Webfont hosting on MS Azure?

Andreas Stötzner

I deal with a client’s request for a webfont licence. It is an institute of an university. They stated that they use a Microsoft cloud server (Azure) for the hosting of their websites.

In my licence terms it reads “[allowed is:] to link the webfonts to websites which are owned and controlled by licencee”, and also: “licence does not permit storage of the webfonts in places or under conditions where unauthorized persons or third parties may gain access to the fonts, without being licencees“.

They ask me if the storage on their MS-Azure server would be conforming with those terms and I think, that such a storage (not in-house server, but still, an ‘owned’ cloude space) would comply with the terms. However, I wonder if in such a case there may be any pitfalls or if, in the long term, certain precautions need to be effected in order to prevent unauthorized access to the fonts.

Has anyone experience with such a matter?

James Puckett

It doesn’t matter what platform the server is on. Anyone who can access the web site can access the fonts no matter where they’re stored. That’s what wget is for.

Andreas Stötzner

wget

was is that?

James Puckett

Andreas Stötzner said:

wget

was is that?

wget is tool for downloading web sites. It can download files by type, so someone who wants the fonts can run “wget -r -A .woff http://site.with.fonts/url/” and download all the web fonts from a site. 

Andreas Stötzner

James Puckett said:

wget is tool for downloading web sites. It can download files by type, so someone who wants the fonts can run “wget -r -A .woff http://site.with.fonts/url/” and download all the web fonts from a site. 

Oh my god.

Does that mean, anybody who views a website with a special embedded webfont (for which the creator of that site has payed for a licence) can rip off those special fonts and get away with it?

KP Mawhood

Andreas Stötzner said:

Does that mean, anybody who views a website with a special embedded webfont (for which the creator of that site has payed for a licence) can rip off those special fonts and get away with it?

Yes, although a little technically advanced. It's easier to rip off desktop fonts. The latter happens all the time, accidentally. The former requires someone with an agenda.

Thomas Phinney

Yes.

There are other ways of embedding fonts. But basically none of them are secure.

Lots of folks in the type business had concerns about web fonts and piracy. In the end, what has happened is, there is no serious copy protection for web fonts; they can be ripped off by pirates if they wish to go to the trouble to do so. They may need to translate from WOFF to other formats, but that’s not difficult.

In my licence terms it reads “[allowed is:] to link the webfonts to websites which are owned and controlled by licencee”, and also: “licence does not permit storage of the webfonts in places or under conditions where unauthorized persons or third parties may gain access to the fonts, without being licencees“.

They ask me if the storage on their MS-Azure server would be conforming with those terms and I think, that such a storage (not in-house server, but still, an ‘owned’ cloude space) would comply with the terms. However, I wonder if in such a case there may be any pitfalls or if, in the long term, certain precautions need to be effected in order to prevent unauthorized access to the fonts.

Has anyone experience with such a matter?

Those terms seem… essentially contradictory, to me. No idea how a court would make sense of it.

KP Mawhood

Thomas Phinney said:

Those terms seem… essentially contradictory, to me. No idea how a court would make sense of it.

Although, someone has to "hack" the website – it's hardly authorised by the licensee. In the same way, fonts embedded in PDFs or apps can be hacked for unlicensed purposes.

Andreas Stötzner

Thomas Phinney said:

Those terms seem… essentially contradictory, to me. …

Interesting.

Would you care to explain, what exactly seems contradictory?

Thomas Phinney

You specifically allow the user to host the fonts for web use, which as far as I know, cannot be done without “storage of the webfonts in places or under conditions where unauthorized persons or third parties may gain access to the fonts, without being licencees”

Unless of course it is not a public web site, and the license covers all people with access to the site. But I assume not.

Florian Pircher

I would add that very few people/organizations are hosting a website all on their own. It is too much of a hassle to self-host a website, and so most websites are either hosted by one of the big players like Microsoft (Azure) or Amazon (AWS) or by one of the myriads of small players. All of these hosting providers have access to everything that their clients upload.

So, even if there were a way to protect font files served to the browser (like using Flash in the bad old days), the hosting provider still has access to all files, even the ones not served to browsers directly.

