Re: Fingerprinting guidance update; responding to feedback, Note publication?

From: Robin Wilton <wilton@isoc.org>
Date: Sat, 29 Aug 2015 14:55:48 +0000
To: Joseph Lorenzo Hall <joe@cdt.org>
CC: David Singer <singer@apple.com>, Nicholas Doty <npdoty@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <6899680D-91EE-466F-8A6B-1259DAB8C702@isoc.org>

Worth, in that case, talking to some geolocation folks, as they have lots of experience of adjusting the precision of the data accessible via an API...

R

Robin Wilton

Technical Outreach Director - Identity and Privacy

On 28 Aug 2015, at 20:16, "Joseph Lorenzo Hall" <joe@cdt.org> wrote:

> That's a good point, we should check to see if there is a warning
> about overly-precise API elements and add that if not. Nick, holler if
> you want text! best, Joe
> 
> On Thu, Aug 27, 2015 at 11:24 PM, David Singer <singer@apple.com> wrote:
>> Does this draft need to mention avoidance of enabling fingerprinting by excessive precision of an otherwise ‘innocuous’ API?  (E.g. I can differentiate batteries, and hence distinct visitors, by looking at precise measurements of batteries).
>> 
>> 
>>> On Aug 27, 2015, at 22:54 , Joseph Lorenzo Hall <joe@cdt.org> wrote:
>>> 
>>> It would be great to start the process to publish this as a draft PING note! The new changes look awesome, Nick.
>>> 
>>> There are still some outstanding things in the document; are those ok for a draft note, or do we need to try to close them out before we publish?
>>> 
>>> The note in 1.2.1 seems to be dealt with by adding a blurb about how this is not distinct from unexpected correlation (although why 1.2.2 is not enough, I don't know) and clarifying that this practice can result in collapsing pseudonymous identities into linked personas or something like that.
>>> 
>>> We should definitely reach out to the HTML WG to ask if the fingerprint warning indicia has been useful or helpful.
>>> 
>>> I don't think I understand ISSUE 1... can we say anything about best practices across UA implementations that might require cooperation outside of the spec?
>>> 
>>> 
>>> 
>>> On Sun, Aug 23, 2015 at 9:58 PM, Nick Doty <npdoty@w3.org> wrote:
>>> I've revised the Fingerprinting Guidance for Web Specification Authors text, responding as best I can to comments from the TAG, the Tor Browser folks and other comments via mailing list.
>>> 
>>> http://w3c.github.io/fingerprinting-guidance/
>>> 
>>> Changes in particular include:
>>> * moving feasibility question up earlier, emphasizing realism/pessimism
>>> * clarifying some of the best practices, regarding unnecessary additions to fingerprinting surface
>>> * additional examples and references (in particular, to the TAG finding on unsanctioned tracking)
>>> * filling in to-do sections (and marking remaining ones with issue boxes)
>>> 
>>> To clarify the status of this document and to gather wider review, I think it would be useful to publish this as a draft Interest Group Note. As a Process matter, that would consist of: the Interest Group deciding we want to publish it as an Interest Group Note; getting confirmation from the domain lead that we can use this name/shortname; publishing a snapshot on w3.org indicating its status as a draft Note; asking chairs and other groups for feedback.
>>> 
>>> And in any case, I'd welcome further feedback, additions, subtractions and the like. I get the impression that specific examples from different specs/Working Groups would be the most welcome addition.
>>> 
>>> Thanks,
>>> Nick
>>> 
>>> 
>>> 
>>> --
>>> Joseph Lorenzo Hall
>>> Chief Technologist
>>> Center for Democracy & Technology
>>> 1634 I ST NW STE 1100
>>> Washington DC 20006-4011
>>> (p) 202-407-8825
>>> (f) 202-637-0968
>>> joe@cdt.org
>>> PGP: https://josephhall.org/gpg-key
>>> fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
>>> 
>>> 
>> 
>> David Singer
>> Manager, Software Standards, Apple Inc.
>> 
> 
> 
> 
> -- 
> Joseph Lorenzo Hall
> Chief Technologist
> Center for Democracy & Technology
> 1634 I ST NW STE 1100
> Washington DC 20006-4011
> (p) 202-407-8825
> (f) 202-637-0968
> joe@cdt.org
> PGP: https://josephhall.org/gpg-key
> fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
> 
Received on Saturday, 29 August 2015 14:56:22 UTC
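
The thread's point about excessive precision in an otherwise innocuous API, and about adjusting the precision an API exposes, can be checked by a spec author or implementer before shipping. The following is an added example, not part of the original messages or of the fingerprinting guidance draft; the sample readings are constructed, and the function names and the assumption that a battery level is reported as a fraction between 0 and 1 are illustrative.

```javascript
// Constructed sample (not measured data): battery levels as ten visitors'
// devices might report them at full precision, as a fraction between 0 and 1.
const SAMPLE_LEVELS = [0.8731, 0.8749, 0.8702, 0.4218, 0.4291,
                       0.4233, 0.1507, 0.1562, 0.9911, 0.9934];

// Round a reading to a fixed step (0.01 = whole percent, 0.1 = tenths).
function quantize(value, step) {
  // toFixed strips floating-point noise such as 0.30000000000000004
  return Number((Math.round(value / step) * step).toFixed(6));
}

// Count how many visitors report each value.
function tally(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  return counts;
}

// Shannon entropy in bits of the reported values: more bits means the
// attribute contributes more to telling visitors apart.
function entropyBits(values) {
  let h = 0;
  for (const c of tally(values).values()) {
    const p = c / values.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Summarise what an API would expose at a given precision.
// step = 0 means "report the raw value".
function assess(levels, step) {
  const reported = step ? levels.map((v) => quantize(v, step)) : levels.slice();
  const counts = [...tally(reported).values()];
  return {
    distinct: counts.length,             // number of distinguishable values
    entropy: entropyBits(reported),      // bits contributed to a fingerprint
    smallestSet: Math.min(...counts),    // 1 means some visitor is unique
  };
}

for (const step of [0, 0.01, 0.1]) {
  console.log(step === 0 ? "raw" : `step ${step}`, assess(SAMPLE_LEVELS, step));
}
```

On this sample, whole-percent rounding still leaves some visitors alone in their group; only the coarser step puts every visitor in a group of at least two.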
