[NavigationTiming] Privacy and fingerprintability

I know it's late in the process, but I wanted to add a privacy concern
to the mix: Navigation timing can add to the fingerprintability of
browsers.  Even limited to same-origin, that origin's profiling of
browser latency could link multiple browsing sessions in unexpected
ways, hindering users' ability to browse anonymously. [0] (This is of
particular concern to the Tor Project [1], which aims to provide strong
anonymity through the Tor Browser Bundle [2] -- a uniformly
pre-configured browser and onion-routed anonymized network connections.)

Noting that several of the Web Performance specs have fingerprinting
implications, I wonder whether the group might consider the linking
attack, distinct from private information disclosure. For example, if
someone doesn't want a website to be able to correlate comments with a
login ID, he might log out, clear cookies, and write under a pseudonym,
but still be identifiable based on his browser timing connecting his
would-be-anonymous activity to previous sessions.

As a general response, then, should there be a way to disable response
to timing information requests? More broadly, might we consider a
standard profile for anonymous browsing (incognito mode, private
browsing) that disables uniquely identifying features (despite the
possible performance hit) to provide a larger anonymity set?

[0] See https://panopticlick.eff.org/ and
[1] https://www.torproject.org/
[2] https://www.torproject.org/projects/torbrowser.html.en and

Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)

Received on Tuesday, 11 September 2012 21:38:04 UTC