Re: Protecting WebFonts

Me:
>> The first two can and will be hacked with relative ease. Furthermore, it
Gary Ruben:
>If Web security can be so easily hacked, why do major software vendors
>maintain a presence on the Web? Why do Symantec, Borland, Microsoft and
>others offer on-line acquisition of significant (and sometimes
>expensive) products? If security is so easy to circumvent, why aren't
>there floods of bootleg copies of MS-Word, or Symantec Cafe, or any
>other product available on-line, just floating around for the asking
Don't kid yourself. Anything you want floats around. Check 
alt.binaries.mac.games (or games.mac I forget) Most major application are 
available. There are similar groups for software for other platforms. 
Online distribution of software is something different as embedding of 
fonts in webdocuments, different goals, different methods. Furthermore, 
software is usually much more complex than a typeface: online distributed 
software can protect itself in a number of ways., demos with limited 
functionality could be given away to promote the full version of an app. 
This approach does not work type. 
It does not matter if it is only one user offering software or a font, 
powerful search engines will find it, and all webusers will have access 
to it. Such is the nature of the beast.

> Why isn't there a great hew and
>cry from companies about their livlihoods being stolen from their Web
>sites from under their noses?
Because the bigger companies have something to balance equal out the 
possible loss they make. Adobe hopes to sell more postscripts licenses, 
Microsoft hopes for more windows, Bitstream hopes to license trudoc. Many 
foundries don't have anything to gamble with except for their libraries. 
There just aren't that many typecompanies in the world to create your 
great hew, except for the ones that have been actively participating in 
this group. Though the  number of typecompanies is small, it's all there 
is, and making it difficult for these companies to make a living by 
making type is not a good idea in the 'information age' 

>> is unwise to believe in the possibility of secrets, and finally, the
>Security does not need to rely on secrets. A public key/private key
>encryption system uses published algorithms and has withstood the
>scrutiny of dozens, if not hundreds, of experts in cryptography.
>Everyone generally believes that the mechanism is as secure as we can
>possibly hope for - only governments have the resources required to
>break it.
A public key/private key encryption system only protects against 
eavesdroppers, not against abuse when the font is decrypted and ready for 
rasterisation.

>> integrity of users towards fonts has been thoroughly tested in the world
>> of personal computing already: every fontsale represents between 30 and
>> 50 copied fonts. If already *anything* that sits on a webserver has to be
>Do you have any hard evidence for this? Or is it just scare propaganda?
I wish it were propaganda. Unfortunately I have direct experience with 
the number of copies sold, and the number of actual users of my type. 
Neither gives me much reason to be optimistic about human nature or civic 
duties when font piracy comes to the web.

>> considered to be public and accessible to the world, why entertain such
>> vain hopes that it would be possible to keep something away from an user
>Perhaps because we do not see thousands upon thousands of users blithly
>stripping emmbeded TrueType fonts from the MS-Word documents that
>contain them?
That's because the topology of disseminating fonts in MS-Word documents 
(one to few) is different from webpages (one to many). Even if I were to 
give my fonts away to everyone I know, and encourage them to do the same, 
only a selected number of people will have access to them in a certan 
period. Publishing one document on the web will provide efficient instant 
parallel access to many people. It will much easier to get a font from a 
webpage than to ask your friends. 

>> on his own computer? When operating systems become browsers, keeping a
>> font exclusive to one app is a _very_ easy hack to get around, since
>Perhaps you would take the time to explain how this can be so easily
>hacked. Sure, there are some very clever programmers, or hackers who can
>find a way to perform this trick. But do you think that the vast
>majority of users can figure this out? Or that they even would bother?
All it needs one small app posted on a webpage to make it available to 
all. It Bitstream going to police it? is microsoft? 

