- From: pes via GitHub <sysbot+gh@w3.org>
- Date: Tue, 25 Jun 2019 00:56:47 +0000
- To: public-css-archive@w3.org
1) Fingerprinting doesn't get solved until you start solving it :) saying "this isn't the *worst* vector, so lets not fix" seems like a sure fire way to make sure fingerprinting never gets better 2) font based finger printing actually is one of the worst FP methods thought! See the Panopticlick paper / project linked above, the [Beauty and the beast: Diverting modern web browsers to build unique browser fingerprints](https://hal.inria.fr/hal-01285470/document) paper, and many others (happy to provide links if you like). They all find the same thing: fonts are hugely identifying if you have anything but the default configuration (put differently: if you allow non-system fonts to be used, it will be hugely identifying in the cases where its useful, and not useful in the cases its not identifying) 3) You might consider the statement from PING regarding meta-standards for standards (e.g. ways to fix privacy in web standards). From the third section of the recent PING blog post, [Privacy Anti-Patterns In Standards](https://www.w3.org/blog/2019/06/privacy-anti-patterns-in-standards/), there being bigger problems elsewhere doesn't obviate the need for standards to address the privacy harm they introduce. (note: I wrote it, but its agreed to by the IG) 4) I think @AmeliaBR has the exactly right idea: fonts should give no more information away than "browser & OS & preferred language". So no argument against making the system fonts "the non-user installed fonts for the current system language." So not "all fonts for all languages", but something narrower than that. Would that address the concern? -- GitHub Notification of comment by snyderp Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/4055#issuecomment-505235082 using your GitHub account
Received on Tuesday, 25 June 2019 00:56:50 UTC