Re: Network Information API published as FPWD

On Jun 14, 2011, at 15:59 , Olli Pettay wrote:
> Even the current API allows a bit too much fingerprinting, I think.
> The fact that a web app can know that the user is using a 2G connection
> is a quite strong hint (at least in some countries) that the user is
> somewhere in the countryside. (There are perhaps already other ways to
> detect that, but this is a new way.)
> The connection type is yet more information about the user and his devices
> that web apps can get, and so it perhaps should be accessible only
> if the user gives permission.

Far be it from me to suggest that fingerprinting is not an important consideration — it most certainly is — but we can't just start using it systematically as DAP's Ockham's razor lest we do nothing at all! I think that we have to accept that there will be new information that can help fingerprint browsers (frankly, given the precision of current fingerprinting it's unclear how much any addition does indeed hurt — http://panopticlick.eff.org/ is a good demo). Putting everything behind a security prompt is not a good solution; it actually makes users care less about privacy. So while we should be very careful when we decide to expose information unprotected, I think we should be equally careful in not going too far in the other direction.

It could be quite interesting if someone were to scare up a set of criteria for when something allows for too much fingerprinting and when it seems okay.

-- 
Robin Berjon - http://berjon.com/ - @robinberjon

Received on Tuesday, 14 June 2011 14:42:07 UTC