Re: [csswg-drafts] [css-fonts] incorporate mitigations for font based fingerprinting (#4055)

I have been carefully re-reading the [INRIA paper](https://hal.inria.fr/hal-01718234v2/document). 

It is notable that the study is restricted to 15 French websites (one weather page and one news page on each) so the comments by @hsivonen about European usage apply. In a French context, most users would be from France, Belgium, and then places with large francophone populations such as Morocco, Algeria, etc. So I would expect some font variability based on some users having more Arabic fonts for example. The cultural and geographic homogeneity is confirmed in the paper: "97.7% of fingerprints present French as their first language" and "98% of users present the same value for timezone, which corresponds to Central European Time Zone UTC+01:0". On the plus side, the test subjects were normal web users not, for example, subject specialists such as privacy or internationalization researchers.

In the study, font fingerprinting is the _third-largest_ source of entropy on desktop/laptop machines, but the _eighth-largest_ on mobile (phones, tablets, pads).

I note that they only probed for 66 fonts (each in serif, sans-serif and monospace, which seems odd), because (unlike the Flash situation which instantly returns a complete font list) each font has to be probed for one by one, rendering a text string and measuring metrics. I would assume then that a site which tested many thousands of fonts would be awfully slow? Unless it was very interesting, and the content above the fold displayed quickly, allowing the tracking script to run while the user actually reads the content.

The set of fonts probed for (to their credit, they give the complete list) seems drawn from Windows for the most part, with some from MacOS, without specific probings for Android or iOS. The fonts are primarily Latin fonts; no specifically Arabic, Chinese, or Japanese fonts were probed for example.

> Andale Mono, AppleGothic, Arial, Arial Black, Arial Hebrew, Arial MT, Arial Narrow, Arial Rounded MT Bold, Arial Unicode MS, Bitstream Vera Sans Mono, Book Antiqua, Bookman Old Style, Calibri, Cambria, Cambria Math, Century, Century Gothic, Century Schoolbook, Comic Sans, Comic Sans MS, Consolas, Courier, Courier New, Garamond, Geneva, Georgia, Helvetica, HelveticaNeue, Impact, Lucida Bright, Lucida Calligraphy, Lucida Console, Lucida Fax, LUCIDA GRANDE, Lucida Handwriting, Lucida Sans, Lucida Sans Typewriter, Lucida Sans Unicode, Microsoft Sans Serif, Monaco, Monotype Corsiva, MS Gothic, MS Outlook, MS PGothic, MS Reference Sans Serif, MS Sans Serif, MS Serif, MYRIAD, MYRIAD PRO, Palatino, Palatino Linotype, Segoe Print, Segoe Script, Segoe UI, Segoe UI Light, Segoe UI Semibold, Segoe UI Symbol, Tahoma, Times, Times New Roman, Times New Roman PS, Trebuchet MS, Verdana, Wingdings, Wingdings 2, Wingdings 3

-- 
GitHub Notification of comment by svgeesus
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/4055#issuecomment-551196974 using your GitHub account

Received on Thursday, 7 November 2019 18:07:39 UTC