W3C home > Mailing lists > Public > public-privacy@w3.org > October to December 2015

Re: PING [call for consensus] - publish fingerprinting guidance as a Working Draft Interest Group Note

From: Nat Sakimura <sakimura@gmail.com>
Date: Tue, 20 Oct 2015 09:16:40 +0900
Message-ID: <CABzCy2Bz9nRZVsGLDND-FKJdAQE7+FXLjq+WmQRLzvLzF3vZAw@mail.gmail.com>
To: "Lukasz Olejnik (W3C)" <lukasz.w3c@gmail.com>
Cc: Wendy Seltzer <wseltzer@w3.org>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, Christine Runnegar <runnegar@isoc.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Yeah, but link is another vague and overused word.

IMHO, link is an extreme type of correlation that has close to 100%
accuracy, but I am not sure if that is the perception that many people has.
If we use the term like "link", we need to define it.

Re: fingerprinting v.s. identification/identifier

I guess fingerprinting is a technique for identification. What's bad from
the privacy point of view is that it is done without the knowledge of the
principal, and that many of them tend to be global. It is just a technique,
so if used correctly, it will help protect the subject's privacy as well.


2015-10-20 5:37 GMT+09:00 Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com>:

> Hi
> 2015-10-19 15:35 GMT+01:00 Nat Sakimura <sakimura@gmail.com>:
>> I am fine with publishing it.
> If it allows further work, then this is a good idea.
>> Re: first NOTE in the document, i.e., identification and correlation,
>> generally speaking, I have an impression that identification is an
>> inter-temporal correlation within a site, and "correlation" is the case
>> where cross-site/domain correlation is possible in addition. At least,
>> that's how I explain the pseudonymity and verinymity.
> I think it's just a matter of wording. Actually it could be simplified by
> replacing:
> "an online party can correlate multiple visits"
> with
> "an online party can link separate visits".
> Makes the matter clearer in my opinion.
> Additionally,
> "Browser fingerprinting provides privacy concerns even" I would replace
> "provides" with "brings" - again, just a matter of wording, although in the
> previous case it makes it much more clearer IMO.
> Additionally it might be extended a bit, for example why not including a
> discussion of other sources of identifiers, that can possibly change with
> time (even in short intervals).
> For some reason I also have an odd feeling sometimes "fingerprint(ing)"
> could be replaced with identification/identifiers.
> For example: "cookie-like fingerprinting". When we speak about setting and
> reading - is it still  fingerprinting? But if it is, then it is definitely
> active (because: setting"), so why not in this case merge it with 3.2.
> Please pardon me for my academic blurb ;)
> Best
> Lukasz

Nat Sakimura (=nat)
Chairman, OpenID Foundation
Received on Tuesday, 20 October 2015 00:17:10 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:49:31 UTC