Re: Fingerprinting guidance update; responding to feedback, Note publication?

From: Joseph Lorenzo Hall <joe@cdt.org>
Date: Fri, 28 Aug 2015 15:13:00 -0400
Message-ID: <CABtrr-Xd=7210dbsOLMqXqCLqGXZrzM7Fceq0c5q302n28CpOA@mail.gmail.com>
To: David Singer <singer@apple.com>
Cc: Nicholas Doty <npdoty@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>

That's a good point, we should check to see if there is a warning
about overly-precise API elements and add that if not. Nick, holler if
you want text! best, Joe

On Thu, Aug 27, 2015 at 11:24 PM, David Singer <singer@apple.com> wrote:
> Does this draft need to mention avoidance of enabling fingerprinting by excessive precision of an otherwise ‘innocuous’ API?  (E.g. I can differentiate batteries, and hence distinct visitors, by looking at precise measurements of batteries).
>
>
>> On Aug 27, 2015, at 22:54 , Joseph Lorenzo Hall <joe@cdt.org> wrote:
>>
>> It would be great to start the process to publish this as a draft PING note! The new changes look awesome, Nick.
>>
>> There are still some outstanding things in the document; are those ok for a draft note, or do we need to try to close them out before we publish?
>>
>> The note in 1.2.1 seems to be dealt with by adding a blurb about how this is not distinct from unexpected correlation (although why 1.2.2 is not enough, I don't know) and clarifying that this practice can result in collapsing pseudonymous identities into linked personas or something like that.
>>
>> We should definitely reach out to the HTML WG to ask if the fingerprint warning indicia has been useful or helpful.
>>
>> I don't think I understand ISSUE 1... can we say anything about best practices across UA implementations that might require cooperation outside of the spec?
>>
>>
>>
>> On Sun, Aug 23, 2015 at 9:58 PM, Nick Doty <npdoty@w3.org> wrote:
>> I've revised the Fingerprinting Guidance for Web Specification Authors text, responding as best I can to comments from the TAG, the Tor Browser folks and other comments via mailing list.
>>
>> http://w3c.github.io/fingerprinting-guidance/
>>
>> Changes in particular include:
>> * moving feasibility question up earlier, emphasizing realism/pessimism
>> * clarifying some of the best practices, regarding unnecessary additions to fingerprinting surface
>> * additional examples and references (in particular, to the TAG finding on unsanctioned tracking)
>> * filling in to-do sections (and marking remaining ones with issue boxes)
>>
>> To clarify the status of this document and to gather wider review, I think it would be useful to publish this as a draft Interest Group Note. As a Process matter, that would consist of: the Interest Group deciding we want to publish it as an Interest Group Note; getting confirmation from the domain lead that we can use this name/shortname; publishing a snapshot on w3.org indicating its status as a draft Note; asking chairs and other groups for feedback.
>>
>> And in any case, I'd welcome further feedback, additions, subtractions and the like. I get the impression that specific examples from different specs/Working Groups would be the most welcome addition.
>>
>> Thanks,
>> Nick
>>
>>
>>
>> --
>> Joseph Lorenzo Hall
>> Chief Technologist
>> Center for Democracy & Technology
>> 1634 I ST NW STE 1100
>> Washington DC 20006-4011
>> (p) 202-407-8825
>> (f) 202-637-0968
>> joe@cdt.org
>> PGP: https://josephhall.org/gpg-key
>> fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
>>
>>
>
> David Singer
> Manager, Software Standards, Apple Inc.
>



-- 
Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
Received on Friday, 28 August 2015 19:13:48 UTC
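
The precision concern raised in the quoted message above can be measured before an API ships. The following is an added example, not part of the original thread or of the guidance document: it groups readings into buckets at several reporting precisions and reports how many visitors remain alone in their bucket. The sample battery-level values and all function names are constructed for illustration.

```javascript
// Constructed sample: battery "level" readings for eight visitors as a
// hypothetical API might expose them at high precision (not real data).
const SAMPLE_LEVELS = [
  0.8731, 0.8749, 0.8712, 0.4218, 0.4263, 0.4291, 0.9954, 0.9968,
];

// Group readings by the bucket they fall into when reported with the
// given step (0.01 = whole percent). Integer bucket indexes are used as
// keys so floating-point noise cannot split one bucket into two.
function anonymitySets(levels, step) {
  const counts = new Map();
  for (const v of levels) {
    const bucket = Math.round(v / step);
    counts.set(bucket, (counts.get(bucket) || 0) + 1);
  }
  return counts;
}

// Shannon entropy in bits of the bucket distribution: the identifying
// information a single reading contributes within this population.
function entropyBits(levels, step) {
  let h = 0;
  for (const c of anonymitySets(levels, step).values()) {
    const p = c / levels.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// For each candidate precision: number of distinct buckets, number of
// visitors alone in their bucket, and entropy rounded to two decimals.
function precisionReport(levels, steps) {
  return steps.map((step) => {
    const sets = [...anonymitySets(levels, step).values()];
    return {
      step,
      buckets: sets.length,
      unique: sets.filter((c) => c === 1).length,
      bits: Number(entropyBits(levels, step).toFixed(2)),
    };
  });
}

console.log(precisionReport(SAMPLE_LEVELS, [0.0001, 0.01, 0.1]));
```

On this sample, coarsening the reported value from four decimal places to one removes every singleton bucket, which is the kind of check a specification author can run when choosing the precision an API exposes.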