Re: `Accept-CH` header is weird from Alex Russell on 2018-04-13 (public-privacy@w3.org from April to June 2018)

From: Alex Russell <slightlyoff@google.com>
Date: Fri, 13 Apr 2018 11:12:38 -0700
To: "Mike O'Neill" <michael.oneill@baycloud.com>
Cc: Eric Rescorla <ekr@rtfm.com>, Nick Doty <npdoty@ischool.berkeley.edu>, TAG List <www-tag@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <CANr5HFWVNFiNKyH_-RXbJhv6BrUWcVVypuRG34AVcfzH_rdkKg@mail.gmail.com>
Again, the question here isn't "*do you view sending this data as a good or
bad thing?*", it's "*how will browsers who want to not send it react?*". If
the answer is "*they won't send it under any `Accept-CH` value*" (the
logical outcome), then implementing Client HInts *at all* looks suspect,
and the question regarding opt-in vs. automatic CH value transmission is
moot.

Regards

On Fri, Apr 13, 2018 at 10:27 AM, Mike O'Neill <michael.oneill@baycloud.com>
wrote:

> I agree with Nick and Eric. Fingerprinting will become more popular as a
> tracking technique as browsers implement more privacy features such as
> third-party cookie partitioning. The web, and people’s trust in it, will be
> damaged if the only recourse is to remove functionality by content blocking
> or wholesale feature removal.
>
>
>
> There has to be a simple standardised way for a user to find out if a
> site, or embedded third-party, is fingerprinting. The procedure might have
> to err on the side of caution, but the challenge of minimising false
> positives would be a competitive differentiator between UAs. Anything that
> the UAr finds will tend to have to be clearly explained in sites’ privacy
> declaration. An automatic link to such explanations would be even better!
>
>
>
> Mike
>
>
>
> *From:* Eric Rescorla <ekr@rtfm.com>
> *Sent:* 13 April 2018 17:24
> *To:* Alex Russell <slightlyoff@google.com>
> *Cc:* Nick Doty <npdoty@ischool.berkeley.edu>; TAG List <www-tag@w3.org>;
> public-privacy (W3C mailing list) <public-privacy@w3.org>
> *Subject:* Re: `Accept-CH` header is weird
>
>
>
>
>
> On Fri, Apr 13, 2018 at 9:07 AM, Alex Russell <slightlyoff@google.com>
> wrote:
>
> Hi Nick, Eric:
>
>
>
> Thanks for the thoughtful comments.
>
>
>
> The analysis about opt-in free CH comes from turning the question around
> slightly: if any origin can opt-in for subsequent top-level navigations,
> and browsers wish not to provide that information to those origins
> (selectively, or as a policy), isn't the recourse identical to the recourse
> in the non-opt-in scenario?
>
>
>
> I.e., browsers will need to filter the list (perhaps to zero) to maintain
> whatever privacy invariants they wish to maintain. To be effective, this
> would also need to be paired with removing/modifying the runtime behavior
> of web content (turning off media query support, blocking various DOM APIs,
> disabling scripting, etc.).
>
>
>
> Similarly, if browsers want to know what's being exfiltrated, they can
> simply not support CH (always send a null list).  If visibility of
> script/active measures is the goal, this seems like the only way to achieve
> it.
>
>
>
> The opt-in-CH-is-good position seems untenable as a result.
>
>
>
> What am I missing?
>
>
>
> I'm not sure if you're missing anything, but I have a slightly different
> analysis. If the site has to take active measures to record a piece of
> client information then the clients are able to determine when the site is
> asking for it and if that request is reasonable. However, if the posture is
> that the browser always sends it, then the user has no way of knowing.
>
>
>
> Take as an example, the (not in the current spec, but suggested)
> Geolocation hint. Currently, the browser knows when that happens and can
> show the user if it's in use, as in, for instance, "I'm actually using a
> map on this site". However, if there is a Geolocation client hint, then
> that doesn't work, because the site is always getting the data whether or
> not they are using it. The same is true, though to a lesser extent, with
> other hints.
>
>
>
> Yes, of course, the browser has the recourse to not support CH, but the
> question at hand is whether it's good for the Web to standardize this kind
> of functionality at all.
>
>
>
> -Ekr
>
>
>
>
>
>
>
> Regards
>
>
>
>
>
>
>
> On Fri, Apr 13, 2018 at 6:51 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>
>
>
> On Thu, Apr 12, 2018 at 7:41 PM, Nick Doty <npdoty@ischool.berkeley.edu>
> wrote:
>
> Hi TAG folks,
>
>
>
> I'm concerned to read the TAG's feedback on the Client-Hints draft [0] as
> suggesting that the feature should only go forward if it's done in a way
> that adds undetectable passive browser fingerprinting surface, after
> previous discussions had come up with a design that explicitly created a
> visible server opt-in for this setting. Apologies if I'm just
