Re: Fingerprinting guidance update; responding to feedback, Note publication? from David Singer on 2015-08-28 (public-privacy@w3.org from July to September 2015)

From: David Singer <singer@apple.com>
Date: Fri, 28 Aug 2015 12:24:15 +0900
To: Joseph Lorenzo Hall <joe@cdt.org>
Cc: Nicholas Doty <npdoty@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-id: <C7D98D16-A310-4CE6-9422-BD7FD8CC05D4@apple.com>

Does this draft need to mention avoidance of enabling fingerprinting by excessive precision of an otherwise ‘innocuous’ API?  (E.g. I can differentiate batteries, and hence distinct visitors, by looking at precise measurements of batteries).


> On Aug 27, 2015, at 22:54 , Joseph Lorenzo Hall <joe@cdt.org> wrote:
> 
> It would be great to start the process to publish this as a draft PING note! The new changes look awesome, Nick.
> 
> There are still some outstanding things in the document; those are ok for a draft note or do we need to try to close them out before we publish?
> 
> The note in 1.2.1 seems to be dealt with by adding a blurb about how this is not distinct from unexpected correlation (although why 1.2.2 is not enough, I don't know) and clarifying that this practice can result in collapsing pseudonymous identities into linked personas or something like that.
> 
> We should definitely reach out to the HTML WG to ask if the fingerprint warning indicia has been useful or helpful.
> 
> I don't think I understand ISSUE 1... can we say anything about best practices across UA implementations that might require cooperation outside of the spec?
> 
> 
> 
> On Sun, Aug 23, 2015 at 9:58 PM, Nick Doty <npdoty@w3.org> wrote:
> I've revised the Fingerprinting Guidance for Web Specification Authors text, responding as best I can to comments from the TAG, the Tor Browser folks and other comments via mailing list.
> 
> http://w3c.github.io/fingerprinting-guidance/
> 
> Changes in particular include:
> * moving feasibility question up earlier, emphasizing realism/pessimism
> * clarifying some of the best practices, regarding unnecessary additions to fingerprinting surface
> * additional examples and references (in particular, to the TAG finding on unsanctioned tracking)
> * filling in to-do sections (and marking remaining ones with issue boxes)
> 
> To clarify the status of this document and to gather wider review, I think it would be useful to publish this as a draft Interest Group Note. As a Process matter, that would consist of: the Interest Group deciding we want to publish it as an Interest Group Note; getting confirmation from the domain lead that we can use this name/shortname; publishing a snapshot on w3.org indicating its status as a draft Note; asking chairs and other groups for feedback.
> 
> And in any case, I'd welcome further feedback, additions, subtractions and the like. I get the impression that specific examples from different specs/Working Groups would be the most welcome addition.
> 
> Thanks,
> Nick
> 
> 
> 
> -- 
> Joseph Lorenzo Hall
> Chief Technologist
> Center for Democracy & Technology
> 1634 I ST NW STE 1100
> Washington DC 20006-4011 
> (p) 202-407-8825
> (f) 202-637-0968
> joe@cdt.org
> PGP: https://josephhall.org/gpg-key
> fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
> 
> 

David Singer
Manager, Software Standards, Apple Inc.

Received on Friday, 28 August 2015 03:24:49 UTC