W3C home > Mailing lists > Public > public-privacy@w3.org > October to December 2014

Re: does accessKeyLabel expose user data?

From: Joseph Lorenzo Hall <joe@cdt.org>
Date: Wed, 10 Dec 2014 10:06:29 -0500
Message-ID: <54886175.60508@cdt.org>
To: chaals@yandex-team.ru, W3C Privacy IG <public-privacy@w3.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


On 12/9/14, 9:45 PM, chaals@yandex-team.ru wrote:
> The concern is that this enables fingerprinting, or determining something about what systems (especially extensions and assistive technology) the user has installed, which in turn exposes personal information about the user.
> 
> Is this a real problem we should consider?

Sounds like how a browser will make this decision is a UA-land issue,
yes? (i.e., unspecified by whatever part of the HTML spec that
establishes accesskey)

It does seem like it would allow a site to potentially gain more
information about the user and their computing environment than
available through other sources already. The most narrow case seems to
be on platforms like Mac OS or Linux that allow the user to configure
somewhat arbitrary keyboard shortcuts (if you know a certain user or
group of users reserve a specific keyboard shortcut, you can segment
(divide into buckets) those users by suggesting that shortcut in
accesskey and then reading the DOM to see if the browser chose a
different one.)

I'm wondering if there isn't a solution like an origin-specific "allow
access to information about the keyboard and keyboard shortcuts" that
the spec could recommend browser vendors implement here to mitigate this
increased fingerprinting risk. HTML WG's scope may preclude making
statements like that, I suspect.

best, Joe

- -- 
Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Darwin)

iQIcBAEBCAAGBQJUiGF1AAoJEF+GaYdAqahxJucP/ieJjGb043qDF42xUHJnpwtQ
17zDSak6EQvFYLTYfp5c+mVPgh4aSmoDhc+m2r9leajxCsk/kzJsBheHKotgD2Fw
xF4baq5jDyrRp8qsJn9MH9O4GTdUo0suXSyJfFW1p6qqbHnE7MNFHUqDURg9jj8e
s91kIDqN06pqBupW2xZZteNwD4VmRaMkCMe+KuK8G3CWa3NA2ZefEA5Rfl53d1ND
RIbGJI2GG38a4d2dA+nrPVpQe+jqqA1PLhwQJbgI/l1eTxIMOtK/nXhA9VZTu+il
usNkXi0xDl9zxaeIc6KtOFPQEN01hLHNoq7SIdKN1o0KuW5yLYtY9vgo4NAelhgg
CeUXLRitf3sT8tnaDAHuSaNAAfXTYP9oYy6EXTffKNE/vKXOatYLeP+75puBwjN6
0N1p4eFROEjtk1/plaDgoXS+2CFrLQHiYzt25PO9B4QdPP2t/gAoHzkY8/Uy9xrw
ClidN9yJ6nbl4O+/0sFVY6oY8qFmoU/Pu0QsuPbgFQpj+U1sVOGo6VxBV9VDPv7g
3/3MTa/u/3L2i7ZPgTN1TlZZx7rhUKp6I3MbHaC570apyPYmF66RmGzvTE4ewRyq
i7q/CTS0w1H860kggLv2wpsDiguDYieKyg/zlnwKxHK2CYYxt7ZNvi7/cXFCvqaZ
UqXid2aCW6p5+rb2hOwX
=PAdc
-----END PGP SIGNATURE-----
Received on Wednesday, 10 December 2014 15:07:05 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:49:28 UTC