IE 4.0 leaves Web fonts vulnerable
Microsoft's Internet Explorer 4.0 browser is causing some type designers to worry that the Web fonts they create may be misappropriated by others.
Until now, Web designers have put "exotic" fonts--fonts that aren't standard on a user's system--into an image file, which added to a page's download time and made the text impossible to search and index. But the 4.0 browser lets users view "embedded" fonts, which are placed in the Web page similarly to an image but are searchable, like text. With IE 4.0, these embedded fonts reside on the server and download to the user's system as a separate file. And therein lies the problem.
It turns out that once these fonts download to the browser's cache, it is easy to identify them and, with a font authoring tool, replicate them. Since fonts are intellectual property owned by their designers, IE 4.0 is leaving private property open to theft, contends Daniel Will-Harris, a writer and designer who wrote about the problem last week in his column. Will-Harris is a member of TypeRight, a grassroots typographers' association.
Microsoft program manager Darryn Dieken admitted that the font retrieval and display system is "hackable," but he downplayed the security risk.
"Somebody smart can crack [the font file] and install it," Dieken said. "But the process to hack into the file is obscure at best."
Another TypeRight member disputed that claim.
"Anyone who has access to any of these pages will be able to grab the font off there," said Chris MacGregor, a Web designer and director of Union Type Supply. "It's easy to figure out--this is no hacker-type trick."
MacGregor was able to download and install embedded fonts from Microsoft's own typography Web page in "about two minutes," he said.
What a font thief can steal is limited to the actual characters on the Web page, but with a long text file, that could add up to a considerable percentage of a font set. Not many Web sites use embedded fonts yet, according to Will-Harris and MacGregor, but what they perceive as Microsoft's indifference is still of great concern to them.
"They don't think it's a huge problem, and that's the main problem," MacGregor said.
Microsoft acknowledges the problem, but contends it's the fault of the operating system and not the browser.
"As it's fixed down the road, it'll get fixed in the Windows code, not in the browser code," said a company spokeswoman.
[In response to the Justice Department lawsuit, Microsoft also contends that the browser is "integrated" into the operating system and shares much of the underlying code.]
What "down the road" means is unclear, but a higher level of security might not be added until the release of NT 5.0, the spokeswoman said.
Meanwhile, type designers could be reluctant to provide their fonts to IE 4.0-specific Web pages. Microsoft offers a software tool free of charge to create pages with such fonts. Will-Harris is calling for Microsoft to take the tool, now in beta, off its Web site, until it can fix the security problem.
As for the other 4.0 browser, Netscape Navigator uses a system called TrueDoc, designed by Bitstream, to display embedded fonts. Unlike Microsoft's system, TrueDoc fonts are rendered by the browser, not the operating system, which prevents end users from copying them and reusing them in spreadsheets, word processors, font authoring tools, or other programs on a user's system, according to Brad Chase, Bitstream director of new product marketing.
As with IE 4.0's new font technology, TrueDoc is just getting off the ground. A few HTML authoring tools currently allow designers to create TrueDoc pages, but greater availability should come later this year when Netscape adds a TrueDoc plug-in to the Composer component of Communicator.