- From: Michael Bernstein <michael@cascadilla.com>
- Date: Tue, 27 Aug 1996 12:22:19 -0400 (EDT)
- To: Gary Ruben <gdr@cataneo.bitstream.com>, www-font@w3.org
Gary Ruben wrote, responding to Erik van Blokland: >> In all proposals, webfonts security relies on the integrity of browsers, >> the integrity of operating systems, some part of the process being kept >> secret, or best of all, the integrity of users. >Yes, security relies on the cooperation and integrity of all of the >components. But the potential for parties wroking outside of the system >to *deliberately* thwart the precautions taken should not be cause to >just give up the attempt to make the Web more secure. The Web, today, is >a relatively insecure medium. But that does not stop people and >companies from carrying on commerce on the Web. Nor should it stop >publishers and users from reaping the benefits of an improved >typographic diversity for electronic publishing on the Web. And that, right there in that pithy little paragraph, is exactly the core of Bitstream's misguided attitude towards web fonts. They refuse to recognize that fonts are intellectual property which do, in fact, have legal protection. When it comes to electronic commerce, the people who decide to proceed are the people at risk: the buyer and the seller. When it comes to electronic publishing, the people who Bitstream cares about are only the publisher and the user, not the font owner. The font owner has legal standing here, the font owner stands to lose a lot of money, and the font owner is not involved anywhere in Bitstream's thinking. Brad Chase from Bitstream has corresponded with me directly (thank you, Brad), and has completely failed to show how TrueDoc respects the rights of font owners. They're under the deluded impression that if they make something difficult to hack, they make it illegal to do so. That just ain't so. Bitstream has no way to enforce any license provisions on the people who receive TrueDoc font files. They can stop developers and publishers from doing anything wrong with strong license agreements, but they can't do anything to stop the typical user. And the user, no matter how immoral their intentions, has Bitstream's legal blessing (coupled with an ineffective moral curse) to do whatever they want with the TrueDoc font file. "It's wrong," Bitstream says, in the same breath as saying "it's legal." Thank you, Gary, for illustrating so clearly how blind Bitstream is to the legalities of fonts. It's not some nitpicking detail about copyright law. It's the foundation of copyright law. I made a font, and only I have the right to distribute it _unless_ I grant that right myself. Bitstream can't grant that right for me. My protection for text fonts in the US may be weak, but my protection for text fonts in Germany is strong, and my protection for dingbat fonts in the US is just fine. >If Web security can be so easily hacked, why do major software vendors >maintain a presence on the Web? Why do Symantec, Borland, Microsoft and >others offer on-line acquisition of significant (and sometimes >expensive) products? If security is so easy to circumvent, why aren't >there floods of bootleg copies of MS-Word, or Symantec Cafe, or any >other product available on-line, just floating around for the asking >(I'm not talking about the copies distributed by ignorant users, who >trade Fontographer like postage stamps)? Why isn't there a great hew and >cry from companies about their livlihoods being stolen from their Web >sites from under their noses? Because nobody is stupid enough to claim that those bootleg copies of "real" software are legal. But if TrueApp comes along, and says "use me, and give encrypted versions of your apps to your users, and those encrypted apps are unprotected by copyright law", then you will see an enterprising user say "gee, I can decrypt those apps and distribute them freely." Then you will have a web site full of apps, and it won't be shut down until a lawyer comes along and explains that it just ain't so. Again, the above paragraph illustrates how Bitstream refuses to recognize the rights of font vendors. Symantec can distribute Symantec Cafe over the web because Symantec owns the copyright to Symantec Cafe. But Symantec can't distribute my fonts along with its documentation unless I say it's ok. They can't legally decide that they'll take that risk on my behalf, unless I tell them that they can. >Security does not need to rely on secrets. A public key/private key >encryption system uses published algorithms and has withstood the >scrutiny of dozens, if not hundreds, of experts in cryptography. >Everyone generally believes that the mechanism is as secure as we can >possibly hope for - only governments have the resources required to >break it. My little brother can break it. (Disclaimer: my little brother is an expert on cryptography.) But in any case, it's not a question of the security of the font during transmission. It's a question of the security of the font after the end user has received it. The font isn't encrypted throughout the entire process, because printers don't have decryption chips. And by pretending to remove the copyright on the font, you've given carte blanche to the user to convert the TrueDoc font file back into an installable font and redistribute it to his heart's content. >Perhaps you would take the time to explain how this can be so easily >hacked. Sure, there are some very clever programmers, or hackers who can >find a way to perform this trick. But do you think that the vast >majority of users can figure this out? Or that they even would bother? >Why do *you* have such pessimistic expectations that everybody using a >computer would rather steal your fonts than buy them, and that therefore >the rest of us ought to just give up on trying to figure out how to keep >that from happening, or at least to seriously reduce the ease with which >it can be done? All it takes is one, courtesy of Bitstream's misleading advertising. One person converts the font file, and that person gives it to the world, telling them that it's free and clear of all legal restrictions. Bitstream has no hold over that person, unless that person happens to be a licensee of Bitstream and Bitstream's license actually prohibits such behavior. >> webfonts system that provides the possibility to deliver appropriate >> pixelfonts to the client, without enabling access to outlines is the best >A Webfonts system that allows publishers to pick the fonts and formats >they feel most appropriate, without enabling general end-user access to >the fonts is the best solution. And it includes the ability for you to >use pixelfont graphics if you want. Hello? Is anyone paying attention? The publisher doesn't have the right to pick the fonts he wants to distribute to the world. The font owner has that right. >> solution for the time being. The fact that there are fonts at all will be >> blast, and it leaves room for better technology to be developed. >Better technology already has been developed - it promised to get even >better in the future. Some of us just don't want to wait to use what we >already have. In other words: "Dammit, I want to steal this candy from this store and give it to all of my friends. I don't want to wait until I can afford to buy the candy, or get permission from the store owner, because I have the mentality of a six-year-old that can't separate right from wrong." On the question of bitmapped fonts, there's no reason that they can't work. Add the screen resolution to the environment variables which are passed from the browser to the server, and let the server respond with the appropriate bitmapped fonts. If you don't get the necessary information to do that, you leave out the fonts. That problem of dealing with older browsers which can't display frames, or which can't display tables, or which can't display graphics, has been here for quite a while. You simply maintain different versions of your site for different customers, or you give up on the customers who aren't using modern enough hardware and software, or you leave out the latest and fanciest features. These are all currently used solutions, and they apply just fine to using fonts on web pages as well. And bitmapped fonts have one tangible advantage -- they're legal for publishers to distribute. Yours, Michael Bernstein Cascadilla Press michael@cascadilla.com
Received on Tuesday, 27 August 1996 12:22:45 UTC