Re: Privacy and fingerprintability

Thank you for raising this, Wendy.

This was one of the issues we discussed at our last call - how to usefully help other W3C WGs identify and address potential privacy concerns during the standards development process. As you point out, as early as possible is preferable. It certainly helps if PING members are already participating in the other WGs. 

I think there are many people in PING willing to help so it is more a question of how to constructively contribute that expertise.

Have you received any responses to your email? How is the Web Performance Group planning to address the issues you have raised?

Our next call is on 20 September 2012 at the usual time. Do you think it would be useful to invite the group to join our call to discuss these issues and possible solutions?

Christine


On Sep 11, 2012, at 11:54 PM, Wendy Seltzer wrote:

> On an earlier PING call [0], we discussed fingerprinting and linkability
> issues and the possibility of a uniform "anonymous-mode" profile.
> Seeing potential fingerprinting issues in the Navigation Timing draft
> [1], I sent a comment to the Web Performance group, below.
> 
> Is this the sort of review that PING might take up (preferably at an
> earlier stage of the process than this one, already at Proposed
> Recommendation)?
> 
> --Wendy
> 
> [0] http://www.w3.org/2012/06/14-privacy-minutes.html
> [1] http://www.w3.org/TR/navigation-timing/
> 
> -------- Original Message --------
> Subject: [NavigationTiming] Privacy and fingerprintability
> Date: Tue, 11 Sep 2012 17:38:01 -0400
> From: Wendy Seltzer <wseltzer@w3.org>
> Organization: W3C
> To: public-web-perf@w3.org
> 
> I know it's late in the process, but I wanted to add a privacy concern
> to the mix: Navigation timing can add to the fingerprintability of
> browsers.  Even limited to same-origin, that origin's profiling of
> browser latency could link multiple browsing sessions in unexpected
> ways, hindering users' ability to browse anonymously. [0] (This is of
> particular concern to the Tor Project [1], which aims to provide strong
> anonymity through the Tor Browser Bundle [2] -- a uniformly
> pre-configured browser and onion-routed anonymized network connections.)
> 
> Noting that several of the Web Performance specs have fingerprinting
> implications, I wonder whether the group might consider the linking
> attack, distinct from private information disclosure. For example, if
> someone doesn't want a website to be able to correlate comments with a
> login ID, he might log out, clear cookies, and write under a pseudonym,
> but still be identifiable based on his browser timing connecting his
> would-be-anonymous activity to previous sessions.
> 
> As a general response, then, should there be a way to disable response
> to timing information requests? More broadly, might we consider a
> standard profile for anonymous browsing (incognito mode, private
> browsing) that disables uniquely identifying features (despite the
> possible performance hit) to provide a larger anonymity set?
> 
> Thanks,
> --Wendy
> 
> [0] See https://panopticlick.eff.org/ and
> https://panopticlick.eff.org/browser-uniqueness.pdf
> [1] https://www.torproject.org/
> [2] https://www.torproject.org/projects/torbrowser.html.en and
> https://www.torproject.org/torbutton/en/design/
> 
> -- 
> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
> http://wendy.seltzer.org/        +1.617.863.0613 (mobile)
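As an added illustration of the linking concern in Wendy's message and of the two mitigations she raises (disabling responses to timing requests, or an anonymity profile that coarsens identifying features), the following JavaScript is not part of this thread, the Navigation Timing draft, or any browser's code. It assumes PerformanceTiming-style field names from the draft, a hypothetical policy switch (exposeTiming with 'full', 'coarse', 'off'), and constructed sample sessions; it runs under Node without a browser.

```javascript
// Added example for the PING thread; not code from the W3C, the Navigation
// Timing spec or any browser. Field names follow the PerformanceTiming
// interface in the draft; all sample values below are constructed.

// Build a PerformanceTiming-like record from millisecond offsets relative to
// navigationStart (helper is ours, not part of the API).
function makeTiming(navigationStart, o) {
  return {
    navigationStart,
    domainLookupStart: navigationStart + o.dnsStart,
    domainLookupEnd: navigationStart + o.dnsEnd,
    connectStart: navigationStart + o.dnsEnd,
    connectEnd: navigationStart + o.connEnd,
    requestStart: navigationStart + o.connEnd,
    responseStart: navigationStart + o.respStart,
    responseEnd: navigationStart + o.respEnd,
    domComplete: navigationStart + o.domComplete,
  };
}

// Constructed sessions: the first three stand in for repeat visits from one
// browser on one network, the last two for a different browser and network.
// They are invented for this example, not measurements.
const SAMPLE_SESSIONS = [
  makeTiming(1347400000000, { dnsStart: 3, dnsEnd: 17, connEnd: 52, respStart: 133, respEnd: 150, domComplete: 412 }),
  makeTiming(1347403600000, { dnsStart: 2, dnsEnd: 15, connEnd: 51, respStart: 130, respEnd: 148, domComplete: 409 }),
  makeTiming(1347407200000, { dnsStart: 4, dnsEnd: 18, connEnd: 55, respStart: 137, respEnd: 155, domComplete: 418 }),
  makeTiming(1347410800000, { dnsStart: 1, dnsEnd: 41, connEnd: 162, respStart: 345, respEnd: 370, domComplete: 1220 }),
  makeTiming(1347414400000, { dnsStart: 2, dnsEnd: 44, connEnd: 168, respStart: 351, respEnd: 377, domComplete: 1231 }),
];

// Phase durations a page could derive from the raw timestamps. They depend on
// the visitor's resolver, network path and machine, which is why they remain
// stable across sessions even after cookies are cleared.
function phaseDurations(t) {
  return {
    dns: t.domainLookupEnd - t.domainLookupStart,
    connect: t.connectEnd - t.connectStart,
    ttfb: t.responseStart - t.requestStart,
    dom: t.domComplete - t.responseEnd,
  };
}

// Mitigation sketch (policy names are assumed, not spec vocabulary):
//   'full'   - expose millisecond durations as-is
//   'coarse' - floor each duration onto a bucketMs grid so small, stable
//              differences between visitors collapse into shared values
//   'off'    - the "disable timing" option from the thread: expose nothing
function exposeTiming(t, policy, bucketMs = 100) {
  if (policy === 'off') return null;
  const d = phaseDurations(t);
  if (policy === 'full') return d;
  if (policy === 'coarse') {
    const out = {};
    for (const k of Object.keys(d)) out[k] = Math.floor(d[k] / bucketMs) * bucketMs;
    return out;
  }
  throw new Error(`unknown policy: ${policy}`);
}

// Count how many distinguishable timing profiles a site would observe under a
// policy. Fewer distinct profiles means each visitor hides in a larger set.
function distinctProfiles(sessions, policy, bucketMs = 100) {
  const keys = new Set();
  for (const t of sessions) {
    const d = exposeTiming(t, policy, bucketMs);
    keys.add(d === null ? 'none' : Object.values(d).join('|'));
  }
  return keys.size;
}

console.log('full:', distinctProfiles(SAMPLE_SESSIONS, 'full'));     // 5 (every visit unique)
console.log('coarse:', distinctProfiles(SAMPLE_SESSIONS, 'coarse')); // 2
console.log('off:', distinctProfiles(SAMPLE_SESSIONS, 'off'));       // 1
```

With full-resolution values every one of the five constructed visits is distinguishable; at a 100 ms grid the three visits from the first browser become identical to each other and, more importantly, to any other visitor whose phases fall in the same buckets, which is the larger anonymity set the message asks for. A fixed floor grid is only a sketch: a visitor whose durations sit near a bucket boundary can still flip between two values from visit to visit, so a deployed profile would pair coarsening with randomisation or simply take the 'off' path.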

Received on Wednesday, 12 September 2012 07:20:21 UTC