
[whatwg] Covert sharing of user agent state.

From: Fred Andrews <fredandw@live.com>
Date: Sat, 22 Sep 2012 08:27:34 +0000
Message-ID: <BLU002-W187C78A36CF239506DB203BAA980@phx.gbl>
To: "whatwg@lists.whatwg.org" <whatwg@lists.whatwg.org>
A proposal has been submitted to create a W3C community group to
engineer solutions to reduce covert sharing of user agent state.  One
more sponsor is currently needed to get this group started, so if this
issue is of interest to you then please see:
http://www.w3.org/community/groups/proposed/#pua

The goals of the group are largely technical and the motivation is
actually outside the scope of the work but some reasons to be
interested in this work are to reduce the fingerprint surface and to
draw a line between the open web and the privacy of our personal
computer.

Currently JS can access a lot of information that identifies our
online presence and can leak this out through a range of back
channels, and there are other sources of leaks.  This information
is being used to track our online presence and solutions such as
DNT are only effective if respected.  This information could also
include a snapshot of your web page complete with the effects of
any local customizations or extensions - your webpage is hardly private.
With the web becoming a platform to deliver applications this leaky
design becomes an even greater threat to our privacy.  Further, new
web standards are being built on this leaky standard and have no
motivation for considering the covert sharing of UA state and are
just adding to it.  The technology to preserve our privacy is even
being patented which could have ridiculous effects.

The burden on sponsors should be relatively low as the matters are
largely engineering and much of the work is expected to take place in
a public mailing list.

Developing the designs in public under the W3C Patent Policy may help
protect against patents on such technology and help bring better
awareness of the issues and solutions to other groups.  Help
sponsoring this group would be appreciated.

The new group will not be addressing privacy policy matters or
mechanisms for users to declare tracking or privacy preferences to
servers or content providers.

The group will focus on engineering solutions to reduce the covert
sharing of the UA state and it is expected that proposals will be
largely testable against their effectiveness at achieving this while
preserving functionality and convenience for users.

It would appear that these goals cannot be achieved without some
restrictions which will inevitably cause some loss of functionality.
The development of designs and extensions to mitigate such loss is
proposed to be within the scope of the group.

Some examples of the approach I advocate as a starting point may help
you decide if you wish to be involved:

* JavaScript has access to a wide range of information about the UA
and has access to communication channels to leak this information.
Limiting access to such information and/or limiting the back channels
will be explored.  For example, development could proceed by barring
JS from access to any back channels.  This would result in a lot of
loss of functionality, but from this starting point we could develop
designs and extensions to mitigate some of the loss of functionality.
For example, exploring if any access can be reopened on account of
users having explicit knowledge of the transmission of the
information.  An example extension might be a declared schedule of
resources to load that could replace JS that is currently used to load
images for slideshows or used to load resources for animated or
revolving advertising.

Such a restricted user agent could still support general browsing and
content consumption, online shopping and payment, online banking,
blogs, and a range of JS powered web apps.  It would certainly be more
functional than a UA with JS disabled.  Web apps that depend on JS
pulling in resources, such as AJAX designs, would not be supported
with such restrictions, however the group could explore extensions to
replace common patterns of lost functionality.

* CSS media queries can expose private UA information by selectively
loading resources. This could be solved by loading all resources
before media queries are applied and developing alternatives to media
queries.  For example, dependence on a media query for the selection
of high contrast or black and white images might be reduced by a CSS
extension to declare image color and contrast transforms that would
suit such devices.


There are obviously lots of other areas to address and scrutinize for
leaks, but this should give some idea of the general approach.  If
you can help in some manner your participation would be welcomed.

cheers
Fred
Received on Saturday, 22 September 2012 08:28:01 UTC
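The two bullets in the message above describe the leak abstractly. What follows is an added example, written for this page and not code from the original post or from the proposed group, that models both bullets: a stylesheet whose @media rules each reference a distinct resource, so the set of URLs a UA requests reveals which queries matched without any script running, and beside it the direct form where script reads the same state and sends it over a back channel. It also models the mitigation the message proposes for media queries (fetch every referenced resource before evaluating the queries) and shows the server's inference collapsing to "unknown". Everything in it is assumed for illustration: the tracker.example endpoint, the #probe-N element ids, the constructed UA state values, and the match predicates that stand in for the UA's own media-query evaluation. It runs under Node with no browser and no network.

```javascript
// Added example (not from the original post). Models how a stylesheet leaks
// UA state through selectively loaded resources, how script leaks the same
// state directly, and why "fetch everything before evaluating media queries"
// blunts the stylesheet variant. All names and values are constructed.

// One probe per candidate value. `match` mirrors how a UA would evaluate the
// query against its own state; it exists only so the example runs offline.
const PROBES = [
  { dim: 'width', value: 'narrow', mq: '(max-width: 599px)',
    match: ua => ua.width <= 599 },
  { dim: 'width', value: 'medium', mq: '(min-width: 600px) and (max-width: 1199px)',
    match: ua => ua.width >= 600 && ua.width <= 1199 },
  { dim: 'width', value: 'wide', mq: '(min-width: 1200px)',
    match: ua => ua.width >= 1200 },
  { dim: 'dpr', value: 'hidpi', mq: '(min-resolution: 2dppx)',
    match: ua => ua.dpr >= 2 },
  { dim: 'dpr', value: 'lodpi', mq: '(max-resolution: 1.9dppx)',
    match: ua => ua.dpr <= 1.9 },
  { dim: 'color', value: 'mono', mq: '(monochrome)',
    match: ua => ua.monochrome },
  { dim: 'color', value: 'color', mq: '(color)',
    match: ua => !ua.monochrome },
];

// Hypothetical collector endpoint, assumed for the example.
const BEACON = 'https://tracker.example/probe';

// Beacon URL for one probe; the query string carries what a hit reveals.
function beaconUrl(probe) {
  return `${BEACON}?dim=${probe.dim}&v=${probe.value}`;
}

// Server side: emit the probing stylesheet. Each rule targets its own hidden
// element (#probe-N, assumed to exist in the page) so that every matching
// query triggers its own fetch; one shared selector would let later rules
// override earlier ones and suppress requests.
function buildProbeStylesheet() {
  return PROBES.map((p, i) =>
    `@media ${p.mq} { #probe-${i} { background-image: url("${beaconUrl(p)}"); } }`
  ).join('\n');
}

// A UA that evaluates media queries first and fetches only what applies:
// the set of requested URLs is a function of its private state.
function requestsFromSelectiveUA(ua) {
  return PROBES.filter(p => p.match(ua)).map(beaconUrl);
}

// A UA implementing the proposed mitigation: fetch every resource the
// stylesheet could reference before deciding which rules apply.
function requestsFromEagerUA() {
  return PROBES.map(beaconUrl);
}

// With script allowed, no probing is needed: JS reads the state directly
// (here from a constructed object standing in for window/screen) and encodes
// it into a single beacon request, e.g. via new Image().src in a browser.
function requestFromScript(ua) {
  const q = new URLSearchParams({ width: ua.width, dpr: ua.dpr, mono: ua.monochrome });
  return `${BEACON}?${q}`;
}

// Server side: infer UA state from beacon hits. A dimension is learned only
// when exactly one of its candidate values was requested; the eager UA
// requests all of them and so reveals nothing per dimension.
function inferState(requestedUrls) {
  const seen = {};
  for (const u of requestedUrls) {
    const params = new URL(u).searchParams;
    const dim = params.get('dim');
    (seen[dim] = seen[dim] || new Set()).add(params.get('v'));
  }
  const state = {};
  for (const dim of new Set(PROBES.map(p => p.dim))) {
    const vals = seen[dim] || new Set();
    state[dim] = vals.size === 1 ? [...vals][0] : 'unknown';
  }
  return state;
}

// Constructed UA state for the demonstration.
const phone = { width: 360, dpr: 2, monochrome: false };
console.log(buildProbeStylesheet());
console.log(inferState(requestsFromSelectiveUA(phone))); // { width: 'narrow', dpr: 'hidpi', color: 'color' }
console.log(inferState(requestsFromEagerUA()));          // { width: 'unknown', dpr: 'unknown', color: 'unknown' }
console.log(requestFromScript(phone));                   // https://tracker.example/probe?width=360&dpr=2&mono=false
```

The eager strategy only hides which rule matched; the server still learns that the stylesheet was fetched at all, and a page can still combine several stylesheets or nested imports to recover ordering or timing, which is the kind of residual channel the proposed group would have to scrutinize separately.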