Re: [privacy-request] Issue: User Timing 2021-06-02 > 2021-06-23 (#43) marked as REVIEW REQUESTED from Carine Bournez on 2021-06-03 (public-privacy@w3.org from April to June 2021)

From: Carine Bournez <carine@w3.org>
Date: Thu, 3 Jun 2021 10:32:03 +0000
To: Rigo Wenning <rigo@w3.org>
Cc: public-privacy@w3.org
Message-ID: <20210603102003.8f851d03-2870-4bf4-9f07-4bf869517db5.carine@w3.org>

On Thu, Jun 03, 2021 at 11:25:15AM +0200, Rigo Wenning wrote:
> Carine, 
> 
> just skimming through it and knowing that the specification is not
> addressing that use case particularly, let me note that the time -
> action relation, if linked to an ID, can be used for very precise user
> tracking. 
> 
> Unfortunately, neither the past nor the present specification text
> contain any text in respect to this. But maybe I'm missing something as
> I just skimmed through the spec. 

Hi Rigo,
If it's already linked to a user ID, tracking can of course happen.
High resolution timing does not bring anything interesting to
that "use case", it does not make it easier nor harder to track.
The important aspect is to avoid possible third-party attacks 
through the timing APIs, that could leak information on user actions
only.

> 
> On Wed, 2021-06-02 at 14:44 +0000, caribouW3 via GitHub wrote:
> > caribouW3 has just labeled an issue for
> > https://github.com/w3cping/privacy-request as "REVIEW REQUESTED":
> > 
> > == User Timing 2021-06-02 > 2021-06-23 ==
> > - name of spec to be reviewed: User Timing 
> > - URL of spec: https://w3c.github.io/user-timing/ 
> > 
> > - What and when is your next expected transition? 
> > https://github.com/w3c/transitions/issues/338#issuecomment-850636248
> > Wide review was already done for level 2. The WG wants to drop levels
> > and merge level 3 in it.
> > The Director is requesting a formal wide review with the most recent
> > horizontal review process.
> > 
> > - What has changed since any previous review? 
> > In level 3, addition of ability to execute marks and measures across
> > arbitrary timestamps and
> > support for reporting arbitrary metadata along with marks and
> > measures.
> > 
> > - Does your document have an in-line Privacy Considerations section,
> > separate from Security Considerations?  If not, corrrect that before
> > proceeding further.
> > https://w3c.github.io/user-timing/#privacy-security
> > 
> > - Please point to the results of your own self-review (see
> > https://w3ctag.github.io/security-questionnaire/ ,
> > https://w3c.github.io/fingerprinting-guidance/,
> > https://tools.ietf.org/html/rfc6973)
> > https://w3c.github.io/perf-security-privacy/
> > 
> > - Where and how to file issues arising?
> > https://github.com/w3c/user-timing/issues/
> >  
> > - Pointer to any explainer for the spec? 
> > https://w3c.github.io/user-timing/#introduction
> > 
> > Other comments:
> > 
> > 
> > See https://github.com/w3cping/privacy-request/issues/43
> > 
> > 
> 
> 

-- 
Carine Bournez /// W3C Europe

Received on Thursday, 3 June 2021 10:32:17 UTC