Re: privacywg call for consensus: Mitigating Browser Fingerprinting group note from Nick Doty on 2025-01-29 (public-privacy@w3.org from January to March 2025)

From: Nick Doty <ndoty@cdt.org>
Date: Wed, 29 Jan 2025 10:20:11 -0500
To: Mark Nottingham <mnot@mnot.net>
Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <CA+tYtvELx6St1p454fJm7Cs+=skNC51qKTU+67MUZSEO=HU1Fw@mail.gmail.com>
Sure, I'll do my best, and W3C Team can help correct or provide more
context, as they've helped with both the technical mechanisms and rolling
this out to a lot more groups.

Autopublishing means that when changes are made (pull requests are merged)
into documents that the group has already made a decision to publish and
auto-publish, the new version will be (shortly) automatically republished
to the W3C Technical Reports page (w3.org/TR), at the same level of
maturity. When we decide to do this, it generally means that there is
little difference between an editor's draft and a working draft or group
note, and people who read the version at w3.org/TR won't see an out-of-date
version of the document.

The implementation system for this is Echidna, technical details and slide
deck explaining the system here:
https://github.com/w3c/echidna
https://www.w3.org/2021/03/18-echidna/

That puts some discretion in the hands of the editors to follow the
approach of getting reviews and implementing changes they believe fit with
the Working Group's consensus and direction; we could also formalize that
process on merging PRs if there is interest in doing that. The Working
Group in any case still has the ability to review any changes to
auto-published documents, and any questions or concerns can be raised with
the group which will continue to direct the editors. The Working Group
would have a formal call for consensus at any transition of a
Recommendation-track document. And we also concluded that we should review
the non-Rec-track documents (including the Security/Privacy Questionnaire
and documents like this proposed Mitigating Browser Fingerprinting Group
Note) as a group at least once a year, like at TPAC time.

Some discussion of this in notes from November 21:
https://github.com/w3c/privacywg/blob/main/minutes/privacywg-20241121.md#a-securityprivacy-questionnaire

Cheers,
Nick

On Tue, Jan 28, 2025 at 7:01 PM Mark Nottingham <mnot@mnot.net> wrote:

> Hi Nick,
>
> Could you please walk us through the details and implications of
> auto-publishing?
>
> Cheers,
>
>
> > On 29 Jan 2025, at 1:16 am, Nick Doty <ndoty@cdt.org> wrote:
> >
> > Hi Privacy WG,
> >
> > This is a call for consensus, to confirm on the list the proposed
> resolution that we had at the recent Privacy Working Group meeting, that
> the Privacy Working Group should publish a Group Note of the Mitigating
> Browser Fingerprinting document, that was previously published as a PING
> Group Note. Per our previous discussion, that would also configure
> auto-publishing of this document when updates are made, with ongoing review
> by the group and at least one formal review by the group at TPAC each year.
> >
> > Minutes from the 16 January call:
> https://github.com/w3c/privacywg/blob/main/minutes/privacywg-20250116.md#mitigating-browser-fingerprintinggithub---w3cfingerprinting-guidance-what-is-browser-fingerprinting-and-how-should-specification-authors-address-it
> > Editor's draft: https://w3c.github.io/fingerprinting-guidance/
> >
> > If you have an objection to this decision, please let us know on list by
> next Tuesday, February 4th.
> >
> > The W3C Team can help us with the actual details of
> publishing/autopublishing, which I also think will need to include
> reviewing and merging the open PR from Jeffrey Yasskin.
> >
> > We also heard interest from some volunteers in working on updates to
> that guidance document. Many thanks to Tom Ritter (Mozilla) for getting us
> started! Tom has already opened a PR and a couple of issues, including one
> open question that other implementers or researchers may want to answer: do
> we think Accept-CH response headers are providing in practice meaningful
> detectability of accessing fingerprinting surface?
> >
> > https://github.com/w3c/fingerprinting-guidance/issues/68
> > https://github.com/w3c/fingerprinting-guidance/pull/69
> > https://github.com/w3c/fingerprinting-guidance/issues/71
> >
> > Thanks all for your interest on this long-term but still very relevant
> privacy topic.
> >
> > —Nick, for the co-chairs
> >
> > --
> > Nick Doty | https://npdoty.name
> > Senior Technologist
> > Center for Democracy & Technology | https://cdt.org
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>
Received on Wednesday, 29 January 2025 15:20:28 UTC