Fwd: Fingerprinting Guidance Spec

With Steve's permission, sharing these comments/suggestions for the Fingerprinting Guidance document. I believe this academic work supports the notion that designing APIs to facilitate detection of fingerprinting can make a large difference.

I've started an issues list with these and some other comments received on Github:
https://github.com/w3c/fingerprinting-guidance/issues

Feedback is still welcome on this mailing list; I'm just using Github as a working mechanism to keep track. You can also comment or raise issues directly on Github if you prefer. Pull requests welcome!

Cheers,
Nick

> Begin forwarded message:
> 
> From: Steven Englehardt <ste@CS.Princeton.EDU>
> Date: September 10, 2015
> Subject: Fingerprinting Guidance Spec
> 
> Hello Nick,
> 
> Great work on the fingerprinting guidance spec, I believe it will help reduce the fingerprinting surface of future APIs. There are two additional papers that I think are helpful to reference.
> 
> The first paper is The Web Never Forgets: Persistent Tracking Mechanisms in the Wild <https://securehomes.esat.kuleuven.be/~gacar/persistent/>, a paper I co-authored. In it, we show how prevalent canvas fingerprinting, cookie respawning, and cookie syncing are on the web and evaluate the implications of the use of these three vectors in combination with each other.
> 
> It is helpful as an example of detectability by academics, which you address several times in the spec. In general, it's a solid example of large scale measurement of two fingerprinting vectors, and of the impact a measurement study can have on the use of these APIs for fingerprinting. The two largest canvas fingerprinters stopped after we released our paper. Addressing issue #2 in Section 5.3, it's an example of how the design of the canvas API allowed us to detect the use of canvas for fingerprinting very accurately.
> 
> The second is The Leaking Battery: A privacy analysis of the HTML5 Battery Status API <https://eprint.iacr.org/2015/616.pdf>. This paper shows how the design of the Battery Status API on Linux enabled fingerprintability. It highlights the importance of consistency across user agents (Section 5.2 Issue #1). It also shows that API designers should take care to expose the minimum amount of precision necessary for operation of a feature, a point that I think can be strengthened in the report.
> 
> Thanks for your work on this!
> 
> -Steve
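
The canvas point above (the API's design makes fingerprinting use detectable) illustrated with an added example that is not part of this thread or of the cited paper: a heuristic classifier over a recorded trace of canvas calls, as a privacy extension might collect by wrapping the canvas methods. The thresholds and the trace format are assumptions chosen for illustration, not the paper's exact criteria.

```javascript
// Added example (not from the thread or the cited paper). Classifies a recorded
// trace of canvas API calls; thresholds below are illustrative assumptions.
const MIN_DIM = 16;            // assumed: smaller canvases are ignored
const MIN_DISTINCT_CHARS = 10; // assumed: text diversity needed to flag

// trace: array of { method, args } records in call order (constructed here).
function classifyCanvasTrace(trace, width, height) {
  if (width < MIN_DIM || height < MIN_DIM) {
    return { fingerprint: false, reason: 'canvas too small to carry a fingerprint' };
  }
  const chars = new Set();      // distinct characters written to the canvas
  const fillStyles = new Set(); // distinct colours used
  let interactive = false;      // save/restore/addEventListener suggest real drawing
  let extracted = false;        // pixels read back into script
  for (const { method, args } of trace) {
    switch (method) {
      case 'fillText': case 'strokeText':
        for (const ch of String(args[0])) chars.add(ch); break;
      case 'set fillStyle':
        fillStyles.add(args[0]); break;
      case 'save': case 'restore': case 'addEventListener':
        interactive = true; break;
      case 'toDataURL':
        extracted = true; break;
      case 'getImageData': {
        const [, , w, h] = args;
        if (w >= MIN_DIM && h >= MIN_DIM) extracted = true; break;
      }
    }
  }
  if (!extracted) return { fingerprint: false, reason: 'image never read back' };
  if (interactive) return { fingerprint: false, reason: 'canvas used for ordinary drawing' };
  if (chars.size < MIN_DISTINCT_CHARS && fillStyles.size < 2) {
    return { fingerprint: false, reason: 'too little rendering diversity' };
  }
  return { fingerprint: true, reason: 'varied text rendered, then pixels read back' };
}

// Constructed traces: the first mimics a fingerprinting script (a pangram with an
// emoji, then toDataURL); the second mimics an ordinary interactive drawing.
const FINGERPRINT_TRACE = [
  { method: 'set fillStyle', args: ['#f60'] },
  { method: 'fillText', args: ['Cwm fjordbank glyphs vext quiz, \u{1F603}', 2, 15] },
  { method: 'toDataURL', args: [] },
];
const BENIGN_TRACE = [
  { method: 'save', args: [] },
  { method: 'fillText', args: ['Score: 10', 5, 5] },
  { method: 'restore', args: [] },
  { method: 'getImageData', args: [0, 0, 300, 60] },
];
console.log(classifyCanvasTrace(FINGERPRINT_TRACE, 300, 60), classifyCanvasTrace(BENIGN_TRACE, 300, 60));
```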

Received on Thursday, 29 October 2015 09:56:02 UTC