injection. If you’re that paranoid every google service is spying on you then remove google analytics from this site and serve your own damn scripts instead of hot linking to

    Posted by Donald on Feb. 23, 2015
