W3C home > Mailing lists > Public > public-privacy@w3.org > October to December 2012

RE: TPAC breakout session - Is user agent Fingerprinting a lost cause?

From: JC Cannon <jccannon@microsoft.com>
Date: Wed, 24 Oct 2012 17:34:29 +0000
To: "rob@blaeu.com" <rob@blaeu.com>, "public-privacy@w3.org" <public-privacy@w3.org>
Message-ID: <BB17D596C94A854E9EE4171D33BBCC810160B799@TK5EX14MBXC239.redmond.corp.microsoft.com>
Rob,

Are you stating that fingerprinting is okay for tracking user consent?

Thanks,
JC

-----Original Message-----
From: Rob van Eijk [mailto:rob@blaeu.com] 
Sent: Wednesday, October 24, 2012 10:04 AM
To: public-privacy@w3.org
Subject: RE: TPAC breakout session - Is user agent Fingerprinting a lost cause?

Hi JC,

Fingerprinting is just like most cookies subject to article 5.3 of the e-privacy directive. A privacy risk that I see increasing as a consequence of DNT and EU cookie consent is that companies are most likely pushing towards a bypass of DNT, i.e. gaining out of band (server
based) consent and store that user choice in databases. Fingerprinting can be used in that usecase to identify a user and subsequently find out by querying the consent database whether a user has given consent.

Rob

JC Cannon schreef op 2012-10-24 17:29:
> I feel this is a great topic to discuss in light of the DNT and EU 
> cookie consent work happening. Both will limit the ability to use 
> cookies to re-identify a returning user/computer to a website. If 
> cookies are not viable it may push websites to use fingerprinting.
> I'm
> hoping this discussion will provide ideas for two big problems:
>
> 1. How to minimize the ability for browsers to be fingerprinted.
> 2. Providing a privacy-friendly way for users to build a relationship 
> with trusted websites.
>
> JC
>
> -----Original Message-----
>
>> From: Christine Runnegar [mailto:runnegar@isoc.org]
>> Sent: Sunday, October 21, 2012 7:09 AM
>> To: public-privacy@w3.org mailing list)
>> Cc: Hill, Brad
>> Subject: TPAC breakout session - Is user agent Fingerprinting a lost 
>> cause?
>>
>> As mentioned on our call on 18 October 2012, Brad Hill has kindly 
>> proposed a session entitled "Is user agent Fingerprinting a lost 
>> cause?".
>>
>> The session description from the TPAC wiki is set out below.
>>
>> 
>> http://www.w3.org/wiki/TPAC2012/SessionIdeas#Is_user_agent_Fingerprin

>> ting_a_lost_cause.3F
>>
>> ------
>>
>> As more features and functionality are added to the Web browser, the 
>> more risks we create in terms of privacy and security. As user agent 
>> complexity increases, and as they expose more "native" variation in 
>> the underlying platform, so does their ability to be uniquely 
>> identified (and users tracked) through capability analysis.
>>
>> The EFF's Panopticlick project already tracks ~60 bits of identifying 
>> information available in the typical user agent and certainly a more 
>> determined effort could find more, in addition to information 
>> available through lower-layer technologies like TCP or side-channels 
>> like JavaScript performance profiling.
>>
>> What responsibility do W3C WG's have to make their technologies 
>> passive-privacy friendly, and how is that to be balanced with 
>> discoverability and usability?
>>
>> Topics:
>>
>> - Is preventing fingerprinting a lost cause in the general purpose 
>> web user agent?
>> - Where is the bar on trackability? Life-critical anonymity for 
>> political dissidents is different in what we can and must promise vs.
>> "casual" anonymity for e.g. advertising
>> - Lessons from Do Not Track on technical vs. policy-driven approaches
>> - Lessons from anonymous / incognito browser modes
>> - Should specs provide standard defaults for anonymous / incognito / 
>> Tor browser modes?



Received on Wednesday, 24 October 2012 17:35:36 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 24 October 2012 17:35:36 GMT