Re: DRAFT TAG feedback for fingerprinting

On 22 May 2015 at 06:41, Mark Nottingham <mnot@mnot.net> wrote:

> … based on our discussion this week is here:
>
> https://github.com/w3ctag/spec-reviews/blob/master/2015/05/fingerprint.md
>
> Feedback / issues / pulls appreciated. Nick, CC:ing FYI, but realise that
> this isn't final yet.
>

"using the technology [is] against the interests of its users"

This makes a lot of sense, but I was wondering, is this always the case?

As an author of client side apps, one thing I constantly find challenging
is customizing a UI to a user in a personalized way.  This is useful
both for the app and for the users.  For example, from a URI for a user, I
can pull in their name, their avatar, their friends list, where their
personal storage is, recent conversations, and a bunch of other nice things
that can show up in the user interface.

Generally when using an app for the first time, the user will have to type
a URI into a form, which identifies themselves, in order to get this
personalized user experience.  This is a UX that will lose you the vast
majority of your potential user base.

In an ideal world, browsers would be under the complete control of the
user, and the user could allow certain websites or apps to know who they
were.  A slightly easier way to do this is to use localStorage, but this
suffers from cross origin constraints.  Another way is to use the identity
system built in to X.509 client side certificates, which is not cross
origin, but this has traditionally had usability issues.

What I've been thinking about lately is allowing a user to persist data
about who they are, globally, via fingerprinting.  Then they get a uniform
user experience across the web in exchange for a slight loss of privacy,
which hopefully will be responsibly managed.

I'd love to know if there are any other kinds of solutions for persisting
cross origin data about a user (perhaps the upcoming credentials API?).
But if not, I was wondering if maybe fingerprinting could perhaps have some
uses for good, e.g. as indirect identifiers, and as a workaround to
restrictive same origin policies?


>
> Cheers,
>
>
> --
> Mark Nottingham   https://www.mnot.net/
>
>

Received on Saturday, 23 May 2015 15:17:12 UTC