Naughty fonts, new graphics, and privacy

I’ve been working on some small graphics updates which turned into a much larger project than initially planned.

Word around the web dev community is that it’s best practice to make some graphics using “web fonts” instead of just using a jpg or gif image – so I embarked on the process to convert some of the little graphics that I think will make our menus a little sexier, and to convert our new logo style into an actual system font style instead of relying on a picture created in photoshop.

Now I have to wonder if all of our users will be able to see the graphics just fine, or if some devices will fail to load them due to various settings?

Before you click over to see if these font icons and script logos work, be aware that there has been a little debate about web fonts and system fonts being used to “browser fingerprint” people.

In short when you visit places around the web, even if you have certain privacy safeguards, it may be possible for someone to look at bits of info that our web browsers provide to web servers – things like “firefox, windows 7, ip addy, flash plugin, list of fonts on your computer” – it may be possible for agencies to identify who you are based on just a couple of those parameters, and I am not sure if our custom fonts being “cached” by your browser would make that situation worse. My quick research via the https://panopticlick.eff.org only shows my system installed fonts, and not the “web fonts” I have cached.. However if you were trying to hide your porn surfing at work using a vpn, it would simple for the tech people to dig into your cached images and fonts and determine if you have been to certain web sites – even if you clear your browsing history and such. I am not an expert on these things, but thought I should mention it as some will want to research these things further.

So if you are not paranoid about people finding out you visited scsc – then I’d like to ask that you check out this updated live sex chat page – and tell me if you do not see the graphics like they are supposed to appear.

scsc-fonts-missing-code-showing

scsc fonts missing – code showing, no cursive logo

scsc font updates sexy icons - cursive logo

scsc font updates sexy icons, cursive logo

I test with a couple of browsers – but I know we have people that visit using netbooks, ipads, and all sorts of browser / device combos. If the graphics are not working on a certain setup I’d like to know as soon as possible before I update the rest of the web site pages!

Making a new logo, and making it with fonts instead of gif images

Our old old logo was done as an image file, which back in the day it was the only way to get browsers to display text a little fancier than the standard Times / Arial / Verdana (group of a dozen or so “standard” fonts the web was stuck with) – things have changed and we are updating for the times. There has been talk about smaller screen not rendering logo images properly, and super hi res “retina” type displays making these image logos and others not look as intended either. So the idea is to convert your graphics into vector or svg type of fonts so that the web browser will be able to scale it to look sharp on small screen or hi rez devices, and large monitors.

emoji-working-in-peeps-posts

emoji now work in peeps blog posts

In related graphics site news

The peeps section now has some emoji options for those who have created their own site/blog there. There may also be an option for emoji keyboard entries and display when doing status updates and private messages to other peeps member’s profiles. I have not tested any of that yet, but hopefully it is working and we will see if we can get that option added to the mv chat system in the future.

More info about the fonts and icons we are starting to roll out site wide

Many of the icons and font letters were “mashed up” from various open-license fonts and icon sets. We have a list of these licenses posted on our humans/txt file, which is a work in progress, I hope to get some details about all that on our about us page when I get the new version of that uploaded. Some of the icons used were bought images and licenses for use by us. A few of the naughty icons I just ended up making with graphics software, as I could not find ones that worked quite right in the small line style that was needed.

The decision to pull some of these fonts onto our web site and web server was not quick. I had to debate things like privacy tradeoffs

It could be better to have our logo font simply hosted on google fonts, or another CDN service –
This usually means they would load very fast, and in some cases people have these already “cached” in their browser memory from visiting another web site that also uses the same font hosted by google.

When I first started reading about google fonts, I was under the impression that they did not track their usage – however I recently read the fonts terms of service, and I am not sure that what they are saying is they really do not track it’s usage. I was also disappointed to see that they set their “cache expiration” to be short (like a couple days I think) – which means even if someone had the font cached in the browser – it would be re-downloaded from googles servers every two days anyway. Of course that means if they updated a font it would be seen… but I think that decision was made to enhance the tracking – I mean some of the fonts there are more than a decade old – what are the odds there will be updates to them every two days?

