common features with cross-origin correlation possibility

Here are three common features or feature requests that have, in addition to other privacy issues, potential problems with correlation across origins, browsers or devices. I think we should establish guidance on these points in one of our common documents so that we can point people to it.

* Simultaneously-triggered events
APIs that allow for subscribing to events also introduce the possibility of correlating a user's activity across tabs, across origins or across browsers. (I've noted this before, apologies for repetition.) I believe the typical advice is to only trigger events for the front-most browsing context or to fuzz the timing; given that we have typical advice, we should have that written up somewhere.

* Access to sensors or device data
The Generic Sensor API is already getting into this, I believe. Since sensors typically give information about the world around the device, the data is inherently cross-origin and can enable unexpected correlations. Data on the device may be the same way -- in addition to the privacy issues with accessing my calendar appointments or my contact database, a site can also determine that I'm the same person if I share that information with more than one page.

* Permanent, hardware identifiers
I think we should state that this is typically incompatible with the Web's privacy model. Access to an unchangeable identifier or hardware key means clearing cookies does not affect the capability of correlating user activity.

Greg, do we have these anywhere in the privacy questionnaire?

The permanent identifiers could also be discussed in the Mitigating Browser Fingerprinting doc, as we already have a section there on clearing local state, but it's been noted that that might be extending beyond fingerprinting, so perhaps it'll be moved to the more general privacy questionnaire anyway.


Received on Thursday, 28 July 2016 02:32:52 UTC
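The following simulation is an added illustration of the first bullet above (simultaneously-triggered events) and is not code from the original message or from any W3C document. It models, in plain Node.js rather than with a real browser event API, one device-level event timeline being delivered to two pages on different origins, a colluding backend matching the two timestamp streams, and the two mitigations mentioned (front-most-only delivery and timing fuzz). It also goes one step beyond the message by distinguishing a constant per-origin time offset, which a lag search defeats, from independent per-event jitter, which does break the correlation. Every name, the 40-events-per-minute timeline, the 5 ms matching tolerance, the 250 ms fuzz range and the 0.9 link threshold are constructed assumptions.

```javascript
// Added example (not from the original message): simulated cross-origin
// correlation of simultaneously-delivered events and the effect of the two
// mitigations. All parameters below are constructed for the illustration.

// Small deterministic PRNG (mulberry32) so the scenarios are reproducible.
function makeRng(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// The "real" device timeline: n events (e.g. a sensor reading crossing a
// threshold) at random millisecond offsets within a windowMs observation window.
function generateEvents(rng, n, windowMs) {
  const t = [];
  for (let i = 0; i < n; i++) t.push(Math.floor(rng() * windowMs));
  return t.sort((x, y) => x - y);
}

// Model of the browser delivering that timeline to one page (one origin).
//   fuzz: 'none'     -> exact timestamps
//         'constant' -> one random offset per origin, applied to every event
//         'perEvent' -> an independent random offset for every event
//   frontMostOnly && !visible -> a background page receives nothing at all
function deliverEvents(trueEvents, { rng, fuzz = 'none', fuzzMs = 0,
                                      visible = true, frontMostOnly = false }) {
  if (frontMostOnly && !visible) return [];
  const jitter = () => Math.round((rng() * 2 - 1) * fuzzMs);
  const fixed = fuzz === 'constant' ? jitter() : 0;
  return trueEvents.map((t) => t + (fuzz === 'perEvent' ? jitter() : fixed));
}

// Fraction of A's events that have some B event within toleranceMs once B is
// shifted by lagMs. Both inputs are sorted; two-pointer sweep.
function matchFraction(a, b, toleranceMs, lagMs = 0) {
  if (a.length === 0 || b.length === 0) return 0;
  let j = 0, hits = 0;
  for (const ta of a) {
    while (j < b.length && b[j] + lagMs < ta - toleranceMs) j++;
    if (j < b.length && Math.abs(b[j] + lagMs - ta) <= toleranceMs) hits++;
  }
  return hits / a.length;
}

// What a colluding backend does: try every lag in [-maxLagMs, maxLagMs]
// (step = tolerance) and keep the best score, so a constant per-origin
// offset does not hide the correlation.
function bestMatch(a, b, toleranceMs, maxLagMs) {
  let best = 0;
  for (let lag = -maxLagMs; lag <= maxLagMs; lag += toleranceMs) {
    best = Math.max(best, matchFraction(a, b, toleranceMs, lag));
  }
  return best;
}

// Run one scenario: the same timeline is delivered to origin A (visible tab)
// and origin B (hidden background tab) under the given browser policy, and the
// two streams are then linked if at least 90% of A's events line up with B's.
function runScenario({ fuzz = 'none', fuzzMs = 0, frontMostOnly = false, seed = 42 } = {}) {
  const rng = makeRng(seed);
  const timeline = generateEvents(rng, 40, 60000); // 40 events in one minute
  const seenByA = deliverEvents(timeline, { rng, fuzz, fuzzMs, visible: true, frontMostOnly });
  const seenByB = deliverEvents(timeline, { rng, fuzz, fuzzMs, visible: false, frontMostOnly });
  // Two independent per-origin offsets can differ by up to 2 * fuzzMs.
  const score = bestMatch(seenByA, seenByB, 5, 2 * fuzzMs);
  return { score, linked: score >= 0.9 };
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const s of [
    { fuzz: 'none' },
    { fuzz: 'constant', fuzzMs: 250 },
    { fuzz: 'perEvent', fuzzMs: 250 },
    { fuzz: 'none', frontMostOnly: true },
  ]) console.log(JSON.stringify(s), runScenario(s));
}
```

Running it shows the unfuzzed and constant-offset policies both link the two origins with a perfect score, while per-event jitter of ±250 ms drops the best achievable match to a small fraction and front-most-only delivery leaves the background origin with nothing to correlate at all. The design point is that fuzzing only helps if the noise is fresh per event and per origin; a fixed skew per origin is just one more lag for the attacker to search.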