- From: Andrew Mulholland <andrew@bash.sh>
- Date: Wed, 4 Mar 2015 14:43:37 -0500
- To: Sanel Mesinovic <sanel.mesinovic@ymc.ch>
- Cc: ietf-http-wg@w3.org
- Message-ID: <CA+JaFPjMqcvR=G=bQwjkUO71YguH2KRC7HDacQL0u=darmBqcQ@mail.gmail.com>
On 20 February 2015 at 10:36, Sanel Mesinovic <sanel.mesinovic@ymc.ch> wrote:

> Hello,
>
> I found your email address here <https://httpwg.github.io/about/policies/>.
> Have one small contribution / request to make to the new HTTP 2 protocol.
> Already wrote an email long time ago to Tim Berners Lee however no reply.
> Maybe someone already during this time already raised the issue.
>
> In my opinion the new protocol should introduce a better way to uniquely
> identify the client. Currently it is not possible to uniquely identify a
> user. IP identification is not reliable. There can be two or more users
> behind the same IP. Session identification is even worse.
>
> There are many advantages of using better identification:
>
> a.) web analytics could track unique visitors per time period much more
> accurately
> b.) tracking user activity in apps e.g. not allowing the same user to like
> the page if he has already clicked the Like / Vote button
> c.) law enforcement could much easier prove who was the culprit behind the
> criminal activity
> d.) other reasons
>

Whether or not these are advantages depends on your perspective. I'm not convinced that these are sufficiently good enough reasons to expose more data about an individual.

> In my vision the protocol should allow the server side to ask or the
> client side to send the system data to the server. There could be two
> scenarios:
>
> 1.) The server could specify that the browser must provide the UNIQUE DATA
> 2.) The client could send the UNIQUE DATA by using javascript.
>

Herein lies the flaw with such a setup. If you are trusting a remote system for which you have no control over to provide data that you use to define a trust relationship, or for identification purposes, then essentially you have no control over the data at all.

Of course perhaps people with nothing to hide are exposing more than before, so it's not great for them from a privacy perspective. Perhaps I've something to hide, so through the use of a browser plugin, I ensure my browser returns random data for these, or perhaps spoofs the identity of another...

Similarly perhaps I/you accidentally were to browse to a server hosted by an untrustworthy entity, who then sells lists of "unique data" which could be used by others to spoof identity.

The existing ways are for sure not perfect, but they do not rely solely on user provided information to establish identity, and I fail to see how this 'Unique Data' can be any more accurate than a randomly generated UUID stored in a session cookie.

best wishes

Andrew

Received on Wednesday, 4 March 2015 19:44:11 UTC