Re: [w3ctag/design-reviews] Partial freezing of the User-Agent string (#467)

> I fail to see how this would significantly impact privacy or fingerprinting since Client Hints will enable fingerprinting equivalent or even deeper than what User-Agent currently provides

I think the key point in terms of effect on fingerprinting is that `User-Agent` is [passive fingerprinting](https://www.w3.org/TR/fingerprinting-guidance/#passive-0) surface while Client Hints is [active fingerprinting](https://www.w3.org/TR/fingerprinting-guidance/#active-0) surface.  Moving the same information from being available via active fingerprinting rather than passive fingerprinting serves the goal of [making fingerprinting detectable](https://www.w3.org/TR/fingerprinting-guidance/#fingerprinting-mitigation-levels-of-success) (see the "Detectable Fingerprinting" item), which I think is a worthy one when the use cases for exposing the data are strong enough that it doesn't make sense to remove the data exposure completely.  (I'd also note that most of the information in the User-Agent string is detectable in other ways, e.g., through browser feature detection or other mechanisms, but those ways are less reliable, especially when applied to unknown future browsers or to smaller-share browsers that the author of the detection didn't consider.)

That said, there are other concerns raised here that I share:  it is clearly somewhat disruptive to existing practices (although it doesn't seem likely to break existing content directly), it's unclear what the effects on minority browsers will be (although I think it could be either positive or negative), and in the past I've expressed concerns with other aspects of Client Hints (although mostly focusing on whether particular features should or shouldn't be detectable through Client Hints, rather than the mechanism itself).

https://github.com/w3ctag/design-reviews/issues/467#issuecomment-582142275

Received on Tuesday, 4 February 2020 22:15:35 UTC
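
The passive/active distinction in the message above, as an added example that is not part of the original message or of any browser's code: `User-Agent` is sent with no server opt-in, whereas a server that wants high-entropy Client Hints has to ask for them in an `Accept-CH` response header, and that request can be audited. The hint names follow the current UA Client Hints specification rather than anything quoted in this thread, and the function names and sample responses are constructed for illustration.

```javascript
// Added example: find which origins opt in to high-entropy UA Client Hints.
// Hint names come from the current UA Client Hints spec (assumption: not on the page).
const DEFAULT_HINTS = new Set(["sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform"]);
const HIGH_ENTROPY_HINTS = new Set([
  "sec-ch-ua-arch", "sec-ch-ua-bitness", "sec-ch-ua-model", "sec-ch-ua-wow64",
  "sec-ch-ua-platform-version", "sec-ch-ua-full-version", "sec-ch-ua-full-version-list",
]);

// Accept-CH is a comma-separated list of tokens; it may be repeated across header lines.
function parseAcceptCH(value) {
  const lines = Array.isArray(value) ? value : [value ?? ""];
  return lines
    .flatMap((line) => line.split(","))
    .map((item) => item.split(";")[0].trim().toLowerCase())
    .filter((token) => token.length > 0);
}

// Header names are case-insensitive, so look the name up without assuming its case.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Returns Map<origin, {highEntropy: string[], other: string[]}> for origins that opt in.
function auditClientHintRequests(responses) {
  const report = new Map();
  for (const { origin, headers } of responses) {
    for (const hint of parseAcceptCH(getHeader(headers, "accept-ch"))) {
      if (DEFAULT_HINTS.has(hint)) continue; // sent without opt-in, nothing new requested
      const entry = report.get(origin) ?? { highEntropy: new Set(), other: new Set() };
      (HIGH_ENTROPY_HINTS.has(hint) ? entry.highEntropy : entry.other).add(hint);
      report.set(origin, entry);
    }
  }
  return new Map([...report].map(([origin, e]) =>
    [origin, { highEntropy: [...e.highEntropy].sort(), other: [...e.other].sort() }]));
}

// Constructed sample responses (not captured traffic).
const SAMPLE_RESPONSES = [
  { origin: "https://shop.example", headers: { "Accept-CH": "Sec-CH-UA-Model, Sec-CH-UA-Arch, DPR" } },
  { origin: "https://shop.example", headers: { "accept-ch": ["Sec-CH-UA-Platform-Version"] } },
  { origin: "https://blog.example", headers: { "Accept-CH": "Sec-CH-UA-Mobile" } },
  { origin: "https://static.example", headers: { "Content-Type": "text/html" } },
];

console.log(auditClientHintRequests(SAMPLE_RESPONSES));
```

Only the origin that asks for hints beyond the default set appears in the report; an origin that reads nothing but `User-Agent` leaves no comparable trace in its responses.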