Re: Data motivating CH? (From PING)

Hey Pete,

On Wed, Feb 13, 2019 at 12:22 AM Pete Snyder <psnyder@brave.com> wrote:

> Hi All,
>
> I’m Pete Snyder from PING.  PING is interested in what data has been
> gathered / exists to motivate moving fingerprintable values into
> passively collectable, log-able headers.


I'm sorry, but I have to reject your claims regarding "passively
collectable" as well as "log-able".
More details on why can be found in my reply to the issue you opened
<https://github.com/httpwg/http-extensions/issues/767#issuecomment-463154773>.



> Given that the spec increases the risk of privacy-loss


Again, I have to reject that claim.


> (there is a subsection of the spec for this purpose)


All specifications nowadays have to include a "Security and Privacy
considerations" section. Are you implying that including such a
considerations section somehow proves that a proposal is less secure or
introduces privacy leaks?


> , we're interested in what data exists to show that this risk would be
> counterbalanced by benefit to:
>
> 1. A significant portion of web users,
> 2. On a significant portion of web sites
>
> Does any such data exist? Any relevant information would be extremely
> useful as we continue considering the proposal.
>

Data specific to the real-world performance benefits of improved content
negotiation that CH provides can be found here
<https://cloudinary.com/blog/client_hints_and_responsive_images_what_changed_in_chrome_67>.
I believe we're still lacking data on the privacy benefits of using the CH
infrastructure to reduce passive fingerprinting, as this proposal is still
at an early phase.



>
> Best,
> Pete Snyder
>

Received on Wednesday, 13 February 2019 14:42:15 UTC