Re: fyi: Fingerprinting risk

> On May 5, 2017, at 0:43, Matthias Schunter (Intel Corporation) <mts-std@schunter.org> wrote:
> 
> Hi Folks,
> 
> I would like to elaborate why I changed my mind and why I now believe
> that the fingerprinting risk has been mitigated ;-)
> 
> MY PAST MISUNDERSTANDING
> - I assumed that users can do fine-grained choosing what subset of an
> exception to accept and what to block
> - The subset of blacklisted domains could be fairly individual
> - Reporting back the list of blocked domains (the intersection between
> the used third parties and the blacklist of a user) would be very
> individual too
> - As a consequence, reporting back this list would identify individual users
> 
> MY CURRENT THINKING
> - Exceptions are all-or-nothing and sites may publish a list of known
>  third parties
> - None of the domains listed shall be blocked

The DNT spec. is silent about blocking. What it talks about is what headers you send and what they mean, and indeed exceptions are granted or denied as units. 

> - All the domains not listed shall be blocked and returned
> - The list of domains that are blocked almost only depends on the
>  site (i.e. what stuff it is including) and not on user specifics.
> - As a consequence, the list of blocked sites should not allow
>  identifying users.
> 
> [The only exception could be cases where the unknown sites loaded depend
> on the user; e.g. an ad auction that pulls in unknown sites based on
> user cookies. I hope that those are rare corner cases.]
> 
> Regards,
> matthias
> 

Dave Singer

singer@mac.com

Received on Friday, 5 May 2017 17:16:13 UTC