Stop using Google Fonts, which track users' browsing.
Protonmail.com uses Google Fonts on various pages, such as the support knowledge base, company blog, etc. The fonts are served directly from Google servers into users' browsers. Google provides this service "for free" to speed up page load times, but at the cost of surveilling the activity on websites that use it. ProtonMail should stop using Google Fonts in order to prevent Google from analyzing user activity on Protonmail.com.
For example, here's a line of HTML code from https://protonmail.com/support that loads the Open Sans font from Google. There are many, many other pages that have the same code (but not every page).
<link rel='stylesheet' id='ht-google-font-css' href='//fonts.googleapis.com/css?family=Open+Sans:400italic,400,600,700' type='text/css' media='all' />
I switched from Gmail to ProtonMail for a reason. I do NOT want Google knowing anything about my use of ProtonMail, including how often I use it, from where, which ProtonMail pages I'm visiting, or the fact that I use ProtonMail at all.
It's not necessary for these fonts to be hosted by Google; they could instead be hosted by Protonmail.com for greater privacy. With proper cache times set up, they'd only need to be downloaded on the user's first page view, not every time, so page load times would hardly be affected.
More info about the privacy problems with Google Fonts:
Please disable Google Fonts! Thanks!
@Jason Wait a minute, this has not been fully completed! Thanks for removing the Google fonts from the support portal, but they are still all over the blog. For example, on https://protonmail.com/blog/ there are these lines of code:
<link rel='stylesheet' id='csbtnsFont-css' href='//fonts.googleapis.com/css?family=Indie+Flower&ver=4.3.1' type='text/css' media='all' />
<link rel='stylesheet' id='proton-blog-fonts-css' href='https://fonts.googleapis.com/css?family=Roboto%3A300%2C300italic%2C400%7COpen+Sans%3A100%2C400%2C700%2C400italic%2C300italic%2C300%2C700italic' type='text/css' media='all' />
I hope you still see this comment after the post has been marked completed...
We didn't put as much effort into our support portal as our blog or main application and this was an oversight. I've removed this reference to Google Fonts.
Wow, yeah, this definitely needs to be removed! This is not ok!
This is not cool. Does Protonmail feel it's okay to embed random 3rd party content, especially Google content of all things? Protonmail may not keep logs but Google sure does. Hopefully it was a mistake and they'll avoid this sort of thing in the future. It basically amounts to a CSS injection security vulnerability: Google's code is loaded onto Protonmail's site and Google is free to change their code at any time, even under government pressure. The only difference is Protonmail put it there themselves.
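Added example, not part of the thread and not ProtonMail's own code: a small Python audit that lists stylesheet links served from another host, including protocol-relative "//" URLs like the ones quoted above. The local-css tag and its path are constructed for contrast, and the suffix-based same-site check is a simplifying assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: two <link> tags quoted in the thread plus one
# hypothetical first-party stylesheet (local-css) for contrast.
SAMPLE_HTML = """
<link rel='stylesheet' id='ht-google-font-css' href='//fonts.googleapis.com/css?family=Open+Sans:400italic,400,600,700' type='text/css' media='all' />
<link rel='stylesheet' id='proton-blog-fonts-css' href='https://fonts.googleapis.com/css?family=Roboto%3A300%2C300italic%2C400%7COpen+Sans%3A100%2C400%2C700%2C400italic%2C300italic%2C300%2C700italic' type='text/css' media='all' />
<link rel='stylesheet' id='local-css' href='/assets/site.css' type='text/css' media='all' />
"""


class StylesheetAudit(HTMLParser):
    """Collect <link rel=stylesheet> tags whose href points at another host."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.findings = []  # (link id, host) pairs

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if "stylesheet" not in a.get("rel", "").lower().split():
            return
        # urlsplit reads '//host/path' as a network-path reference, so
        # protocol-relative URLs yield a hostname; relative paths yield None.
        host = urlsplit(a.get("href", "").strip()).hostname
        if host and not self._same_site(host):
            self.findings.append((a.get("id", ""), host))

    def _same_site(self, host):
        # Assumption: a suffix match stands in for a registrable-domain check.
        return host == self.first_party or host.endswith("." + self.first_party)


def third_party_stylesheets(html, first_party_host):
    audit = StylesheetAudit(first_party_host)
    audit.feed(html)
    audit.close()
    return audit.findings


if __name__ == "__main__":
    for link_id, host in third_party_stylesheets(SAMPLE_HTML, "protonmail.com"):
        print(f"third-party stylesheet: id={link_id!r} host={host}")
```

Run against every page template rather than a single URL, since the thread shows the references differed between the support portal and the blog.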