Re: draft regarding fingerprinting guidance from Nicholas Doty on 2013-08-19 (public-privacy@w3.org from July to September 2013)

From: Nicholas Doty <npdoty@w3.org>
Date: Sun, 18 Aug 2013 22:32:02 -0700
To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Cc: Christine Runnegar <runnegar@isoc.org>
Message-Id: <68A28ADB-AB0B-4994-BC66-53F5348E9F90@w3.org>

Hi all,

I've made some updates to the Fingerprinting Guidance draft, including new sections suggesting requirements for specification authors. Your review would be most welcome.

http://w3c.github.io/fingerprinting-guidance/

In particular, I've: proposed normative requirements regarding passive vs. active fingerprinting surface when writing new specs; added a definition of cookie-like fingerprinting and mitigations (citing Web Storage); incorporated some writing suggestions from Christine; fixed bugs and included more references.

Some comments inline below in response to individual feedback on this thread.
Thanks,
Nick

On Apr 25, 2013, at 1:30 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:

> Here is the description we have added to 
> http://tools.ietf.org/html/draft-iab-privacy-considerations-08
> in response to the feedback from EFF at the Internet Privacy workshop: 
> 
>    $ Fingerprint:   A set of information elements that identifies a
>       device or application instance.
> 
>    $ Fingerprinting:   The process of an observer or attacker uniquely
>       identifying (with a sufficiently high probability) a device or
>       application instance based on multiple information elements
>       communicated to the observer or attacker.  See [EFF].
>  
> I wonder whether you find these definitions useful. 

Thanks, Hannes. I think the definition I came up with here for browser fingerprinting is very similar to your fingerprinting definition except more specific to the Web layer. It may be that we can harmonize them even further though.

> Also, I am curious whether it makes sense to have a separate document purely on fingerprinting rather than incorporating the terms and potential recommendations in the privacy guidelines document. 

I think this is a good and open question. I'm suggesting continuing to write in this separate document while it seems useful, but we may indeed want a single (longer) substantive privacy guidance document by the end.

Regarding points from Georg and Fred:

On Dec 9, 2012, at 11:45 AM, Georg Koppen <g.koppen@jondos.de> wrote:
>> What is the purpose of including a few unqualified stories about personal safety?
> 
> Well, actually, I don't see any (unqualified) stories at all in the
> particular section you are probably alluding to. Rather, it is a quite
> abstract outline of a particular threat of a particular user group.
> But "## Privacy threat models" (note the plural) indicates that this is
> exactly the reason why this threat is mentioned there, not looking at
> the amount of people who are concerned about it.

I think Georg described my thinking fairly well in this thread, but I've tried to rework that section anyway to refer to different privacy impacts and different privacy threat models and thus the government observer / physical safety case is just an example of one threat model. Let me know if this is an improvement in this respect.

I've also added a couple references to recent fingerprinting work suggested by Fred and also Joe Hall. Thanks for the tips!

—Nick

Received on Monday, 19 August 2013 05:32:12 UTC