Re: DRAFT TAG feedback for fingerprinting from Mark Nottingham on 2015-05-23 (www-tag@w3.org from May 2015)

From: Mark Nottingham <mnot@mnot.net>
Date: Sat, 23 May 2015 14:45:11 +1000
To: "L. David Baron" <dbaron@dbaron.org>
Cc: Public TAG List <www-tag@w3.org>, Nick Doty <npdoty@w3.org>
Message-Id: <538BCF07-CE49-46AA-9BF5-DE7BB9A366B6@mnot.net>

> On 23 May 2015, at 2:16 pm, L. David Baron <dbaron@dbaron.org> wrote:
> 
> On Friday 2015-05-22 14:41 +1000, Mark Nottingham wrote:
>> … based on our discussion this week is here:
>>  https://github.com/w3ctag/spec-reviews/blob/master/2015/05/fingerprint.md
>> 
>> Feedback / issues / pulls appreciated. Nick, CC:ing FYI, but realise that this isn't final yet.
> 
> I'd like to see the opening make a stronger argument than falling
> back on "reasonably strong consensus in the industry".  Perhaps,
> though, that's feedback as to what the fingerprinting guidance
> document could say rather than what the TAG feedback on it could
> say.

Yep. I think we actually have a fair amount to work to do there; am going to start writing up a proposal for a Finding.


> It's a little unclear to me exactly *what* is believed to be a lost
> cause.  For example, is it:
> 
> * fingerprinting in today's browsers for a typical user, or
>   fingerprinting of a browser designed to mitigate fingerprinting
>   (and, say, over TOR) and attempting to keep up with mitigating
>   current fingerprinting techniques?  (Or fingerprinting in 2010's
>   browsers, which is different given that a number of the sources
>   of entropy in https://wiki.mozilla.org/Fingerprinting#Data have
>   been significantly reduced since then.)
> 
> * putting users in small-ish buckets (e.g., laptop model + OS
>   version + browser version) or identifying users down to the
>   individual?
> 
> If there are reasonably current data to cite that make the argument
> that fingerprinting is a lost cause, I think that would be far
> better than citing consensus.
> 
> Citing data also allows people who are interested in working on the
> problem to compare their possible solutions to sources of entropy to
> the magnitude of the problem.  (Some of the data I've seen seemed
> somewhat unconvincing because I thought a significant portion of the
> entropy could be avoided.)

All very good points. I don't want to rely on consensus in the Finding - just trying to reflect the TAG position for purposes of feedback.

Cheers,


--
Mark Nottingham   https://www.mnot.net/

Received on Saturday, 23 May 2015 04:45:42 UTC