>Why do *you* have such pessimistic expectations that everybody using a
>computer would rather steal your fonts than buy them, and that therefore
>the rest of us ought to just give up on trying to figure out how to keep
>that from happening, or at least to seriously reduce the ease with which
>it can be done?
I'm pessimistic because there are not many reasons to be optimistic. Font 
piracy has reached an impressive level without the help of speedy 
networks, powerful search engines and anonymous remailers. Introducing 
fonts on the web seems to only increase the exposure fonts have, and only 
increase the amount of illegal use. I don't assume users are willing to 
buy my fonts when they received them for free from some page the day 
before. I'm sure everybody is trying hard to make something that works, 
but as a small typemanufacturer I rely completely on what gets approved 
by microsoft and adobe. Even a good secure system of webfonts will 
increase exposure compared to not doing it at all. Don't get me wrong, 
I'm convinced that webfonts are necessary, but because of the number of 
users involved a small difference in security means a massive difference 
in exposure, and it is worthwile to make sure to get the possible 
possible solution.
I can try to smile when I say "it has to be better than that"

>> there are also fonts open to all apps available on the same system. Flip
>> a bit, find free font.
>Where is this magic bit? And how does changing a bit in an already
>available font on the system make those other, unseen fonts suddenly
>available? Are you now suggesting that even hacking the operating system
>is such a trivial task that any high-school VB programmer can do it at
>the drop of a hat?
Not *every* programmer, no. But some of them will, and some of them will 
provide these hacks to the general public in the same manner as the fonts 
will be available. 
As long as fonts cost *any* money there is an incentive for people to try 
to get them for free. The way fonts function within an operating system 
is very well documented. Fontformats are very clearly documented. Should 
a font be present in memory but kept separate from other fonts, it does 
not take much to build something that finds the font, and saves it on 
disk, no matter what restrictions the browser or OS have for other apps 
to use the fonts directly.
I have no doubt that tools to do these kinds of things will be available 
sooner or later, the idea of the web as a gigantic font warehouse is just 
too enticing. The absence of tools for unembedding now is not a measure 
for the incentive or experience for users to build them. It just wasn't 
interesting enough before.

>> Webfonts are things that primarily need to create bitmap images on
>Web fonts are things that primarily "need" to perform the tasks that we
>already expect in traditional type. Type is the tool that gives form to
>communication. 

>Bitmaps can stand in, but they're a poor substitute. They
>are hard to scale properly,
Have a browser order them  in the right resolution, or have the server 
decide what is appropriate.

> they look bad and read very poorly when they
>are seen on screens with different resolutions than they were designed
>for, 
Same.

>they cannot be searched for content, 
?? Come on! Images with text in them are a different thing from 
pixelbased webfonts. (BTW. portable documents embedded in webpages cannot 
be searched either)

>they will not reformat when
>the user changes the size of his browser window, and on, and on, and on.
?? same. I am acutely aware of the advantages of outlines, that is only 
one half of the equation. The other half is the risk of distributing 
these outlines. When the risks are too big, alternatives reasonable, the 
advantages of outlines alone are not enough.

>> screens across the world. Most usage will be on screen. Print is another
>> issue that can be solved seperately already.
>But users *do* print Web pages. They do it for many reasons - to keep a
>copy of the *information* for reference, or to read off-line because
>reading long passages on-line is tiring (because of poor typography,
>perhaps?), and all the other reasons why any other documents are
>printed. The Web does not inherently reduce the need or desire to print.
Neither does giving away outline fonts necessarily make it better to read 
on paper. Screen typography is a *different* thing from paper typography, 
and they deserve individual solutions. Automatic substitution is a good 
solution for printing avarage pages. Support A publisher of a webpage 
should be able to decide the amount of printing support. Perhaps 
information specifically suitable for printing can be provided in some 
portable document format.

>> Let's get the screen right before giving away the fonts. Critics say
>I think we can get the screen right with real fonts, and without giving
>them away. Nothing you have said in this discussion, or in your polemic
>on your Web page (which I printed out so I could re-read your breathless
>prose at my leisure), convinces me otherwise. 
I'm sure you can get the screen right with real fonts, this is not the 
point.

>So far you have not raised
>a single concrete reason why we should not be using real type on the
>Web, nor why we should not consider how to protect those fonts, except
>to say that fonts will be stolen no matter how hard we try to stop it.
There are problems with many of the proposals. I'm sorry I don't speak in 
academic papers or specsheets. I'm sure there are ways to accomplish 
secure embedding, but it is not yet there. I'm sorry I'm not smart enough 
to develop a secure embedding method myself, believe me I would have 
already if I could, and I wouldn't nag at y'all to get it right.

