W3C home > Mailing lists > Public > public-privacy@w3.org > October to December 2012

Re: TPAC breakout session - Is user agent Fingerprinting a lost cause?

From: Joanne Furtsch <jfurtsch@truste.com>
Date: Wed, 24 Oct 2012 10:08:09 -0700
To: "rob@blaeu.com" <rob@blaeu.com>
CC: "public-privacy@w3.org" <public-privacy@w3.org>
Message-ID: <67A32FE2-902D-40AC-A918-2FA3A6645132@truste.com>
I think this will be a great topic to discuss as we are seeing this technology being used more. 

Joanne 

Sent from my iPhone

On Oct 24, 2012, at 1:05 PM, "Rob van Eijk" <rob@blaeu.com> wrote:

> Hi JC,
> 
> Fingerprinting is just like most cookies subject to article 5.3 of the 
> e-privacy directive. A privacy risk that I see increasing as a 
> consequence of DNT and EU cookie consent is that companies are most 
> likely pushing towards a bypass of DNT, i.e. gaining out of band (server 
> based) consent and store that user choice in databases. Fingerprinting 
> can be used in that usecase to identify a user and subsequently find out 
> by querying the consent database whether a user has given consent.
> 
> Rob
> 
> JC Cannon schreef op 2012-10-24 17:29:
>> I feel this is a great topic to discuss in light of the DNT and EU
>> cookie consent work happening. Both will limit the ability to use
>> cookies to re-identify a returning user/computer to a website. If
>> cookies are not viable it may push websites to use fingerprinting. 
>> I'm
>> hoping this discussion will provide ideas for two big problems:
>> 
>> 1. How to minimize the ability for browsers to be fingerprinted.
>> 2. Providing a privacy-friendly way for users to build a relationship
>> with trusted websites.
>> 
>> JC
>> 
>> -----Original Message-----
>> 
>>> From: Christine Runnegar [mailto:runnegar@isoc.org]
>>> Sent: Sunday, October 21, 2012 7:09 AM
>>> To: public-privacy@w3.org mailing list)
>>> Cc: Hill, Brad
>>> Subject: TPAC breakout session - Is user agent Fingerprinting a lost 
>>> cause?
>>> 
>>> As mentioned on our call on 18 October 2012, Brad Hill has kindly 
>>> proposed a session entitled "Is user agent Fingerprinting a lost 
>>> cause?".
>>> 
>>> The session description from the TPAC wiki is set out below.
>>> 
>>> 
>>> http://www.w3.org/wiki/TPAC2012/SessionIdeas#Is_user_agent_Fingerprinting_a_lost_cause.3F
>>> 
>>> ------
>>> 
>>> As more features and functionality are added to the Web browser, the 
>>> more risks we create in terms of privacy and security. As user agent 
>>> complexity increases, and as they expose more "native" variation in 
>>> the underlying platform, so does their ability to be uniquely 
>>> identified (and users tracked) through capability analysis.
>>> 
>>> The EFF's Panopticlick project already tracks ~60 bits of 
>>> identifying information available in the typical user agent and 
>>> certainly a more determined effort could find more, in addition to 
>>> information available through lower-layer technologies like TCP or 
>>> side-channels like JavaScript performance profiling.
>>> 
>>> What responsibility do W3C WG's have to make their technologies 
>>> passive-privacy friendly, and how is that to be balanced with 
>>> discoverability and usability?
>>> 
>>> Topics:
>>> 
>>> - Is preventing fingerprinting a lost cause in the general purpose 
>>> web user agent?
>>> - Where is the bar on trackability? Life-critical anonymity for 
>>> political dissidents is different in what we can and must promise vs. 
>>> "casual" anonymity for e.g. advertising
>>> - Lessons from Do Not Track on technical vs. policy-driven 
>>> approaches
>>> - Lessons from anonymous / incognito browser modes
>>> - Should specs provide standard defaults for anonymous / incognito / 
>>> Tor browser modes?
> 
> 
Received on Wednesday, 24 October 2012 17:14:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 24 October 2012 17:14:19 GMT