Re: Fingerprinting guidance update: reframe as best practices

Hey Nick and PING,

We reviewed this today and it's very good. We especially like all the
work you've done to make it potentially more usable by spec authors.
Bravo!

We'd be happy to take a shot at the TODOs you have left in the doc.

best, Joe


On Tue, Feb 24, 2015 at 2:39 AM, Nick Doty <npdoty@w3.org> wrote:
> Based on some of our discussions at TPAC, during recent calls and in using
> the fingerprinting doc as a guide for a review for HTML/a11y, I've made a
> series of updates to the Fingerprinting Guidance doc:
>
> * switch to best practices rather than should/must requirements
> * update references to highlight browser pages, especially Chromium
> document, and testing sites
> * anticipate behavior when functionality is disabled
> * describe cross-origin property of fingerprinting
> * add more TODOs
>
> As noted, there are still things to be written and revised, but I'm hopeful
> we're coming to the point where this can be practical advice for spec
> authors. Your feedback would be welcome and illustrative examples would be
> particularly useful. Also, we now have a short list of those practices. Do
> the following sound about right to you all?
>
> • Avoid any increase to the surface for passive fingerprinting.
> • Prefer functionally-comparable designs that don’t increase the surface for
> active fingerprinting.
> • Mark features that contribute to fingerprintability.
> • Specify orderings and non-functional differences.
> • Design APIs to access only the entropy necessary.
> • Anticipate disabled functionality for the fingerprinting-conscious.
> • Avoid new cookie-like local state mechanisms.
> • Highlight any local state mechanisms to enable simultaneous clearing.
>
> Full document available online here:
> http://w3c.github.io/fingerprinting-guidance/
>
> As discussed on the teleconference last month, there could be some things
> here that could be usefully merged with the privacy considerations document
> or with the checklist of security/privacy questions from Mike West. I should
> emphasize that I'm not wedded to any particular content or format.
>
> Cheers,
> Nick



-- 
Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

Received on Wednesday, 4 March 2015 23:00:18 UTC