> misunderstanding the TAG issue comments, but this seemed like a significant
> change away from previous discussion on the public-privacy list [1], in the
> httpwg [2] and at the recent IETF meeting.
>
>
>
> We remain unconvinced by privacy arguments regarding
> opt-in-free Client-Hints. Perhaps for environments that aren't the web,
> this would be a meaningful distinction, but for HTML, the reality of CSS
> media queries, DOM APIs, and other side-channels for determining this
> information at runtime ensure that there's no net privacy benefit (aside
> from requiring that fingerprinting parties do so actively and thus visibly,
> a situation the can be re-created by removing support for Client-Hints).
>
>
>
> You mention that with a visible opt-in fingerprinting parties would do so
> "actively and thus visibly" as an aside, and I'm not sure why. Making
> fingerprinting detectable or observable is a key mitigation, not a
> parenthetical one. Detectability is a mitigation that is often feasible in
> the design of the Web platform, as it is in this case. Following the TAG's
> guidance that technical prevention mechanisms are unlikely to be entirely
> effective, detectability of fingerprinting is essential for using other
> means, including policy means, to discourage widespread browser
> fingerprinting, an example of tracking outside of user awareness and
> control [3].
>
>
>
> I have to agree with Nick here. There are a number of widespread
> fingerprinting techniques that we know about largely because they are
> active. See, for instance, http://randomwalker.info/publi
> cations/OpenWPM_1_million_site_tracking_measurement.pdf
>
>
>
> -Ekr
>
>
>
>
>
>
>
>
>
> In addition, encouraging data to be sent by default on every request does
> not following the principle of data minimization, and makes it more likely
> that such fingerprinting would become "normal", an outcome that the TAG
> indicated should be the focus of prevention [3]. Here that data
> minimization design it seems to align well with the position of
> implementers not interested in sending data on every request.
>
>
>
> A unique case is reflection of data that's not trivially available
> otherwise (e.g. Save-Data), but given that this information is available
> via origin opt-in under Accept-CH.
>
>
>
> I might not understand this sentence. Was something left out? Maybe the
> suggestion is that a privacy benefit would only exist for previously
> private data that is newly disclosed in these headers, but that the privacy
> benefit doesn't exist if an origin can opt-in to receiving it? In addition
> to fingerprinting surface, it is also useful to require sites to ask for
> the user data they need, in order to improve detection and to allow sites
> that don't need additional info not to receive it.
>
>
>
> I'm reminded that while much fingerprinting surface is currently
> accessible to parties using HTML, CSS and JavaScript, this additional
> fingerprinting surface / information about the user's device/window would
> also be provided in the loading of images (1x1 gifs, for example), a
> particular intentional use case. So I would say that there certainly is
> disclosure of data not trivially available otherwise and that the analogy
> you draw to, for example, CSS media queries may not capture all usage.
>
>
>
> We therefore recommend that UAs revisit the decision to require
> the  opt-in at their earliest convenience (again, acknowledging that
> non-web environments or restricted contexts like a "private browsing" mode
> may choose to set defaults very differently, up to and including
> disabling Client-Hints entirely).
>
>
>
> It's good to recognize that some UAs and some modes of browsing will
> continue to restrict information even if a spec requires it to be sent with
> no opt-in. But I don't think we should cabin off all privacy considerations
> just for private browsing modes or privacy-specific browsers. Concepts like
> data minimization are meaningfully applied throughout the Web platform, so
> that there doesn't need to be a large gulf in functionality-privacy
> trade-offs between default modes and private browsing modes.
>
>
>
> I've CCed the Privacy Interest Group list and hope that public-privacy@
> would be a group of people to consult when the TAG finds privacy arguments
> unconvincing or otherwise has questions about privacy implications of
> particular designs.
>
>
>
> Cheers,
>
> Nick
>
>
>
> [0] https://github.com/w3ctag/design-reviews/issues/206#issu
> ecomment-379422513
>
> [1] https://lists.w3.org/Archives/Public/public-privacy/
> 2016OctDec/0060.html
>
> [2] https://github.com/httpwg/http-extensions/issues/284
>
> [3] Unsanctioned Web Tracking
>
> https://www.w3.org/2001/tag/doc/unsanctioned-tracking/
>
>
>
>
>
>
>
>
>
Received on Friday, 13 April 2018 18:13:51 UTC