>> "screen resolution will increase, warranting outine fonts at the user
>> end". Typedesigner says "that will be some time in the future, and even
>> if it becomes a major issue (involving more than 20% of users) HTML will
>> be *several* generations further".
>The fact is that screen resolution is good enough *right now* to present
>type with *acceptible* quality for most users.
Read again, I don't say anything against or in favor of hires screens. I 
accept that they're there, and there are ways to deliver the right pixels 
to the right screen.

> "Typedesigner" may have
>higher standards than the average Joe, and looks down on us lowly slobs
>who think Garamond looks beautiful coming from my 300 dpi laser printer.
>I am sure that he also pities poor Mathew Carter for selling out, and
>designing fonts specifically for the screen, and wish that he would
>recant and rejoin the elite guild of "real typographers".
Pffff. You really think that this is what I'm saying?

>> Anything that's decided on as the webfonts standard will be obsolete in
>> two years anyway, just because the introduction of type is going to raise
>> the expectation of webtypography *so much* that current outline based
>> proposals have to be completely revamped anyway.
>Let's all hope that expectations will have been raised. But they cannot
>be raised unless we introduce type to the Web. 
Sure. But we know already so much about the way fonts are dealt with, 
that I wonder why you can be so optimistic about it all?

>We can wait two years
>because a standard we introduce today will be obsolute then anyway, but
>you can say the same thing again in two years - 'just wait, cause it'll
>be obsolete soon anyway'. Why will it be obsolete? Because we came up
>with something we thought would work, we tried it out, and learned how
>to improve it. We're not going to have anything better to offer in two
>years if we don't try something now.
Well, yeah sure. But your experiments put my type at risk, rather than 
your technology. During your leisurely trials and errors, the world will 
have gained access to all fonts anyway. At that time you can say "well, 
evertone has the fonts already, why bother improving security?" Can you 
understand my interest in this matter? When you've found out how to 
improve your technology, my type will be gone. Once someone has a font, 
there is no reason to get it again.

>Many people have pointed out to you
>ways in which your proposed solution fails to satisfy any number of
>requirements. But you have not explained how they are wrong, or how your
>solution could be fixed or improved to take account of their objections.
>This letter of yours is more of the same.
Mine is not a *solution*, it is an alternative, as I say time and time 
again. I am a *typedesigner*, not a webtechnology encryption wizard. But 
I know enough about programming and operating systems to know what can be 
done, and where the risks are. Being dependent on my work to pay the 
rent, I pay attention to risks to my type, and embedding is a risk. I 
have explained the risks of exposing fonts to a large audience over and 
over again. To shut me up is easy: make something that works.

[snip]
>A Webfonts system that allows publishers to pick the fonts and formats
>they feel most appropriate, without enabling general end-user access to
>the fonts is the best solution. And it includes the ability for you to
>use pixelfont graphics if you want.
Fine with me. But where is it?

>> solution for the time being. The fact that there are fonts at all will be
>> blast, and it leaves room for better technology to be developed.
>Better technology already has been developed - it promised to get even
>better in the future.
Fine with me also. But where is it?

>Erik, believe it or not, the people who are working to establish a
>standard for Webfonts understand your concerns about the safety of
>intellectual property, and are trying hard to address them in a new
>standard. I think we would all like your input on these issues, and your
>cooperation, rather than your stubborn and unproductive opposition.
That is good to hear. I'm sure that at some point there will be something 
we can all agree on. But in the mean time, in the gray area between what 
is possible, and what developers think is sufficient, a lot of progress 
can be made. That involves me being as vocal as I can because this is the 
time and the place (and the only chance) to influence the technology that 
will affect the way I can do my work, and many typepeople with me.
If typedesign and typography become disused disciplines because of 
something better, I can't do much about it. Steam engines and swords came 
and went and there will, no doubt, be a time when typedesign as we know 
it is no longer needed. But to be forced to stop typedesign because there 
was *too much* demand for type and typography, that would be unacceptable.


erik van blokland, LettError type & typography
Home of the Randomfonts, Trixie, BitPull & GifWrap.
   letterror http://www.letterror.com
   typelab   http://www.dol.com/TypeLab/

Received on Tuesday, 27 August 1996 13:22:06 UTC