Just In Time 4 Tech · justintime4tech.fyi

Privacy & Sovereignty

Your fonts are phoning home

A typeface is just a shape. But the way most sites load one quietly sends every visitor's IP address to a server in another country — before a single word appears on screen. Nobody chose that. It came with the template.

Just In Time 4 Tech · A field guide, not a sales pitch

Here is a thing almost no one knows about their own website: the moment a visitor's page begins to load, their browser may reach out to Google and announce itself — not to fetch your content, but to ask for a font. That request carries the visitor's IP address with it. It happens silently, on every visit, before anything is read or clicked.

The font itself is harmless. The fetching of it is the problem. And it's one of the most common surveillance leaks on the small-business web, precisely because nobody installs it on purpose. It arrives bundled inside a theme, a page builder, a "free fonts" snippet someone pasted in years ago.

What actually happens when a font loads

When your stylesheet points at Google's font servers, every visitor's browser opens a connection to fonts.googleapis.com and hands over the data any web request carries: their IP address, and signals about their browser and device. You can watch it happen in your own network tab.

What the browser sends · every visit, before render

GET /css2?family=Inter&display=swap
Host: fonts.googleapis.com
↳ visitor IP address: 203.0.113.47  → leaves your site
↳ user-agent, referer, device hints  → leaves your site

The visitor came to read about your services. Without ever being asked, they introduced themselves to a third party they never heard of. Multiply that by every page, every visit, every day.

Why a court decided this matters

This isn't a hypothetical. A German court looked at exactly this pattern and ruled against the site owner. The reasoning is the part worth keeping: because the same font can be served from your own server without ever contacting Google, there was no necessity to send the visitor's IP address abroad — and so no lawful basis for doing it.

The damages in that first case were small. The precedent was not. It established that an IP address is personal data, that handing it to a third party without consent is a violation, and — the sharp part — that the existence of a free, local alternative is itself the reason the convenient version isn't defensible. Across Europe, similar rulings have followed, and warning letters have gone out to sites in the thousands.

The fonts were never the issue. It's the data trail they leave when you let someone else serve them.

You don't have to be in Europe for the logic to land. The principle is universal and it's the same one that runs through everything here: if a thing can be done without surveilling the people who visit you, then doing it with surveillance was a choice — usually one you didn't know you were making.

What it costs, beyond the legal risk

Set the law aside for a moment. The hosted-font habit costs you on three fronts, and the first one surprises people most.

Slower

Every hosted font means a fresh DNS lookup and a new connection to Google's servers before text can paint. Self-hosted fonts skip that round trip entirely.

Leaky

Every visitor's IP and device signals go to a third party, on every visit, for the privilege of a typeface you could have served yourself.

Liable

It's a disclosable data transfer you almost certainly never disclosed — a quiet, standing risk sitting in a stylesheet.

That first one is the irony worth sitting with. People reach for hosted fonts believing the big CDN is faster. For fonts, self-hosting is usually quicker, because the file comes from the same place as the rest of your page — no detour, no handshake with a stranger.

The fix is smaller than the problem

This is the rare leak with a clean, permanent, ten-minute remedy. There are two honest paths, and neither asks you to give anything up.

  • Self-host the font. Download the font files, drop them on your own server, and point your stylesheet at them. The fonts are open — you're allowed to do this. From then on, no request ever leaves for a font company, and the look is identical.
  • Or use the fonts already on every device. The system font stack — the same families your operating system ships with — needs no download at all. Zero requests, instant render, and it looks native everywhere. This very page uses it.

Either way, the third party is simply gone. Not blocked, not consented-to, not buried under a banner. Gone — because there was never anything load-bearing there to begin with.

See it for yourself, right now

You don't need permission to look. On any site you own:

  1. Open your browser's developer tools (right-click → Inspect, or F12).
  2. Click the Network tab and reload the page.
  3. Filter by Font, or just search the request list for googleapis.
  4. If you see a request leaving for a font server, that's your visitors' IP addresses leaving with it.

If it's there, that's not a disaster — it's just information. And it's the first, smallest thread to pull in taking your site back.
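
The same check can be run over page source before it ships. The script below is an added example, not part of the original guide: it scans HTML and CSS for font references that resolve off your own origin, and runs against two constructed samples, the hosted pattern and the self-hosted fix. The origin https://example.com and the path /fonts/inter.woff2 are assumptions.

```javascript
// Added example: static audit for font requests that would leave your own origin.
const FONT_HOSTS = new Set(['fonts.googleapis.com', 'fonts.gstatic.com']);
const FONT_FILE = /\.(woff2?|ttf|otf|eot)$/i;

// Collect every URL referenced via href="", src="", url() or @import "".
function extractUrls(source) {
  const patterns = [
    /(?:href|src)\s*=\s*["']([^"']+)["']/gi,
    /url\(\s*["']?([^"')\s]+)["']?\s*\)/gi,
    /@import\s+["']([^"']+)["']/gi,
  ];
  return patterns.flatMap((re) => [...source.matchAll(re)].map((m) => m[1]));
}

// Return the font-related URLs that resolve to a host other than the page's own.
function findThirdPartyFonts(source, pageOrigin) {
  const site = new URL(pageOrigin);
  const hits = new Set();
  for (const raw of extractUrls(source)) {
    let url;
    try { url = new URL(raw, site); } catch { continue; }  // unparsable: skip
    if (!/^https?:$/.test(url.protocol)) continue;          // data:, blob: stay local
    if (url.host === site.host) continue;                   // same origin: nothing leaves
    if (FONT_HOSTS.has(url.hostname) || FONT_FILE.test(url.pathname)) hits.add(url.href);
  }
  return [...hits];
}

// Constructed sample: the hosted pattern the page describes.
const hostedPage = `
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter&display=swap">
<style>body { font-family: 'Inter', sans-serif; }</style>`;

// Constructed sample: the same look self-hosted (/fonts/inter.woff2 is a hypothetical
// path), with a system font stack as the fallback.
const selfHostedPage = `
<style>
@font-face {
  font-family: 'Inter';
  src: url('/fonts/inter.woff2') format('woff2');
  font-display: swap;
}
body { font-family: 'Inter', system-ui, -apple-system, 'Segoe UI', sans-serif; }
</style>`;

console.log(findThirdPartyFonts(hostedPage, 'https://example.com'));     // two URLs flagged
console.log(findThirdPartyFonts(selfHostedPage, 'https://example.com')); // nothing flagged
```

A static scan only sees what is written in the source, so fonts injected by a script at runtime will not show up here; the network tab remains the final check.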

When you're ready

Want this done for you?

Finding what's quietly leaking — fonts, scripts, pixels — and handing you back a clean, fast site you fully own is exactly the work I do. Self-hosted or system fonts, no calls home, verifiable in your own network tab.
