W3C home > Mailing lists > Public > public-privacy@w3.org > October to December 2012

skeleton draft regarding fingerprinting guidance

From: Nicholas Doty <npdoty@w3.org>
Date: Tue, 4 Dec 2012 17:21:58 -0800
Message-Id: <9235F930-7285-4110-A0BE-74CDF2C4B821@w3.org>
To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Hi all,

Inspired by conversations at the TPAC breakout session on fingerprinting, I've started an outline/draft of a document for giving positive guidance to spec authors about what fingerprinting is exactly and how we might address it across specs.

As you can see, this is a mostly empty outline and obviously just a beginning, and I'm certainly not wedded to any of it. But I thought it might be a good basis for conversation, perhaps on this week's conference call, or just on the list. In particular, documenting the different threats or different levels of success sounded like it would be useful for spec authors who we hear are already thinking about this balancing act.

Thanks in advance for all your thoughts,
Nick

P.S. Written in Markdown, forgive me if you don't like this syntax. I'm happy to throw this on the wiki or on github if people would like to collaborate on it actively.


# Fingerprinting Guidance for Specification Authors

In short, browser fingerprinting is:
> the capability of a site to identify or re-identify a visiting user, user agent or device via configuration settings or other observable characteristics.

(A more detailed list of types of fingerprinting is included below.)

## Privacy threat models

Browser fingerprinting is a potential threat to privacy on the Web. This document does not attempt to provide a single unifying definition of privacy, but we note concerns about loss of anonymity and unexpected correlation of online activity.

Following from the practice of security threat model analysis, we note that there are distinct models of privacy threats for fingerprinting. Defenses against these threats differ, depending on the kind of user and concern.

* Personal safety and anonymous browsing:

> For some users, personal physical safety can be impacted if their online activities can be associated with their real-world identity -- for example, a political author under an unfriendly regime. Correlation of activity across sites (using a common fingerprint) might allow an attacker to connect a name to an online pseudonym. Such users might employ onion routing systems such as Tor to limit network-level linkability but still face the danger of browser-fingerprinting to correlate their Web-based activity.

* Unexpected correlation of browsing activity:

> Fingerprinting provides privacy concerns even when real-world identities are not implicated. Some users may be surprised or concerned that an online party can correlate multiple visits (on the same or different sites) to develop a profile or history of the user. This concern is heightened because tools such as clearing cookies do not prevent or "re-set" correlation done via browser fingerprinting.

There are also different levels of success in addressing browser fingerprinting:

* Decreased fingerprinting surface:
* Increased anonymity set: 
* Client-preventable fingerprinting: 
* Externally detectable fingerprinting: 

## Types of fingerprinting

### Passive

### Active

### Cookie-like (setting/retrieving local state)

## Mitigations and guidance

### Weighing increased fingerprinting surface

### A standardized profile?

### Do Not Track: a cooperative approach

## Research

[What are the key papers to read here, historically or to give the latest on fingerprinting techniques? What are some areas of open research that might be relevant?]

## References
Received on Wednesday, 5 December 2012 01:22:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 5 December 2012 01:22:06 GMT