Re: deviceId and fingerprinting (or user tracking)

On 09/25/2014 06:21 PM, Shijun Sun wrote:
> Folks,
>
> I expect there is a consensus already in the WG on the topic.  I'd like to get some help to understand the mitigation mainly from the UA implementation perspective.
>
> The deviceId is currently defined as an identifier which must be *persistent* between application sessions.  So a website can get the same deviceIds when a user visits the website using the same system, calling gUM() or not.  Should we expect the deviceIds for any specific website be (largely) consistent across all systems?  Otherwise, in the worst case when the Id is unique to each system, the website can potentially track the user.

Can you clarify what you mean by "system" in this case? Web pages of the 
same origin?
If they have the same origin, they should see the same deviceId; if they 
have different origins, they should see different deviceIds.

Spec text:

"Devices have an identifier which /must/ be unique to the application 
(un-guessable by another application) and persistent between application 
sessions (e.g., the identifier for a given source device/application 
must stay the same, but not be guessable by another application)."

Yes, a web site that can already track the user using cookies can 
already track the user, so there is no additional attack that we need to 
defend against by changing deviceId.

Yes, "re-randomize deviceId when cookies are cleared" was agreed to, and 
needs to be added to the spec. It's already implemented in Chrome, I 
believe.

Note to editors: The term "application" needs to be defined in the 
document, with the explanation that all pages of an application have the 
same origin.


>
> Appreciate any comment!
>
> Best, Shijun
>

Received on Friday, 26 September 2014 08:26:05 UTC
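
The properties discussed in this message (same deviceId for pages of one origin, different deviceIds across origins, re-randomization when cookies are cleared) can be sketched as follows. This is an added example, not part of the original message, the spec, or any browser's source; `UserAgentProfile`, `deviceIdFor`, `clearSiteData` and the HMAC-SHA-256 construction with a per-origin salt are assumptions chosen for illustration.

```javascript
// Added illustration, not browser source code. All class and method names are
// hypothetical; HMAC-SHA-256 over a per-origin salt is an assumed construction.
const { createHmac, randomBytes } = require("node:crypto");

class UserAgentProfile {
  constructor() {
    this.salts = new Map(); // origin -> secret salt, stored alongside cookies
  }

  // Lazily create the secret salt for an origin; it is never exposed to pages.
  saltFor(origin) {
    if (!this.salts.has(origin)) this.salts.set(origin, randomBytes(32));
    return this.salts.get(origin);
  }

  // deviceId shown to a page. Every page of one origin gets the same value;
  // another origin cannot guess it without that origin's salt.
  deviceIdFor(pageUrl, hardwareId) {
    const origin = new URL(pageUrl).origin;
    return createHmac("sha256", this.saltFor(origin))
      .update(hardwareId)
      .digest("hex");
  }

  // Clearing cookies for a site discards its salt, so the deviceIds that
  // origin sees afterwards are re-randomized.
  clearSiteData(pageUrl) {
    this.salts.delete(new URL(pageUrl).origin);
  }
}

function demo() {
  const profile = new UserAgentProfile();
  const cam = "camera-0-constructed"; // constructed local device identifier
  const a1 = profile.deviceIdFor("https://a.example/call", cam);
  const a2 = profile.deviceIdFor("https://a.example/settings?x=1", cam);
  const b1 = profile.deviceIdFor("https://b.example/", cam);
  profile.clearSiteData("https://a.example/");
  const a3 = profile.deviceIdFor("https://a.example/call", cam);
  return {
    sameWithinOrigin: a1 === a2,
    differsAcrossOrigins: a1 !== b1,
    rerandomizedAfterClear: a1 !== a3,
  };
}

console.log(demo());
```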