RE: TPAC breakout session - Is user agent Fingerprinting a lost cause?

Hi JC,

Fingerprinting is, just like most cookies, subject to article 5.3 of the 
e-privacy directive. A privacy risk that I see increasing as a 
consequence of DNT and EU cookie consent is that companies are most 
likely pushing towards a bypass of DNT, i.e. gaining out-of-band 
(server-based) consent and storing that user choice in databases. 
Fingerprinting can be used in that use case to identify a user and 
subsequently find out, by querying the consent database, whether a user 
has given consent.

Rob

JC Cannon wrote on 2012-10-24 17:29:
> I feel this is a great topic to discuss in light of the DNT and EU
> cookie consent work happening. Both will limit the ability to use
> cookies to re-identify a returning user/computer to a website. If
> cookies are not viable it may push websites to use fingerprinting. I'm
> hoping this discussion will provide ideas for two big problems:
>
> 1. How to minimize the ability for browsers to be fingerprinted.
> 2. Providing a privacy-friendly way for users to build a relationship
> with trusted websites.
>
> JC
>
> -----Original Message-----
>
>> From: Christine Runnegar [mailto:runnegar@isoc.org]
>> Sent: Sunday, October 21, 2012 7:09 AM
>> To: public-privacy@w3.org mailing list)
>> Cc: Hill, Brad
>> Subject: TPAC breakout session - Is user agent Fingerprinting a lost 
>> cause?
>>
>> As mentioned on our call on 18 October 2012, Brad Hill has kindly 
>> proposed a session entitled "Is user agent Fingerprinting a lost 
>> cause?".
>>
>> The session description from the TPAC wiki is set out below.
>>
>> 
>> http://www.w3.org/wiki/TPAC2012/SessionIdeas#Is_user_agent_Fingerprinting_a_lost_cause.3F
>>
>> ------
>>
>> As more features and functionality are added to the Web browser, the 
>> more risks we create in terms of privacy and security. As user agent 
>> complexity increases, and as they expose more "native" variation in 
>> the underlying platform, so does their ability to be uniquely 
>> identified (and users tracked) through capability analysis.
>>
>> The EFF's Panopticlick project already tracks ~60 bits of 
>> identifying information available in the typical user agent and 
>> certainly a more determined effort could find more, in addition to 
>> information available through lower-layer technologies like TCP or 
>> side-channels like JavaScript performance profiling.
>>
>> What responsibility do W3C WGs have to make their technologies 
>> passive-privacy friendly, and how is that to be balanced with 
>> discoverability and usability?
>>
>> Topics:
>>
>> - Is preventing fingerprinting a lost cause in the general purpose 
>> web user agent?
>> - Where is the bar on trackability? Life-critical anonymity for 
>> political dissidents is different in what we can and must promise vs. 
>> "casual" anonymity for e.g. advertising
>> - Lessons from Do Not Track on technical vs. policy-driven 
>> approaches
>> - Lessons from anonymous / incognito browser modes
>> - Should specs provide standard defaults for anonymous / incognito / 
>> Tor browser modes?

Received on Wednesday, 24 October 2012 17:04:34 UTC