Re: Privacy review for issue 176 from Pete Snyder on 2025-11-05 (public-privacy@w3.org from October to December 2025)

From: Pete Snyder <psnyder@brave.com>
Date: Wed, 5 Nov 2025 12:39:06 -0800
To: Ted Hardie <ted.ietf@gmail.com>
Cc: public-privacy@w3.org
Message-ID: <CABVK1nD3YogRUuRUHrAk1tyr4kGDi6z-6Uf1wAZpa7=vi0vPkA@mail.gmail.com>

Howdy Ted,

Apologies for the delay in the reply.  I think this review looks great. The
next steps are as follows:

   - if you're free, it'd be terrific if you could discuss your findings on
   the PrivacyWG call tomorrow (on Thursday, Nov 6). That would just be
   briefly talking about the functionality and behavior of the spec you
   reviewed, and any privacy concerns you found. If you cannot attend the
   PrivacyWG call tomorrow, no problem, I (or another chair) can present your
   findings too
   - file issues in the spec's repo for any / each issue you found, and
   label each either "privacy", or "privacy-needs-resoution", depending on
   whether you think the issue is more advisory (your bringing the issue to
   the attention of the spec's authors, but dont think any changes are
   required for things to move forward) or "privacy-needs-resolution" (the
   issue you identified is critical enough that you think changes are needed
   before the spec moves forward)
   - leave a comment in privacy-request issue
   <https://github.com/w3cping/privacy-request/issues/176>, linking to any
   issues you filed in the spec's org

And then, all good to close that privacy-request issue (or, if you'd
prefer, I or the other chairs can handle that too).

Thanks again for your time and expertise Ted, and (if you can make it)
looking forward to hearing your review tomorrow,
Pete

On Wed, Oct 15, 2025 at 2:19 AM Ted Hardie <ted.ietf@gmail.com> wrote:

> Howdy,
>
> This is my first privacy review, so I wanted to send something in advance
> of  the meeting, so folks could let me know what I might be missing.  The
> relevant issue is found here:
> https://github.com/w3cping/privacy-request/issues/176 .
>
> The set of changes is very small, so I am including it inline here:
>
>    1. Removed special handling of color() fallback system colors, since
>    the feature was removed from [CSS-COLOR-4]. (Issue 7007)
>    2. Added emulation support for improved testing of forced colors mode.
>    (Issue 11824)
>    3. Updated the properties that apply in forced colors mode to more
>    generically apply to the <color> components of all properties, with
>    specific known properties moved to a note. (Issue 11857)
>    4. Added font emoji fallback logic for forced colors mode. (Issue 8064)
>
> I concur with the self-review that the only significant change is that the
> use of forced colors can now be detected without querying for forced-colors
> mode.  None of the other changes appear to change the fingerprinting
> surface or expose PII.  Since that is a change in how the data is available
> to the observer, rather than a change in what data is available to the
> observer, my assessment is that this change requires no additional changes
> to maintain privacy equivalent to that available prior to the update.
>
> best regards,
>
> Ted Hardie
>
>

Received on Wednesday, 5 November 2025 20:39:23 UTC