- From: Wendy Seltzer <wseltzer@w3.org>
- Date: Tue, 11 Sep 2012 17:38:01 -0400
- To: public-web-perf@w3.org
I know it's late in the process, but I wanted to add a privacy concern to the mix: Navigation timing can add to the fingerprintability of browsers. Even limited to same-origin, that origin's profiling of browser latency could link multiple browsing sessions in unexpected ways, hindering users' ability to browse anonymously. [0] (This is of particular concern to the Tor Project [1], which aims to provide strong anonymity through the Tor Browser Bundle [2] -- a uniformly pre-configured browser and onion-routed anonymized network connections.)

Noting that several of the Web Performance specs have fingerprinting implications, I wonder whether the group might consider the linking attack, distinct from private information disclosure. For example, if someone doesn't want a website to be able to correlate comments with a login ID, he might log out, clear cookies, and write under a pseudonym, but still be identifiable based on his browser timing connecting his would-be-anonymous activity to previous sessions.

As a general response, then, should there be a way to disable response to timing information requests? More broadly, might we consider a standard profile for anonymous browsing (incognito mode, private browsing) that disables uniquely identifying features (despite the possible performance hit) to provide a larger anonymity set?

Thanks,
--Wendy

[0] See https://panopticlick.eff.org/ and https://panopticlick.eff.org/browser-uniqueness.pdf
[1] https://www.torproject.org/
[2] https://www.torproject.org/projects/torbrowser.html.en and https://www.torproject.org/torbutton/en/design/

--
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
http://wendy.seltzer.org/ +1.617.863.0613 (mobile)
Received on Tuesday, 11 September 2012 21:38:04 UTC
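The message argues that per-origin latency profiles shrink the anonymity set, and asks whether degrading or disabling timing responses would enlarge it. The following JavaScript (Node, no browser needed) is an added illustration of that trade-off, not code from the message or from any Web Performance spec: it builds a latency profile from Navigation Timing attribute names (`domainLookupStart`, `connectEnd`, `requestStart`, `responseEnd`, etc.), measures how many bits of distinguishing information a set of browsers leaks, and then repeats the measurement after coarsening the values to 100 ms buckets, which stands in for a browser-side mitigation. All browser samples are constructed and the bucket width is an assumption chosen for the demonstration, not a value from any specification.

```javascript
// Added example: how much a same-origin latency profile distinguishes
// browsers, and how much survives once the browser coarsens timing values.
// Attribute names follow the Navigation Timing interface; every value below
// is constructed sample data, not a real measurement.

// Lay out constructed intervals as spec-style absolute timestamps (ms since epoch).
function makeTiming(intervals, navigationStart = 1347399481000) {
  let t = navigationStart + 5; // constructed: 5 ms before DNS lookup begins
  const timing = { navigationStart };
  timing.domainLookupStart = t; t += intervals.dns;
  timing.domainLookupEnd = t;
  timing.connectStart = t; t += intervals.connect;
  timing.connectEnd = t;
  timing.requestStart = t; t += intervals.ttfb;
  timing.responseStart = t; t += intervals.download;
  timing.responseEnd = t;
  return timing;
}

// Six constructed browsers: three on a fast link, three on a slow one.
const SAMPLE_TIMINGS = [
  { dns: 15, connect: 35, ttfb: 80, download: 40 },
  { dns: 17, connect: 33, ttfb: 82, download: 42 },
  { dns: 12, connect: 38, ttfb: 90, download: 45 },
  { dns: 150, connect: 300, ttfb: 400, download: 120 },
  { dns: 155, connect: 310, ttfb: 420, download: 130 },
  { dns: 160, connect: 305, ttfb: 410, download: 125 },
].map((iv) => makeTiming(iv));

// What a same-origin page can derive from the timing object: latency deltas.
function latencyProfile(t) {
  return {
    dns: t.domainLookupEnd - t.domainLookupStart,
    connect: t.connectEnd - t.connectStart,
    ttfb: t.responseStart - t.requestStart,
    download: t.responseEnd - t.responseStart,
  };
}

// Mitigation stand-in: round every interval down to a bucket of bucketMs.
// bucketMs = 1 leaves the profile unchanged.
function coarsen(profile, bucketMs) {
  const out = {};
  for (const [name, ms] of Object.entries(profile)) {
    out[name] = Math.floor(ms / bucketMs) * bucketMs;
  }
  return out;
}

// Group identical profiles: each group is one anonymity set.
function anonymitySets(profiles) {
  const counts = new Map();
  for (const p of profiles) {
    const k = JSON.stringify(p);
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  return counts;
}

// Shannon entropy (bits) of the profile distribution: bits of identifying
// information an origin gains from the timing values alone.
function entropyBits(counts, total) {
  let h = 0;
  for (const c of counts.values()) {
    const p = c / total;
    h -= p * Math.log2(p);
  }
  return h;
}

// Summarise the sample at a given bucket width.
function summarize(bucketMs) {
  const profiles = SAMPLE_TIMINGS.map((t) => coarsen(latencyProfile(t), bucketMs));
  const sets = anonymitySets(profiles);
  return {
    groups: sets.size,
    smallestSet: Math.min(...sets.values()),
    entropyBits: entropyBits(sets, profiles.length),
  };
}

for (const bucketMs of [1, 100]) {
  const s = summarize(bucketMs);
  console.log(
    `bucket ${bucketMs} ms: ${s.groups} distinct profiles, ` +
    `smallest anonymity set ${s.smallestSet}, ${s.entropyBits.toFixed(2)} bits`
  );
}
```

With millisecond precision every constructed browser is unique (six groups, about 2.58 bits); at 100 ms buckets the same browsers collapse into two groups of three and leak one bit. The numbers are specific to the constructed sample, but the method is the one a reviewer would apply to any proposed reduction in timing precision: compute the entropy and the smallest anonymity set before and after, rather than reasoning about "uniqueness" informally.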