Of course hosting fonts on third party servers is popular with many web sites and theme designers. It sure sounds nice to offload some of the server load and put the blame on a third party if your fonts don’t load quickly. However I think people are not reading between the lines of the privacy implications and there is no guarantee that another companies servers will always be serving up your chosen resources in a timely manner – if at all in the future.

It’s certainly easier to add a line of code that uses the big G or another parties servers to handle new fonts and other tasks – however I think the long term trade offs are not worth it.

Those thoughts led into the browser fingerprinting thing mentioned above, and I had to weigh the privacy issue of G fonts vs custom fonts and what the risks / rewards of each – and decided it would be worth the extra work and tiny bit of our web server cpu to simply bundle and provide them ourselves.

From what I gather there are even stronger methods for browser fingerprinting – using something called canvas I think – and most likely your workplace, your ISP, and your guv agencies are already recoding every url you visit and storing that info for years – the real threat with “device fingerprinting” is the evil advertising agencies who want to unmask you all around the web and there may be more ways to do so than most think about. Your roommate is probably not going to check your cached fonts to see if you surf sex sites on their laptop.

Unfortunately not every web site or theme designer goes this deep in their thinking – and I wish there was an easy, automatic warnings system built in web browsers to automatically warn you when third party resources are loading into the page you are viewing.

If you read a news article about STDs (just read one that says there’s a new app for that!) – and the page has a facebook likes button, a twitter shares button, a pin this button, an “addthis”, “share this” or “add to any bar”, some google fonts and some double click ads or other third party resources, it would be nice to know that by viewing the page your personal info was just given to all these different companies and who knows who is getting that info from them or what they may use it for.

For some easy on the eyes details of how some of these things work against your privacy, and how they appear on some controversial sites and subjects, along with some thoughts on how your trail of surfing can be combined and used – see this article on Vice.com – looking-up-symptoms-online? these-companies-are-collecting-your-data

This is not always the case –

Not all web pages that show social sharing buttons are using scripts from third parties to display them.

We have some of these buttons on some pages on our site – but we go through a bit of effort to host as many of these resources on our own servers as possible. We will be working through to whittle it down even more. Right now most of the share buttons / icons we have around the site do not load from other places and give up the fact you visited here. If you were running a browser plugin like disconnect or ghostery you would likely see that most websites try to load a bunch of web page assets from other places (And most can be blocked with those plugins) – however I don’t think there is a notice for loading fonts, maybe one day that will change.

I have seen that firefox has an optional “settings” to prevent fonts from displaying as web pages instruct them to be, but nothing I found that is uber user friendly at the moment – like a pop up box that warns and explains, then lets you decide to allow them to load in or not.

Warning! If you click a link (like the one to developers G below) – when you click, the web site you visit automatically gets details about your web browser, your IP addy, and the referring page. In other words clicking the link below will tell google you were on sex chat sexchat / blog / post name.. if you want to avoid web sites getting an auto log of where you just came from, it would be better to copy the link, then go to a place like startpage.com (or any other site) – then past that link into your browser url bar… or do a search for the link on a non tracking place like duckduckgo search or something. This is how most of servers work automatically – it’s not something that is unique to google or anything.

The google fonts privacy statement does say they are limiting what data they collect and how they store the little bit they do – so it’s not as evil as say the google adwords / double-click tracking and data sharing policy; however the end of the privacy statement from https://developers.google.com/fonts/faq#what-does-using-the-google-fonts-api-mean-for-the-privacy-of-my-users – says that there is some data stored and although they limit access to that usage data, it’s there if some agency or department demanded it. At least that’s how I read it.

There is nothing saying these tracking terms do not change in the future either.

As I dig through this journey of web fonts I discovered that the standard wordpress install now includes google web fonts in the admin backend and with the basic packaged themes. WordPress powers about 25% of the web sites on the main internet? We use it to power this blog section, and parts of the peeps section as well. Come to find out the theme designers we used as a base to mod our designs for these section also incorporated other google fonts. So that means that visits to these sections of our site have been pinging the big G servers for requests. I am not happy about this, even though I have seen a few articles that say Google is not using the font servers for tracking, I remember a while back when facebook said they were not using embedded buttons for tracking – then changed that policy a year or so later (I think.. pretty sure I read that somewhere) – anyhow I am digging into the backend code to see how I can remove those third party font loads from those sections of the site just as being extra sensitive to privacy concerns more than anything.

