A Privacy Arms Race

I’m continually amazed how creative people can be. The news that Crashlytics is using custom fonts to track users is both fascinating and horrible. I think John Gruber does a good job of capturing the regular person response to this:

The basic fact remains: custom fonts, however they’re installed, are not meant to be used for tracking users.

Sure, custom fonts weren’t intended to provide this “feature” ( I use that term loosely ), but that is the essence of a neat hack ( in the old school traditional use of the word ). From a purely technical point view, it is impressive to see someone come up with a method to use an existing system in a way the original creators not only never intended, but never even imagined.

While part of me is impressed with the clever hack, over all, as a user, as a person, I find it tiring. This is yet one more thing to deal with. Each one by themselves is relatively small, but the sum of them together is awful. Death by a thousand paper cuts.

Apple has been trying to put a hard line on what they will and won’t allow, leaning on the side of making it possible for users to have some privacy controls. A good example of this is the Webkit Tracking Prevention Policy. That in turn has contributed to Firefox and Chrome taking action to do more regarding privacy options. None of them are perfect, but each are a definite course change from what we’ve seen in the last few decades.

A clever developer figured out how to exploit fonts, and Apple and others will respond by making that harder. Expect this to be an ongoing circle.

We are in the middle of a privacy arms race.