
Re: Improved Client Identification

From: Andrew Mulholland <andrew@bash.sh>
Date: Wed, 4 Mar 2015 14:43:37 -0500
Message-ID: <CA+JaFPjMqcvR=G=bQwjkUO71YguH2KRC7HDacQL0u=darmBqcQ@mail.gmail.com>
To: Sanel Mesinovic <sanel.mesinovic@ymc.ch>
Cc: ietf-http-wg@w3.org

On 20 February 2015 at 10:36, Sanel Mesinovic <sanel.mesinovic@ymc.ch> wrote:

> Hello,
>
> I found your email address here <https://httpwg.github.io/about/policies/>.
> I have one small contribution / request to make to the new HTTP 2 protocol.
> I already wrote an email a long time ago to Tim Berners Lee, however no reply.
> Maybe someone has already raised the issue during this time.
>
> In my opinion the new protocol should introduce a better way to uniquely
> identify the client. Currently it is not possible to uniquely identify a
> user. IP identification is not reliable. There can be two or more users
> behind the same IP. Session identification is even worse.
>
> There are many advantages of using better identification:
>
> a.) web analytics could track unique visitors per time period much more
> accurately
> b.) tracking user activity in apps e.g. not allowing the same user to like
> the page if he has already clicked the Like / Vote button
> c.) law enforcement could much more easily prove who was the culprit behind the
> criminal activity
> d.) other reasons
>
>
Whether or not these are advantages depends on your perspective.
I'm not convinced that these are sufficiently good enough reasons to expose
more data about an individual.


> In my vision the protocol should allow the server side to ask or the
> client side to send the system data to the server. There could be two
> scenarios:
>
> 1.) The server could specify that the browser must provide the UNIQUE DATA
> 2.) The client could send the UNIQUE DATA by using javascript.
>

Herein lies the flaw with such a setup.
If you are trusting a remote system over which you have no control to
provide data that you use to define a trust relationship, or for
identification purposes, then essentially you have no control over the data
at all.

Of course perhaps people with nothing to hide are exposing more than
before, so it's not great for them from a privacy perspective.

Perhaps I've something to hide, so through the use of a browser plugin, I
ensure my browser returns random data for these, or perhaps spoofs the
identity of another...

Similarly perhaps I/you accidentally were to browse to a server hosted by
an untrustworthy entity, who then sells lists of "unique data" which could
be used by others to spoof identity.

The existing ways are for sure not perfect, but they do not rely solely on
user provided information to establish identity, and I fail to see how this
'Unique Data' can be any more accurate than a randomly generated UUID
stored in a session cookie.


best wishes


Andrew
Received on Wednesday, 4 March 2015 19:44:11 UTC
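
The contrast drawn in the reply above, as an added example that is not part of the original message: a vote check keyed on client-reported "unique data" next to one keyed on a random UUID the server issued itself. The HMAC tag on the cookie, the function names and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import uuid

# Assumption: a secret known only to the server, used to authenticate cookies.
SERVER_KEY = secrets.token_bytes(32)

# Scheme A: the server believes whatever "unique data" the client reports.
seen_client_reported = set()

def vote_trusting_client(unique_data: str) -> bool:
    """Accept one vote per client-reported value; the value is never verified."""
    if unique_data in seen_client_reported:
        return False
    seen_client_reported.add(unique_data)
    return True

# Scheme B: the server mints a random UUID and keeps it in a session cookie.
seen_server_issued = set()

def _tag(sid: str) -> bytes:
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest().encode()

def issue_cookie() -> str:
    """Return '<uuid>.<hmac>' so the server can recognise values it issued."""
    sid = str(uuid.uuid4())
    return f"{sid}.{_tag(sid).decode()}"

def verify_cookie(cookie: str):
    """Return the session id if the tag matches, otherwise None."""
    sid, _, tag = cookie.partition(".")
    ok = hmac.compare_digest(tag.encode(), _tag(sid))  # constant-time compare
    return sid if ok else None

def vote_with_cookie(cookie: str) -> bool:
    """Accept one vote per server-issued id; reject values the server did not mint."""
    sid = verify_cookie(cookie)
    if sid is None or sid in seen_server_issued:
        return False
    seen_server_issued.add(sid)
    return True
```

Neither scheme identifies a person: a client that discards its cookie is simply issued a new one. The difference is that the server-issued value is one the server chose and can verify, rather than a claim it has to take on trust.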
