[_8j50]

It's a tricky issue. I think you mean privacy implications,I don't see how this would add security risk.

For privacy,loading third party fonts like google fonts on your site allows the 3rd party(google) to track users. To avoid that,I try to load google fonts from my domain(and for performance when google is slow or unreachable). Arguably,if your site already uses google fonts,putting cloudflare between google and users reduces the amount of tracking users are exposed to. One might also say how privacy conscious site owners should avoid both google and cloudflare.

[Sylos]

To elaborate on how Google can track your users:

The user's browser downloads the font off of Google's server, which gives Google their IP address, and the browser also tells Google's server what webpage it's currently visiting, via the HTTP referer.

And given that almost every webpage ships something from Google, Google has an almost complete browsing history for every public IP. There's generally multiple devices behind one public IP, especially for corporate networks or VPNs, so they still have to demultiplex that with further tracking, e.g. Google Analytics, Chrome Sync, Android, but that's rarely a problem either, as even if you're carefully avoiding these, everyone else under your public IP using them would be enough to single you out.

[_8j50]

You're forgetting user agent strings as well. On mobile,They tell google the exact device make and model and in case of in-app browsers the specific app and version.

[Sylos]

Right, how did I forget about those? That even is exactly the type of data that will allow identifying specific devices underneath one public IP.

[skybrian]

Is this allowed under Google's privacy policy? How about the GDPR?

I mean, it's one thing to talk about what Google's technically capable of, and quite another for it to be legal.

[Sylos]

I don't know Google's privacy policy too well and I'm not a lawyer, but I think, this is still kind of uncharted legal territory.

No end user ever gets to see Google's privacy policy before their data is submitted to Google. Not even for Google Analytics, where I am pretty sure that Google does use the data, if the webpage owner isn't paying.

At the same time, Google will point to webpage owners, saying that they need to inform their users (which they do), but if Google wanted to "do the right thing", they would acknowledge that clearly webpage owners don't do that, and that therefore essentially any usage of Google Analytics data happens without user consent.

Under the GDPR, something like this would almost certainly not be legal and Google would be responsible, too, even if they're not the "controller", just the "processor", as the GDPR calls it.

Of course, we'll only know for sure once the lawsuits against Google have gone through.

[krageon]

It's not allowed under the GDPR. But let us get real; this is Google doing it, and anyone complaining about this practice would first need to prove that it happens (which is not easy). You can (and should) expect large American companies to always ignore as many laws as they can get away with.

[skybrian]

That's a caricature. In my experience, Google has lots of lawyers that are quite serious about making sure what they do is at least arguably legal, and company procedures to make sure that employees follow the rules. Not that it always works.

[_8j50]

Arguably legal thanks to FISA court orders that benefit Google and usgov? Where blame can be placed on "coercion" by US intel community?