- From: Jason A. Novak <jnovak@apple.com>
- Date: Wed, 03 Oct 2018 00:30:11 -0700
- To: Christine Runnegar <runnegar@isoc.org>, "public-privacy@w3.org" <public-privacy@w3.org>
- Message-id: <B61DB56D-2FCC-4EB9-9157-31F4C2FE1711@apple.com>
Regarding: > 1. Privacy considerations of the Device Memory API Given the proliferation of Accept-CH headers (device memory here, network information previously discussed), it seems like there’s a significant addition of fingerprinting surface area being exposed over time through this feature. As the Accept-CH feature overall seems to be focused on providing an origin with a sense of the processing capabilities of a device, might it instead make more sense to create larger classes of devices + year (and therefore revealing less individuating information) e.g. Desired-Content-Profile: Heavyweight 2018 (for a high-end smartphone) or Desired-Content: Lightweight 2018. This could be derived from hardware constraints or a user preference. For what it’s worth, some organizations already do so <https://code.fb.com/android/year-class-a-classification-system-for-android/>, which suggests there may be a path forward for this approach. There’s also a discussion of exposing the amount of currently available memory to a site; I think that we should advise against doing so given the side channel attacks that this sort of access has been shown to enable (for example http://web.cse.ohio-state.edu/~zhang.834/papers/ndss18a.pdf <http://web.cse.ohio-state.edu/~zhang.834/papers/ndss18a.pdf>). Finally, I note that this specification allows for this information to be sent either as a header or in response to a JS call. In previous Accept-CH discussions, we’ve flagged that making this information available as a header makes it harder for fingerprinting to be detected by third parties / researchers / consumer advocates and / or combated by a UA; l think that we should continue to flag this risk here. Best, Jason > On Oct 2, 2018, at 1:24 PM, Christine Runnegar <runnegar@isoc.org <mailto:runnegar@isoc.org>> wrote: > > Hello everyone, > > Please note that PING will NOT be meeting this week, instead, we will be meeting on Thursday 11 October 2018 at the usual time. > > We will be joined by members of the Web Performance WG to discuss the privacy considerations of the Device Memory API. > > Link to draft spec: https://www.w3.org/TR/2018/WD-device-memory-1-20180925/ <https://www.w3.org/TR/2018/WD-device-memory-1-20180925/> (First Public WD). > > The WG has already identified some privacy concerns related to fingerprinting and the Client-Hints opt-in model, and has changed the draft specification to address some of those concerns, namely: > > * Client-Hints' opt-in model was revised so that opt-ins only include the same-origin. An explicit cross-origin opt-in mechanism is still being defined. > * The values exposed are now truncated to a single MSB bit (so values are rounded to the lower power of 2, significantly reducing the fingerprinting surface). > * UAs are free to set the lower and upper bound of the value range, as to reduce the fingerprinting surface even further, while making sure that the use-cases are addressed. > > Agenda for the call > > 1. Privacy considerations of the Device Memory API > 2. TPAC > 3. Updating security and privacy questionnaire > 4. AOB > > WebEx meeting > https://www.w3.org/2018/08/ping-webex.html <https://www.w3.org/2018/08/ping-webex.html> (W3 login will be needed to access Webex call details) > > Please also join us on IRC on the #privacy channel: > > Server: irc.w3.org <http://irc.w3.org/> > Username: <your name> > Port: 6667 or 6665 > Channel: #privacy > > Calendar invite to follow. > > If you have any issues retrieving the Webex call details, please feel free to contact me off list. > > Christine
Received on Wednesday, 3 October 2018 07:30:47 UTC