Fingerprinting guidance update: reframe as best practices

Based on some of our discussions at TPAC, during recent calls and in using the fingerprinting doc as a guide for a review for HTML/a11y, I've made a series of updates to the Fingerprinting Guidance doc:

* switch to best practices rather than should/must requirements
* update references to highlight browser pages, especially Chromium document, and testing sites
* anticipate behavior when functionality is disabled
* describe cross-origin property of fingerprinting
* add more TODOs

As noted, there are still things to be written and revised, but I hope we're coming to the point where this can be practical advice for spec authors. Your feedback would be welcome and illustrative examples would be particularly useful. Also, we now have a short list of those practices. Do the following sound about right to you all?

• Avoid any increase to the surface for passive fingerprinting.
• Prefer functionally-comparable designs that don’t increase the surface for active fingerprinting.
• Mark features that contribute to fingerprintability.
• Specify orderings and non-functional differences.
• Design APIs to access only the entropy necessary.
• Anticipate disabled functionality for the fingerprinting-conscious.
• Avoid new cookie-like local state mechanisms.
• Highlight any local state mechanisms to enable simultaneous clearing.

Full document available online here:
http://w3c.github.io/fingerprinting-guidance/

As discussed on the teleconference last month, there could be some things here that could be usefully merged with the privacy considerations document or with the checklist of security/privacy questions from Mike West. I should emphasize that I'm not wedded to any particular content or format.

Cheers,
Nick

Received on Tuesday, 24 February 2015 07:39:46 UTC