Re: Fingerprinting Guidance Spec

Dear Nick, Steve,

Thanks for your input. I realize we know both of these works by now (and
thanks to all of their authors)!

So the actionable insight might be: to compel browsers to count particular
uses of APIs and function calls. This is providing great and rich context,
which could then be:
- either interpreted by a browser privacy UI.
or
- interpreted by an extension

But the point is to have standard hooks to make the data easily available.

Another point is to provide even more context by marking what calls (and
how many times) were made by specific scripts (i.e. make the script URL
easily available).

It does not necessarily need to be a matter of making it easier to detect
fingerprinting - one  could imagine this to be part of a side
standard/note/recomendation.

Kind regards
Lukasz Olejnik

2015-10-29 9:55 GMT+00:00 Nick Doty <npdoty@ischool.berkeley.edu>:

> With Steve's permission, sharing these comments/suggestions for the
> Fingerprinting Guidance document. I believe this academic work supports the
> notion that designing APIs to facilitate detection of fingerprinting can
> make a large difference.
>
> I've started an issues list with these and some other comments received on
> Github:
> https://github.com/w3c/fingerprinting-guidance/issues
>
> Feedback is still welcome on this mailing list; I'm just using Github as a
> working mechanism to keep track. You can also comment or raise issues
> directly on Github if you prefer. Pull requests welcome!
>
> Cheers,
> Nick
>
> Begin forwarded message:
>
> *From: *Steven Englehardt <ste@CS.Princeton.EDU <ste@cs.princeton.edu>>
> *Date: *September 10, 2015
> *Subject: **Fingerprinting Guidance Spec*
>
> Hello Nick,
>
> Great work on the fingerprinting guidance spec, I believe it will help
> reduce the fingerprinting surface of future APIs. There are two additional
> papers that I think are helpful to reference.
>
> The first paper is The Web Never Forgets: Persistant Tracking Mechanisms
> in the Wild <https://securehomes.esat.kuleuven.be/~gacar/persistent/>, a
> paper I co-authored. In it, we show how prevalent canvas fingerprinting,
> cookie respawning, and cookie syncing are on the web and evaluate the
> implications of the use of three three vectors in combination with each
> other.
>
> It is helpful as an example of detectability by academics, which you
> address several times in the spec. In general, it's a solid example of
> large scale measurement of two fingerprinting vectors, and of the impact a
> measurement study can have on the use of these APIs for fingerprinting. The
> two largest canvas fingerprinters stopped after we released our paper.
> Addressing issue #2 in Section 5.3, it's an example of how the design of
> the canvas API allowed us to detect the use of canvas for fingerprinting
> very accurately.
>
> The second is The Leaking Battery: A privacy analysis of the HTML5
> Battery Status API <https://eprint.iacr.org/2015/616.pdf>. This paper
> shows how the design of the Battery Status API on Linux enabled
> fingerprintability. It highlights the importance of consistency across user
> agents (Section 5.2 Issue #1). It also shows that API designers should take
> care to expose the minimum amount of precision necessary for operation of a
> feature, a point that I think can be strengthened in the report.
>
> Thanks for your work on this!
>
> -Steve
>
>

Received on Thursday, 29 October 2015 23:13:10 UTC