- From: Koen Holtman <koen@win.tue.nl>
- Date: Sat, 13 Apr 1996 22:43:16 +0200 (MET DST)
- To: http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com
- Cc: Koen Holtman <koen@win.tue.nl>
The following issue, owned by Brian Behlendorf, is on the HTTP/1.1 issues list: * BB USERTRACKING Privacy from user tracking based on accept ([holtman 6.2, 6.3]) I mailed Brian for status about this on April 7, but he has not responded so far. I'll take over the issue until I hear from Brian. Below is proposed text for the 1.1 draft, adapted from [holtman 6.2, 6.3]. I'd like to close this issue in a few days: I do not think it is very controversial. If you have any comments on, or improvements for, the text below, please send them in private e-mail. I'll summarize on the list. Koen. ----snip---- [## Note: the text below could be in a separate section, but could also be added to the existing section 14.7 on `Privacy issues connected to Accept headers'.##] 14. Security Considerations 14.x User tracking based on accept headers Elaborate user-customized accept header fields sent in every request, in particular if these include quality values, can be used by servers as relatively reliable and long-lived user identifiers. Such user identifiers would allow content providers to do click-trail tracking, and would allow collaborating content providers to match cross-server click-trails or form submissions of individual users. Note that for many users not behind a proxy, the network address of the host running the user agent will also serve as a long-lived user identifier. In environments where proxies are used to enhance privacy, user agents should be conservative in offering accept header configuration options to end users. As an extreme privacy measure, proxies could filter the accept headers in relayed requests. General purpose user agents which provide a high degree of header configurability should warn users about the loss of privacy which can be involved. [End of text]
Received on Saturday, 13 April 1996 13:48:02 UTC