Re: privacywg call for consensus: Mitigating Browser Fingerprinting group note from Mark Nottingham on 2025-01-30 (public-privacy@w3.org from January to March 2025)

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 30 Jan 2025 12:24:44 +1100
To: Nick Doty <ndoty@cdt.org>
Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-Id: <3135193F-834B-40D1-9BD4-8CE418F55539@mnot.net>
Thanks, Nick.

The risk here is that the published document doesn't reflect WG consensus. At a minimum, then, it would be wise to have some written, agreed-to guidelines for the editors about what they may and may not include in such edits.

At a higher level, though, it would be good to carefully consider the tradeoff being made. If the document is truly uncontroversial and the publication process is onerous, streamlining it like this makes sense. If either condition isn't true, I wonder whether the potential for (or even appearance of) compromising the consensus process is wise.

Cheers,


> On 30 Jan 2025, at 2:20 am, Nick Doty <ndoty@cdt.org> wrote:
> 
> Sure, I'll do my best, and W3C Team can help correct or provide more context, as they've helped with both the technical mechanisms and rolling this out to a lot more groups.
> 
> Autopublishing means that when changes are made (pull requests are merged) into documents that the group has already made a decision to publish and auto-publish, the new version will be (shortly) automatically republished to the W3C Technical Reports page (w3.org/TR), at the same level of maturity. When we decide to do this, it generally means that there is little difference between an editor's draft and a working draft or group note, and people who read the version at w3.org/TR won't see an out-of-date version of the document.
> 
> The implementation system for this is Echidna, technical details and slide deck explaining the system here:
> https://github.com/w3c/echidna
> https://www.w3.org/2021/03/18-echidna/
> 
> That puts some discretion in the hands of the editors to follow the approach of getting reviews and implementing changes they believe fit with the Working Group's consensus and direction; we could also formalize that process on merging PRs if there is interest in doing that. The Working Group in any case still has the ability to review any changes to auto-published documents, and any questions or concerns can be raised with the group which will continue to direct the editors. The Working Group would have a formal call for consensus at any transition of a Recommendation-track document. And we also concluded that we should review the non-Rec-track documents (including the Security/Privacy Questionnaire and documents like this proposed Mitigating Browser Fingerprinting Group Note) as a group at least once a year, like at TPAC time.
> 
> Some discussion of this in notes from November 21: 
> https://github.com/w3c/privacywg/blob/main/minutes/privacywg-20241121.md#a-securityprivacy-questionnaire
> 
> Cheers,
> Nick
> 
> On Tue, Jan 28, 2025 at 7:01 PM Mark Nottingham <mnot@mnot.net> wrote:
> Hi Nick,
> 
> Could you please walk us through the details and implications of auto-publishing? 
> 
> Cheers,
> 
> 
> > On 29 Jan 2025, at 1:16 am, Nick Doty <ndoty@cdt.org> wrote:
> > 
> > Hi Privacy WG,
> > 
> > This is a call for consensus, to confirm on the list the proposed resolution that we had at the recent Privacy Working Group meeting, that the Privacy Working Group should publish a Group Note of the Mitigating Browser Fingerprinting document, that was previously published as a PING Group Note. Per our previous discussion, that would also configure auto-publishing of this document when updates are made, with ongoing review by the group and at least one formal review by the group at TPAC each year.
> > 
> > Minutes from the 16 January call: https://github.com/w3c/privacywg/blob/main/minutes/privacywg-20250116.md#mitigating-browser-fingerprintinggithub---w3cfingerprinting-guidance-what-is-browser-fingerprinting-and-how-should-specification-authors-address-it
> > Editor's draft: https://w3c.github.io/fingerprinting-guidance/
> > 
> > If you have an objection to this decision, please let us know on list by next Tuesday, February 4th.
> > 
> > The W3C Team can help us with the actual details of publishing/autopublishing, which I also think will need to include reviewing and merging the open PR from Jeffrey Yasskin.
> > 
> > We also heard interest from some volunteers in working on updates to that guidance document. Many thanks to Tom Ritter (Mozilla) for getting us started! Tom has already opened a PR and a couple of issues, including one open question that other implementers or researchers may want to answer: do we think Accept-CH response headers are providing in practice meaningful detectability of accessing fingerprinting surface?
> > 
> > https://github.com/w3c/fingerprinting-guidance/issues/68
> > https://github.com/w3c/fingerprinting-guidance/pull/69
> > https://github.com/w3c/fingerprinting-guidance/issues/71
> > 
> > Thanks all for your interest on this long-term but still very relevant privacy topic.
> > 
> > —Nick, for the co-chairs
> > 
> > -- 
> > Nick Doty | https://npdoty.name
> > Senior Technologist
> > Center for Democracy & Technology | https://cdt.org
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 

--
Mark Nottingham   https://www.mnot.net/
Received on Thursday, 30 January 2025 01:24:52 UTC