Re: common features with cross-origin correlation possibility from Greg Norcie on 2016-07-28 (public-privacy@w3.org from July to September 2016)

From: Greg Norcie <gnorcie@cdt.org>
Date: Thu, 28 Jul 2016 12:17:32 -0400
To: Nick Doty <npdoty@ischool.berkeley.edu>
Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <CAMJgV7Zsb=M7RX-LSUOWwNpRBPjHw72t3RjuAaU+RxCN=u4A0A@mail.gmail.com>

I'll take a look, and if not craft some questions to make sure they're hit
on.


/********************************************/
Greg Norcie (norcie@cdt.org)
Staff Technologist
Center for Democracy & Technology
District of Columbia office
(p) 202-637-9800
PGP: http://norcie.com/pgp.txt

/*******************************************/

On Wed, Jul 27, 2016 at 10:32 PM, Nick Doty <npdoty@ischool.berkeley.edu>
wrote:

> Here are three common features or feature requests that have, in addition
> to other privacy issues, potential problems with correlation across
> origins, browsers or devices. I think we should establish guidance on these
> points in one of our common documents so that we can point people to it.
>
> * Simultaneously-triggered events
>
> APIs that allow for subscribing to events also introduce the possibility
> of correlating a user's activity across tabs, across origins or across
> browsers. (I've noted this before, apologies for repetition.) I believe the
> typical advice is to only trigger events for the front-most browsing
> context or to fuzz the timing; given that we have typical advice, we should
> have that written up somewhere.
>
>
> * Access to sensors or device data
>
> The Generic Sensor API is already getting into this, I believe. Since
> sensors typically give information about the world around the device, the
> data is inherently cross-origin and can enable unexpected correlations.
> Data on the device may be the same way -- in addition to the privacy issues
> with accessing my calendar appointments or my contact database, a site can
> also determine that I'm the same person if I share that information with
> more than one page.
>
>
> * Permanent, hardware identifiers:
>
> I think we should state that this is typically incompatible with the Web's
> privacy model. Access to an unchangeable identifier or hardware key means
> clearing cookies does not affect the capability of correlating user
> activity.
>
>
>
> Greg, do we have these anywhere in the privacy questionnaire?
>
> The permanent identifiers could also be discussed in the Mitigating
> Browser Fingerprinting doc, as we already have a section there on clearing
> local state, but it's been noted that that might be extending beyond
> fingerprinting, so perhaps it'll be moved to the more general privacy
> questionnaire anyway.
>
> Thanks,
> Nick
>

Received on Thursday, 28 July 2016 16:18:19 UTC