W3C home > Mailing lists > Public > public-web-perf@w3.org > September 2012

[NavigationTiming] Privacy and fingerprintability

From: Wendy Seltzer <wseltzer@w3.org>
Date: Tue, 11 Sep 2012 17:38:01 -0400
Message-ID: <504FAF39.109@w3.org>
To: public-web-perf@w3.org
I know it's late in the process, but I wanted to add a privacy concern
to the mix: Navigation timing can add to the fingerprintability of
browsers.  Even limited to same-origin, that origin's profiling of
browser latency could link multiple browsing sessions in unexpected
ways, hindering users' ability to browse anonymously. [0] (This is of
particular concern to the Tor Project [1], which aims to provide strong
anonymity through the Tor Browser Bundle [2] -- a uniformly
pre-configured browser and onion-routed anonymized network connections.)

Noting that several of the Web Performance specs have fingerprinting
implications, I wonder whether the group might consider the linking
attack, distinct from private information disclosure. For example, if
someone doesn't want a website to be able to correlate comments with a
login ID, he might log out, clear cookies, and write under a pseudonym,
but still be identifiable based on his browser timing connecting his
would-be-anonymous activity to previous sessions.

As a general response, then, should there be a way to disable response
to timing information requests? More broadly, might we consider a
standard profile for anonymous browsing (incognito mode, private
browsing) that disables uniquely identifying features (despite the
possible performance hit) to provide a larger anonymity set?

Thanks,
--Wendy
 
[0] See https://panopticlick.eff.org/ and
https://panopticlick.eff.org/browser-uniqueness.pdf
[1] https://www.torproject.org/
[2] https://www.torproject.org/projects/torbrowser.html.en and
https://www.torproject.org/torbutton/en/design/

-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
Received on Tuesday, 11 September 2012 21:38:04 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 11 September 2012 21:38:04 GMT