RE: TPAC breakout session - Is user agent Fingerprinting a lost cause?

From: Rob van Eijk <rob@blaeu.com>
Date: Wed, 24 Oct 2012 19:57:57 +0200
To: <public-privacy@w3.org>
Message-ID: <91ecd428d6274171b863d10ce436707d@xs4all.nl>

Hi JC,

No, the opposite, it is not ok. It is important to distinguish between 
active and passive fingerprinting though. Active fingerprinting (scripts 
in the browser) is subject to the same rules as cookies are in the EU 
(e-Privacy Directive).

For passive fingerprinting which, to my knowledge but correct me if I
am wrong, takes place on the server (IP address, HTTP header info like UA,
referrer etc.), the Directive would kick in. It would in (most) EU
countries be considered a processing of personal data.

Rob

JC Cannon schreef op 2012-10-24 19:34:
> Rob,
>
> Are you stating that fingerprinting is okay for tracking user 
> consent?
>
> Thanks,
> JC
>
> -----Original Message-----
> From: Rob van Eijk [mailto:rob@blaeu.com]
> Sent: Wednesday, October 24, 2012 10:04 AM
> To: public-privacy@w3.org
> Subject: RE: TPAC breakout session - Is user agent Fingerprinting a
> lost cause?
>
> Hi JC,
>
> Fingerprinting is, just like most cookies, subject to article 5.3 of
> the e-privacy directive. A privacy risk that I see increasing as a
> consequence of DNT and EU cookie consent is that companies are most
> likely pushing towards a bypass of DNT, i.e. gaining out of band
> (server based) consent and storing that user choice in databases.
> Fingerprinting can be used in that use case to identify a user and
> subsequently find out by querying the consent database whether a user
> has given consent.
>
> Rob
>
> JC Cannon schreef op 2012-10-24 17:29:
>> I feel this is a great topic to discuss in light of the DNT and EU
>> cookie consent work happening. Both will limit the ability to use
>> cookies to re-identify a returning user/computer to a website. If
>> cookies are not viable it may push websites to use fingerprinting.
>> I'm hoping this discussion will provide ideas for two big problems:
>>
>> 1. How to minimize the ability for browsers to be fingerprinted.
>> 2. Providing a privacy-friendly way for users to build a relationship
>> with trusted websites.
>>
>> JC
>>
>> -----Original Message-----
>>
>>> From: Christine Runnegar [mailto:runnegar@isoc.org]
>>> Sent: Sunday, October 21, 2012 7:09 AM
>>> To: public-privacy@w3.org mailing list)
>>> Cc: Hill, Brad
>>> Subject: TPAC breakout session - Is user agent Fingerprinting a lost
>>> cause?
>>>
>>> As mentioned on our call on 18 October 2012, Brad Hill has kindly
>>> proposed a session entitled "Is user agent Fingerprinting a lost
>>> cause?".
>>>
>>> The session description from the TPAC wiki is set out below.
>>>
>>> http://www.w3.org/wiki/TPAC2012/SessionIdeas#Is_user_agent_Fingerprinting_a_lost_cause.3F
>>>
>>> ------
>>>
>>> As more features and functionality are added to the Web browser, the
>>> more risks we create in terms of privacy and security. As user agent
>>> complexity increases, and as they expose more "native" variation in
>>> the underlying platform, so does their ability to be uniquely
>>> identified (and users tracked) through capability analysis.
>>>
>>> The EFF's Panopticlick project already tracks ~60 bits of identifying
>>> information available in the typical user agent and certainly a more
>>> determined effort could find more, in addition to information
>>> available through lower-layer technologies like TCP or side-channels
>>> like JavaScript performance profiling.
>>>
>>> What responsibility do W3C WG's have to make their technologies
>>> passive-privacy friendly, and how is that to be balanced with
>>> discoverability and usability?
>>>
>>> Topics:
>>>
>>> - Is preventing fingerprinting a lost cause in the general purpose
>>> web user agent?
>>> - Where is the bar on trackability? Life-critical anonymity for
>>> political dissidents is different in what we can and must promise vs.
>>> "casual" anonymity for e.g. advertising
>>> - Lessons from Do Not Track on technical vs. policy-driven approaches
>>> - Lessons from anonymous / incognito browser modes
>>> - Should specs provide standard defaults for anonymous / incognito /
>>> Tor browser modes?
Received on Wednesday, 24 October 2012 17:58:30 GMT
