W3C home > Mailing lists > Public > public-privacy@w3.org > October to December 2015

Re: PING [call for consensus] - publish fingerprinting guidance as a Working Draft Interest Group Note

From: Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com>
Date: Tue, 20 Oct 2015 07:42:42 +0100
Message-ID: <CAC1M5qq6eGPr4B3PRNuAP_9tEfj2ZmFF9gr5U1b1Bd5QygDsig@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
Cc: Wendy Seltzer <wseltzer@w3.org>, Hannes Tschofenig <hannes.tschofenig@gmx.net>, Christine Runnegar <runnegar@isoc.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
2015-10-20 1:16 GMT+01:00 Nat Sakimura <sakimura@gmail.com>:

> Yeah, but link is another vague and overused word.
>
> IMHO, link is an extreme type of correlation that has close to 100%
> accuracy, but I am not sure if that is the perception that many people has.
> If we use the term like "link", we need to define it.
>

Once again, just a type of wording. I would just use "link" as it sounds
more simpler here and both do not differ that much.

"Link" in this  case is just simply a connection between those "multiple,
separate visits". It isn't speaking about accuracy.


>
> Re: fingerprinting v.s. identification/identifier
>
> I guess fingerprinting is a technique for identification. What's bad from
> the privacy point of view is that it is done without the knowledge of the
> principal, and that many of them tend to be global. It is just a technique,
> so if used correctly, it will help protect the subject's privacy as well.
>


Correct. Identification aside, fingerprinting is putting them in context -
creation, setting, reading.

I agree, fingerprinting bring problems because they are not transparent,
and are not easily detectable or managable using current browser privacy
user interfaces.

Lukasz

>
> Nat
>
> 2015-10-20 5:37 GMT+09:00 Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com>:
>
>> Hi
>>
>> 2015-10-19 15:35 GMT+01:00 Nat Sakimura <sakimura@gmail.com>:
>>
>>> I am fine with publishing it.
>>>
>>
>> If it allows further work, then this is a good idea.
>>
>>
>>>
>>> Re: first NOTE in the document, i.e., identification and correlation,
>>> generally speaking, I have an impression that identification is an
>>> inter-temporal correlation within a site, and "correlation" is the case
>>> where cross-site/domain correlation is possible in addition. At least,
>>> that's how I explain the pseudonymity and verinymity.
>>>
>>
>>
>> I think it's just a matter of wording. Actually it could be simplified by
>> replacing:
>> "an online party can correlate multiple visits"
>> with
>> "an online party can link separate visits".
>>
>> Makes the matter clearer in my opinion.
>>
>> Additionally,
>>
>> "Browser fingerprinting provides privacy concerns even" I would replace
>> "provides" with "brings" - again, just a matter of wording, although in the
>> previous case it makes it much more clearer IMO.
>>
>>
>> Additionally it might be extended a bit, for example why not including a
>> discussion of other sources of identifiers, that can possibly change with
>> time (even in short intervals).
>>
>> For some reason I also have an odd feeling sometimes "fingerprint(ing)"
>> could be replaced with identification/identifiers.
>>
>> For example: "cookie-like fingerprinting". When we speak about setting
>> and reading - is it still  fingerprinting? But if it is, then it is
>> definitely active (because: setting"), so why not in this case merge it
>> with 3.2.
>>
>> Please pardon me for my academic blurb ;)
>>
>> Best
>> Lukasz
>>
>>
>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
Received on Tuesday, 20 October 2015 06:43:13 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:49:31 UTC