- From: Matthew Wilcox <mail@matthewwilcox.com>
- Date: Tue, 7 Feb 2012 20:59:58 +0000
On 7 Feb 2012, at 20:19, Boris Zbarsky wrote: On 2/7/12 2:52 PM, Matthew Wilcox wrote: Reporting more information about the user's hardware and software to the server allows better fingerprinting and hence tracking. See https://www.eff.org/deeplinks/__2010/01/primer-information-__theory-and-privacy <https://www.eff.org/deeplinks/2010/01/primer-information-theory-and-privacy> and similar resources for details. Agreed. But this already happens. And browsers are working on mitigating the ways it already happens. Which means they're reluctant to add new fingerprinting surface. Fair enough. This then becomes a cost/benefit issue. But there's nothing to stop this working if the user's default is an opt out and a prompt is given to allow. In exactly the same way that things currently work for geo-location data. Right? Your point is the user must be able to opt in and out, as they might be turning off JS (which, frankly, how many non-webnerd people do?) Just wait until UAs start shipping with JS disabled for certain domains by default, just like they're already shipping with other capabilities turned on or off with certain domains by default. I browse with NoScript and regularly come across people that haven't coded site's responsibly (it drives me nuts). While I applaud this notion because it'll bring more attention to the issue - i highly doubt it'll have any impact on the larger spectrum of sites. JS is now relied on and if certain UA's deliver a broken web-page to users, the users are just going to blame the software, not the website. Why? Because the site works in every *other* browser, including their old ones... So you're saying the problem isn't the tech but the user control? Can we not give that to them? I'm saying that the _default_ behavior should ideally be as user-friendly as possible. That includes user privacy concerns. Absolutely agree. I'm all for this being disabled by default and opted-in as servers request. Or opted in via a user setting in the UA. There can be additional knobs to enable more privacy features, of course, but a lot of what goes on in the privacy space on the web right now basically depends on user ignorance about the information websites are getting out of them. When I actually describe the underlying technology to non-technical users, they're almost uniformly horrified? They should be. But at the same time a hell of a lot of people have read that FaceBook watches their every move, and yet happily continue to use it. Users don't weigh the issue in the same way we do. Point taken. Though it irks me no end that various technologies get canned because of how inept people can mis-use them. I'd rather see those inept people shoot themselves in the foot and pay the price. The problem is that the price ends up being paid by someone else. Classic example of externalities... If we could make people fully internalize the consequences of their own incompetence, a lot of things would ure be easier! Agreed! It's still my inclination to default to more permissive things though. If people build poor sites, users stop going, the site fails, and either the author learns (I hope) or switches to a job with less requirement on skill level. It's like in business - if you're not providing a decent product, you don't survive. The government doesn't just disallow people from making rubbish with the resources they have. Did you read my earlier mails with examples of devices that are shipping right now that violate the various assumptions people trying to create these "device class" bins are making? I don't believe we should ever use "classes" of device. We've been down that route, it's a fail in and of itself. We should be using actual data, not assumed data based on some other data. OK, good. We agree on that. :) Absolutely agree on "device class". I don't understand why screen-size is broken. Because half the people asking for it explicitly say they plan to use it as a proxy for other device characteristics. It's not broken per se, of course, just the way people plan to use it. In that case I completely agree. But the answer is educate them to test the right thing. The *only* reason they say that they'll use it that way right now is because that's what they *have* to do to guess the information. Classic case being CSS media queries, where screen size is a proxy for bandwidth and device processing power. It's a mentality they're in because there is no other solution. Let's provide one. My point is that we should perhaps be thinking about how to make things work when these device characteristics change while a page is loaded. Headers do NOT allow you to handle that, for obvious reasons. Ah, loaded as in mid-stream? That's a problem too, but a small one as you note. I was thinking "as in between when onload fires and when onunload fires". For some web pages, this time is typically measured in weeks for me (my web-based RSS reader, for example). Ooo, interesting. OK, doesn't SPDY allow pushing content and open connections? Can't we hijack that? And, given that any and all new info is triggered by a request of some sort, why wouldn't the browser send updated headers with those requests? (Again, may be a daft question, I am not familiar with how this stuff works on any real level of detail) See above. I don't see how just putting it in the headers helps. It just encourages websites to assume that the information won't be changing after the request is done. How does it encourage website that? That would involve using sessions to track the user and know which request had what data the last time. And manually writing some session tracking to do that. I see this as a per request thing. New data every time. My RSS reader loads its user interface precisely once over the course of several weeks. If it based this interface on device characteristics at time of load (which it actually does, by the way, insofar as it sniffs the UA string and then guesses as you point out), then it would be broken if I ever change those device characteristics (which I do, and it is). Interesting example. OK, how could this be fixed? Could hooks not be provided for JS so that the site author could watch for these changes and re-request as needed? It'd be nice if we could create something that would not lead the people writing the RSS reader to end up with exactly the setup they have now? While I agree, it's with a wry smile on my face that I note RSS is already dying. It's been decided it's "too confusing" for users and pulled from UI's on browsers. Discoverability of RSS is near zero in modern browsers. The only people who'll know to look are already au-fait with it. And that is a shame. -Boris
Received on Tuesday, 7 February 2012 12:59:58 UTC