As a designer I love web fonts and the power to have more than the dozen or so options that we were stuck with years ago. I think it makes the web a much prettier place. However I think some more transparency needs to be built in with web browsers, and web site designers, web site owners, and internet surfers should be more educated about the automatic tracking that occurs when pages pull from third party sites.

I personally email business owners and complain to them when they employ “share this” or “add to any” or similar third party sharing scripts. It’s not that hard to code these things (these days… back in the early days it was more of a challenge) as self hosted buttons, so there is little reason to sacrifice your visitors privacy and their surfing habits data chain to countless others in the name of fast and cheap deployment of something that is rarely used anyway.

For disclosure and transparency

I admit that I have deployed some of those easy to share button scripts using third parties on a couple of web sites in the past. As of this moment am still using those services there. It’s on my to do list to get those changed out – but likely it will be months, if ever, that I get to those rarely visited web sites. On some side projects we use double click and google adwords (non adult related) – so be aware that some of my opinions about some of these services are thoughts in relation to sites and activities that I think should be completely confidential (sex sites, medical sites, etc) – however I do use and (sometimes unfortunately) support and promote some of the services that I say do some bad things here, in other projects.

The social sharing buttons at the end of this post, and around the blog section are loaded from our servers – not pulled via assets or scripts from third parties. As with most of our site pages. However if you click over to the like us, love us, bookmarks us page – as of this moment, that page does pull info from google plus servers, and pinterest servers in order to enhance the usability of their shares / pins buttons. We may change this.

We are also working to limit the third party font loading that was bundled with wordpress updates and the base themes we use in the blog section and peeps section.

Wow – if you made it this far in this post then I really appreciate you going down these thought processes with me. I hope this info is helpful – albeit not complete. It should give you some things to research, perhaps using duckduckgo.com or startpage.com search engines 😉 – as always I listen to comments from anyone who posts them, so chime in if you like!

scsc – privacy is important to us, and we do what we can to help our visitors maintain privacy here, and hopefully elsewhere as well.

One Comment:

  1. I should of also mentioned that there are some easy methods for avoiding some of this browser fingerprinting and tracking… I’m not 100% sure that doing things in this manner will prevent the canvas type and some others.. but I have seen some suggestions from people who know about this stuff that just makes sense is nothing else for some added internet security.

    For one – it is probably best to use one browser for general internet surfing, and a different web browser for porn surfing, and a third browser that you use when doing something serious like online banking.

    Using three different web browsers will certainly help with some things, and that should be easy for most to do.

    For even more added security, it is possible to use a USB stick (or even an SD card in a USB adapter – that can run a portable version of firefox (or other browser) – there are some I have seen on the market and some packages you can simply download and run yourself. By doing this.. when you launch the browser from USB – it gets any cookies and crap like that.. and when you stop surfing – pull the stick and you take cached fonts and stuff with you.

    Doing that still gives up some of your info, but it does compartmentalize some things.

    If you are really paranoid about it – you can download a version of linux that can be run from a CD (not cd-rw – a burn once CD) – and run linux with firefox to surf either as the loaded OS or in a windows virtual container – this would limit the view-ablity of your main system fonts, and prevent web sites from adding cookies or caching fonts to your system.

    I’m guessing there are more things that could be done – and hopefully future web browsers and plugins will address these things better. For now there are a few more things you can research.

    Again these are some things I have seen around the web, please research them on your own and find trusted sources. Internet security changes, I am not an expert – and do not claim to know all the ways these evil advertising tracking mechanisms work.

    Oh – and the bottom of this article ->
    http://www.propublica.org/article/everything-we-know-about-what-data-brokers-know-about-you

    Are a few places listed where you can request what info some of these data brokers have stored on you 😉

Leave a Reply

Your email address will not be published. Required fields are marked *