Are fonts embedded with sIFR safe from theft?

[Dan B.]

This topic was imported from the Typophile platform

I lack the necessary knowledge on the subject, so I thought I'd ask. I'm looking at buying Bryant Condensed from Process and an employee of the foundry explained that I can use sIFR on a website if the files are secure (she did mention this was the short answer!). I don't want to be in violation of the EULA. How do I make sure the files cannot be downloaded?

[bemerx25]

The actual font file is not downloaded or available if that's what you're asking. You can decompile SWFs but I don't think the font information (beyond the shape of the letters) is available even after such a decompilition.

[aluminum]

I don't think they know how sIFR works. It'd be akin to a PDF. There's enough information to render the shapes of the type within the file, but the actual font is not included.

[nina]

Tracking this. I've gotten a similar response from Underware in the past (regarding Dolly), and ended up doing server/PHP image generation instead since I wasn't sure how to "protect" sIFR.

[Si_Daniels]

With the introduction of OpenType support in the most recent Flash update I think the complete font can be included in the SWF.

I would be concerned signing anything saying any converted, embedded or encapsulated font is ever "secure".

[bemerx25]

sIFR is about as protective as using straight-up images - someone could theoretically trace your letter shapes from any posted image. With a SWF the only difference is that the vectors could potentially be decompiled from the SWF (or like someone running autotrace on your lettershapes). But no metrics would be available. And you can subset the amount of glyphs that are embedded within the SWF, thus reducing even more what could potentially be pulled out of the SWF. At any rate, anyone going through that much effort to "pull" a font from a SWF values their time much more differently then I would.

[andyclymer]

sIFR has documentation for taking a few small steps to protect the fonts that you've embedded in the .swf files that it uses:

http://wiki.novemberborn.net/sifr/Protecting+Commercial+Fonts

...the idea being to allow only your website to access the .swf file that contains the font so that other sites can't just point themselves to the file and use it too. These are very likely the security precautions that those foundries may have been talking about (but double check with them to be sure).

Andy

[Si_Daniels]

>At any rate, anyone going through that much effort to “pull” a font from a SWF values their time much more differently then I would.

That's not really the issue at hand. Dan is being asked to make a guarentee that the font will be secure, not that anyone in their right mind will not extract the font.

[aluminum]

Either way, the vagueness of it seems like an undue burden on the consumer.

[nina]

Not sure. Talking about your reference to PDFs, aren't at least a part of the "cracked" fonts floating around extracted from PDFs? I'm not sure I wouldn't share that measure of "paranoia" if I was publishing a font.

[Si_Daniels]

>Either way, the vagueness of it seems like an undue burden on the consumer.

True

>I’m not sure I wouldn’t share that measure of “paranoia” if I was publishing a font.

When you've been robbed blind, and see other folks being robbed you develop a sense of paranoia. For smaller foundries it's kind of like the guy running the small corner shop, who has a "no more than two school children at a time" sign. The larger vendors write off the thievery as part of the cost of doing business, which equals less paranoia.

[Dan B.]

Thank you all for your responses.
I guess I have to ask for the long answer concerning embedding with sIFR. I must say my position as consumer is rather frustrating. While their EULA did not seem overly limiting, it looks like it isn't clear enough either. With the current limitations of web typography, methods like sIFR (or @font-face) are a breath of fresh air. But are they secure? Here's the paragraph from the EULA that regulates embedding (Link).

>Embedding of the Fonts into web pages or digital documents is permitted only in a secured, read-only mode. You must ensure that recipients of such web pages or documents cannot extract, install or use the embedded Fonts. The creation of new documents using an embedded copy of the Font Software is expressly prohibited. You further agree not to change or alter the embedding bits or other restrictions of the embedding programs within the Font Software itself.

[Nicole Dotin]

I think I can clear this up.

First, thanks Dan for taking the time to understand our EULA and investigate whether it meets your needs before you purchase. That's really a best-case scenario.

If you are to follow the advice that Andy linked to about protecting the files/font, then you should be within the bounds of our EULA and we would have no issue with that usage.

Towards the notion of security. 'Secure' is difficult to define. There are few methods of font usage that are 100% secure, so we cannot expect a customer to keep our fonts 100% secure. Even in the print world, simply giving the file to a service bureau (which is allowed in our EULA) is not necessarily secure. But, we've tried to strike a balance between protecting our work from unreasonable, unlicensed distribution and giving customers usage rights that do not unduly burden their use of the fonts.

So, we don't expect a customer to 'guarantee' the security of the fonts, which is simply not possible, but we do expect that they take reasonable measures to protect the fonts when they use them in ways that potentially put them at risk of unlicensed distribution.

Nicole, Process Type Foundry

[Si_Daniels]

Hi Nicole,

So rather than requiring the impossible...

"You must ensure that recipients of such web pages or documents cannot extract, install or use the embedded Fonts."

Perhaps...

"You should use best efforts to ensure that recipients of such web pages or documents cannot extract, install or use the embedded Fonts."

...maybe?

[bemerx25]

But lawyers love absolute and precise terms...

[Dan B.]

Nicole,

Thank you for taking the time to help me yet again. I was going to contact you tonight (different time zones) concerning the link Andy provided. I have read it and will do what is necessary to protect the files.

I will be purchasing the font soon.

Dan

[Nicole Dotin]

Dan- thanks for that. You know where to find me if you need anything else!

Si- I understand where you're coming from. In a world where everyone respects EULAs, 'best efforts' makes sense, but we know that's not the world we live in. There is still so much room for interpretation in the phrase. My 'best effort' as a cyclist, for example, is not even in the same universe as Lance Armstrong's.

The EULA is written for the person who makes every effort to abide by its terms and those who willfully disregard it. It is not always an easy balance. We'll keep thinking about it though, especially since these issues are becoming more and more pressing by the day.