Thomas Phinney

KP Mawhood said:

Although, someone has to "hack" the website – it's hardly authorised by the licensee. In the same way, fonts embedded in PDFs or apps can be hacked for unlicensed purposes.

But the license says they can’t store “the webfonts in places or under conditions where unauthorized persons or third parties may gain access to the fonts, without being licencees.” It doesn’t stop at saying that the licensee shouldn’t authorize access.

You do not have to use anything external to, say, Google Chrome to get a WOFF font file out of a typical website. It is a dead-simple process. (At least, unless one adds more requirements; I suppose base64 encoded fonts are slightly harder, still.) The only caveat is, if you want to use the font on a Mac or Windows desktop, instead of as a web font, you do need to convert the WOFF. (What John Hudson referred to as the “garden fence” protection—doesn’t really stop anybody, but at least they have some reason to be aware that the file wasn’t meant for this usage.)

 At least with extracting fonts from PDFs you need to start off with some tool other than Acrobat or Apple’s Preview. Requiring an unusual or dedicated tool for a normal person to achieve the result is a more challenging case.

JoyceKetterer

This is very much an individual business decision.  Speaking only for myself, I did try to find ways to make webfonts secure, gave up, and have not seen any impact whatsoever on licensing violations.  It's still the case that most unauthorised webfont use comes from folks who have a basic license and their web developer converted the files on their own.  

JoyceKetterer

PS- a couple years ago we saw a big uptick in unauthorised self hosting from Adobe CC cloud customers who misunderstood the Adobe license and thought it permitted web embedding broadly (not via Typekit).  But that went away when Adobe clarified their messaging.

KP Mawhood

Thomas Phinney said:

KP Mawhood said:

Although, someone has to "hack" the website – it's hardly authorised by the licensee. In the same way, fonts embedded in PDFs or apps can be hacked for unlicensed purposes.

But the license says they can’t store “the webfonts in places or under conditions where unauthorized persons or third parties may gain access to the fonts, without being licencees.” It doesn’t stop at saying that the licensee shouldn’t authorize access.

You do not have to use anything external to, say, Google Chrome to get a WOFF font file out of a typical website. It is a dead-simple process. (At least, unless one adds more requirements; I suppose base64 encoded fonts are slightly harder, still.) The only caveat is, if you want to use the font on a Mac or Windows desktop, instead of as a web font, you do need to convert the WOFF. (What John Hudson referred to as the “garden fence” protection—doesn’t really stop anybody, but at least they have some reason to be aware that the file wasn’t meant for this usage.)

 At least with extracting fonts from PDFs you need to start off with some tool other than Acrobat or Apple’s Preview. Requiring an unusual or dedicated tool for a normal person to achieve the result is a more challenging case.

At a bare minimum - if someone seeks out the font's URL from the website, and downloads that file, is that not already jumping the garden fence? I would consider most people to understand that there are legal implications when trespassing on a property without permission or with an intent to do mischief.

Although it is very easy to "view source", it's quite another thing to steal the code. Image licensing has a greater challenge with the "save as" browser function.

Contradictions in font licenses are not uncommon. Having acquired a webfont license – even with this clause – a licensee would most likely be acting in good faith. 

Likewise, no idea how it would play out in court.

Andreas Stötzner

Thank you all very much for this elucidating discussion. It makes me aware of a kink in my licence wording and I shall overhaul that passage. It also helps explaining things to the client in question.

Of course the owner of a server / hosting service (e.g. MS) has ‘access to’ whatever the customer loads up. But under normal circumstances that should not be the problem since a provider is usually aware of the fact that all data stored are property of the customer, in general.

Piracy is another matter and I wonder, why it shouldn’t be feasable to create some effective gatekeeping for the fonts at the place where they are stored.

Florian Pircher

Andreas Stötzner said:

Piracy is another matter and I wonder, why it shouldn’t be feasable to create some effective gatekeeping for the fonts at the place where they are stored.

There is a thread discussing why fonts cannot be both protected and displayable at the same time: https://typedrawers.com/discussion/comment/54490/#Comment_54490