- From: Olli Pettay <Olli.Pettay@helsinki.fi>
- Date: Wed, 15 Jun 2011 00:06:42 +0300
- To: Robin Berjon <robin@berjon.com>
- CC: Dominique Hazael-Massieux <dom@w3.org>, Harald Alvestrand <harald@alvestrand.no>, public-device-apis@w3.org
On 06/14/2011 05:41 PM, Robin Berjon wrote: > On Jun 14, 2011, at 15:59 , Olli Pettay wrote: >> Even the current API allows a bit too much fingerprinting, I >> think. The fact that web app can know that user is using 2G >> connection is a quite strong hint (at least in some countries) that >> user is somewhere in the countryside. (There are perhaps already >> other ways to detect that, but this is a new way) The connection >> type is yet more information about user and his devices the web >> apps can get, and so it perhaps should be accessible only if user >> gives the permission. > > Far from me to suggest that fingerprinting is not an important > consideration — it most certainly is — but we can't just start using > it systematically as DAP's Ockham's razor lest we do nothing at all! Yeah, I realize this is a problem. But we also can't just give up with privacy because no one has figured out a good way to inform or ask permission (in a scalable way) from user. > I think that we have to accept that there will be new information > that can help fingerprint browsers (frankly, given the precision of > current fingerprinting it's unclear how much any addition does indeed > hurt — http://panopticlick.eff.org/ is a good demo). Putting > everything behind a security prompt is not a good solution, it > actually makes users care less about privacy. So while we should be > very careful when we decide to expose information unprotected, I > think we should be equally careful in not going too far in the other > direction. > > It could be quite interesting if someone were to scare up a set of > criteria for when something allows for too much fingerprinting and > when it seems okay. Indeed >
Received on Tuesday, 14 June 2011 21:07:09 UTC