- From: Jonas Sicking <jonas@sicking.cc>
- Date: Thu, 28 Apr 2011 19:34:01 -0700
- To: Maciej Stachowiak <mjs@apple.com>, Richard Schwerdtfeger <schwer@us.ibm.com>
- Cc: HTMLWG WG <public-html@w3.org>
Hi WG and WG Chairs,

I have some new information that I think is relevant to this decision. Specifically, this decision calls for adding a feature which allows a webpage to ask the UA for the cursor blink period of the platform that the user is currently using. This API has two problems:

A) This is an actively harmful API in that it allows fingerprinting the user. I.e. a webpage could use this information, in combination with a lot of other information to with high statistical probability identify a user. There are already many such APIs, however several browser vendors are going through great pain to try to remove such APIs as to reduce the ability to fingerprint a user.

B) I don't think it will be possible to get all commonly used browsers to implement this feature. Specifically, I think it's unlikely that we'd implement it in Firefox. This for the following reasons:

1. I don't want people to write text editors using canvas. They are bound to get a lot of things resulting in worse user experience for users. *Especially* for users that use AT.

2. It's not worth the engineering time needed. Weeding through the various platform APIs on which Firefox runs to try to get at this information is non-trivial. The time could be spent on features that help users more.

3. The fact that it can be used for fingerprinting as described in A above. Especially given that the value of the API is relatively low. At worst the cursor would blink at a different rate on some webpages compared to elsewhere in the user's environment. This isn't a loss of functionality or usability. At the most it is an annoyance. So the privacy-cost vs. value ratio is very bad here.

If this new API is still added to the spec, we'd likely make Firefox always return 500ms or some similar constant as this removes the ability to fingerprint, while still allowing the page to work. However, before that we'd likely hold off implementing the feature completely and hope that it's removed from future drafts.

Note that as usual, I'm not speaking for all of the Mozilla project. However I am speaking as someone that works a lot on our scripting APIs, as well as someone that takes part in a lot of our security and privacy reviews.

/ Jonas
Received on Friday, 29 April 2011 02:34:58 UTC
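
The fingerprinting cost and the constant-value mitigation described in the message above can be measured as anonymity-set sizes. The following is an added example, not part of the original email or of any browser's code; the population, the attribute names (`platform`, `tz`, `blinkMs`) and every value in it are constructed for illustration.

```javascript
// Constructed sample population; values are illustrative, not measured defaults.
const profiles = [
  { platform: "Win",   tz: "UTC-8", blinkMs: 530 },
  { platform: "Win",   tz: "UTC-8", blinkMs: 530 },
  { platform: "Win",   tz: "UTC-8", blinkMs: 200 },   // user changed the setting
  { platform: "Win",   tz: "UTC-8", blinkMs: 1200 },  // user changed the setting
  { platform: "Mac",   tz: "UTC+1", blinkMs: 560 },
  { platform: "Mac",   tz: "UTC+1", blinkMs: 560 },
  { platform: "Linux", tz: "UTC+1", blinkMs: 600 },
  { platform: "Linux", tz: "UTC+1", blinkMs: 1000 },
];

// Group users by the attributes a page can read; each group is an anonymity set.
function anonymitySets(population, keys) {
  const sets = new Map();
  for (const p of population) {
    const id = keys.map((k) => String(p[k])).join("|");
    sets.set(id, (sets.get(id) || 0) + 1);
  }
  return sets;
}

// Users who are alone in their set, i.e. singled out by these attributes.
function uniqueUsers(population, keys) {
  let n = 0;
  for (const size of anonymitySets(population, keys).values()) if (size === 1) n++;
  return n;
}

// Shannon entropy (bits) that the combined attributes reveal about a user.
function entropyBits(population, keys) {
  let h = 0;
  for (const size of anonymitySets(population, keys).values()) {
    const p = size / population.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// The mitigation from the message: every user reports the same constant.
function withConstantBlink(population, constantMs = 500) {
  return population.map((p) => ({ ...p, blinkMs: constantMs }));
}

const base = ["platform", "tz"];
const all = [...base, "blinkMs"];
console.log("no blink API  :", uniqueUsers(profiles, base), entropyBits(profiles, base));
console.log("real blink    :", uniqueUsers(profiles, all), entropyBits(profiles, all));
console.log("constant blink:", uniqueUsers(withConstantBlink(profiles), all),
            entropyBits(withConstantBlink(profiles), all));
```

In this constructed population the real blink period adds one bit and singles out four of eight users, while the constant leaves the page no better informed than if the API did not exist.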