RE: TPAC breakout session - Is user agent Fingerprinting a lost cause?

Hi Rob,

Surely if you get user consent then it would be fine to use either cookies or any other method to do that. It would be better to use cookies because fingerprinting could be misused by bad actors to identify users without consent, and we should have browsers that minimise that risk (by making fingerprinting as near to impossible as we can get). It is relatively simple to detect cookies that have been placed without agreement.

Mike


-----Original Message-----
From: Rob van Eijk [mailto:rob@blaeu.com]
Sent: 24 October 2012 18:04
To: public-privacy@w3.org
Subject: RE: TPAC breakout session - Is user agent Fingerprinting a lost cause?

Hi JC,

Fingerprinting is, just like most cookies, subject to article 5.3 of the e-privacy directive. A privacy risk that I see increasing as a consequence of DNT and EU cookie consent is that companies are most likely pushing towards a bypass of DNT, i.e. gaining out-of-band (server-based) consent and storing that user choice in databases. Fingerprinting can be used in that use case to identify a user and subsequently find out, by querying the consent database, whether a user has given consent.

Rob

JC Cannon wrote on 2012-10-24 17:29:
> I feel this is a great topic to discuss in light of the DNT and EU 
> cookie consent work happening. Both will limit the ability to use 
> cookies to re-identify a returning user/computer to a website. If 
> cookies are not viable it may push websites to use fingerprinting.
> I'm hoping this discussion will provide ideas for two big problems:
>
> 1. How to minimize the ability for browsers to be fingerprinted.
> 2. Providing a privacy-friendly way for users to build a relationship 
> with trusted websites.
>
> JC
>
> -----Original Message-----
>
>> From: Christine Runnegar [mailto:runnegar@isoc.org]
>> Sent: Sunday, October 21, 2012 7:09 AM
>> To: public-privacy@w3.org mailing list
>> Cc: Hill, Brad
>> Subject: TPAC breakout session - Is user agent Fingerprinting a lost 
>> cause?
>>
>> As mentioned on our call on 18 October 2012, Brad Hill has kindly 
>> proposed a session entitled "Is user agent Fingerprinting a lost 
>> cause?".
>>
>> The session description from the TPAC wiki is set out below.
>>
>> http://www.w3.org/wiki/TPAC2012/SessionIdeas#Is_user_agent_Fingerprinting_a_lost_cause.3F
>>
>> ------
>>
>> As more features and functionality are added to the Web browser, the 
>> more risks we create in terms of privacy and security. As user agent 
>> complexity increases, and as they expose more "native" variation in 
>> the underlying platform, so does their ability to be uniquely 
>> identified (and users tracked) through capability analysis.
>>
>> The EFF's Panopticlick project already tracks ~60 bits of identifying 
>> information available in the typical user agent and certainly a more 
>> determined effort could find more, in addition to information 
>> available through lower-layer technologies like TCP or side-channels 
>> like JavaScript performance profiling.
>>
>> What responsibility do W3C WGs have to make their technologies 
>> passive-privacy friendly, and how is that to be balanced with 
>> discoverability and usability?
>>
>> Topics:
>>
>> - Is preventing fingerprinting a lost cause in the general purpose 
>> web user agent?
>> - Where is the bar on trackability? Life-critical anonymity for 
>> political dissidents is different in what we can and must promise vs.
>> "casual" anonymity for e.g. advertising
>> - Lessons from Do Not Track on technical vs. policy-driven approaches
>> - Lessons from anonymous / incognito browser modes
>> - Should specs provide standard defaults for anonymous / incognito / 
>> Tor browser modes?

Received on Wednesday, 24 October 2012 17:55:23 UTC