Re: Canvas fingerprinting from Justin Brookman on 2014-07-25 (public-privacy@w3.org from July to September 2014)

From: Justin Brookman <jbrookman@cdt.org>
Date: Fri, 25 Jul 2014 10:04:59 -0400
To: Georg Koppen <gk@torproject.org>
Cc: public-privacy@w3.org
Message-Id: <2BC0E88A-1390-45CE-B395-AD10091F4355@cdt.org>

On Jul 23, 2014, at 11:22 AM, Georg Koppen <gk@torproject.org> wrote:

> Mike O'Neill:
>> If the response to canvas and other forms of fingerprinting is an arms-race
>> with browsers and their extensions, the web will turned into a war zone and
>> be ruined for everybody.
>> 
>> This is why we need a meaningful DNT that people trust.
> 
> No, DNT will not help. See the FPDetective paper
> https://www.cosic.esat.kuleuven.be/publications/article-2334.pdf and
> there especially section 7.3.
> 
> Fingerprinting is more and more framed in the context of fraud detection
> and prevention of abuse. Thus, it is getting more and more common to
> ignore DNT because fingerprinting is not used (or at least it is claimed
> so) to track users i.e. to invade their privacy. Rather, it is all about
> devices and end users' quality of service (that's at least the story
> those companies are trying to sell).
> 
> Georg

I think others may disagree about whether tracking for fraud prevention constitutes
any privacy concern.  A DNT signal is a request to sites not to collect data about
users across multiple sites — including for fraud/abuse prevention.  A server can
signal back that it doesn’t track at all, or that it tracks for a very limited set of (in the
server’s opinion) unobjectionable purposes.  Or it can signal back that it tracks for
advertising or doesn’t honor DNT requests at all  The user or user agent can then
make a determination about whether to allow the interaction or not, to disable
certain functionality for the server, or anything else it wants to do.

Justin

>>> -----Original Message-----
>>> From: Rigo Wenning [mailto:rigo@w3.org]
>>> Sent: 21 July 2014 17:43
>>> To: public-privacy@w3.org
>>> Subject: Canvas fingerprinting
>>> 
>>> https://securehomes.esat.kuleuven.be/~gacar/persistent/index.html
>>> 
>>> There was a lot of discussion around canvas and whether it was the right
>>> choice. It may also be the right choice for browser to give users the
>>> option to turn all those nice new features off if they do not want to be
>>> spied upon. To what extend do browsers trust the origin? I think we are
>>> in a field with lots of shades of gray.
>>> 
>>> Otherwise we are left surfing the Web with Amaya if we want privacy.
>>> Amaya knows no cookies, no javascript, no canvas. This can turn into an
>>> advantage..
>>> 
>>> --Rigo
>> 
>> 
>> 
>> 
> 
>

Received on Friday, 25 July 2014 14:06:35 UTC