- From: Ilya Grigorik <ilya@grigorik.com>
- Date: Wed, 18 Apr 2018 09:18:08 -0700
- To: Nick Doty <npdoty@ischool.berkeley.edu>
- Cc: Alex Russell <slightlyoff@google.com>, Eric Rescorla <ekr@rtfm.com>, TAG List <www-tag@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Message-ID: <CAKRe7JHgd4kBpuoN3cNcQVJJn3zzWPaV47QDR=vXvgHFEyEe-A@mail.gmail.com>
Hey folks. Think most of you are already aware of this, but just fyi..
- Current draft requires explicit opt-in from each origin (via
Accept-CH), and the opt-in is scoped to 1P only.
- For 3P, we determined that we want 1P to delegate permission: the
proposal is to tackle that via Feature Policy.
- Discussion in https://github.com/WICG/feature-policy/issues/129
Nick, re device capability hints are defined in:
- https://w3c.github.io/device-memory/
- https://wicg.github.io/netinfo/
On Tue, Apr 17, 2018 at 6:42 PM, Nick Doty <npdoty@ischool.berkeley.edu>
wrote:
> On Apr 13, 2018, at 5:17 PM, Alex Russell <slightlyoff@google.com> wrote:
>
> On Fri, Apr 13, 2018 at 1:02 PM, Nick Doty <npdoty@ischool.berkeley.edu>
> wrote:
>
>> On Apr 13, 2018, at 9:07 AM, Alex Russell <slightlyoff@google.com> wrote:
>> >
>> > Hi Nick, Eric:
>> >
>> > Thanks for the thoughtful comments.
>> >
>> > The analysis about opt-in free CH comes from turning the question
>> around slightly: if any origin can opt-in for subsequent top-level
>> navigations, and browsers wish not to provide that information to those
>> origins (selectively, or as a policy), isn't the recourse identical to the
>> recourse in the non-opt-in scenario?
>> >
>> > I.e., browsers will need to filter the list (perhaps to zero) to
>> maintain whatever privacy invariants they wish to maintain. To be
>> effective, this would also need to be paired with removing/modifying the
>> runtime behavior of web content (turning off media query support, blocking
>> various DOM APIs, disabling scripting, etc.).
>>
>> As a reminder, this doesn't apply just to top-level navigations, but also
>> to embedded content, which might be loading of an image that doesn't have
>> access to DOM APIs, JavaScript, or CSS.
>
>
> Understood, and this gets to a part of the design I'm somewhat uneasy
> about: it seems more risky for CH to be sent for x-origin sub-resources
> than for top-level navigations. I'd even support the opt-in being required
> to trigger CH header sending for sub-resources, whereas the argument for
> setting it on the top-level resource feels flimsy.
>
>
> There is an additional risk in sending Client Hints for cross-origin
> resources and for resources that don't have active content, because there
> may be cases where entirely new browser fingerprinting capability is
> introduced.
>
> However, even in the case of top-level resources (HTML, with JavaScript)
> making browser fingerprinting passive where it was previously active is a
> significant change, one that undermines existing mitigations. I'm not sure
> why that strikes you as flimsy.
>
> > Similarly, if browsers want to know what's being exfiltrated, they can
>> simply not support CH (always send a null list). If visibility of
>> script/active measures is the goal, this seems like the only way to achieve
>> it.
>> >
>> > The opt-in-CH-is-good position seems untenable as a result.
>>
>> I think this is the distinction between limiting fingerprinting surface
>> and making fingerprinting detectable.
>>
>> I agree that browsers that wish not to expose this fingerprinting surface
>> or to limit disclosure of this information to sites will not send the
>> client hint in any case, whether there's an opt-in request from the server
>> or not. But we're also especially interested in the ability for a client, a
>> researcher or some other observer to detect when a site might be gathering
>> information for the purpose of fingerprinting. If sites need to indicate
>> that they want this data, that provides a way for others to measure the
>> potential use of this data for fingerprinting users.
>>
>
> Perhaps we should get crisp about the threat model: are we primarily
> concerned with the behavior (and potential fingerprinting) by sites
> themselves? Or by embedded third-parties?
>
>
> Browser fingerprinting used for unsanctioned tracking is a privacy concern
> both with top-level navigation sites and with embedded third parties.
>
> If the answer is "both", then we're sort of stuck; the need for active
> fingerprinting measures falls as the % of users are sending CH headers
> rises. That said, we have lots of experience with old/dead code from
> transition periods living *well* past it's expiration date (this has been
> a sizable part of my week!).
>
>
> I'm not sure what you mean by being stuck. Is there a concern that default
> CH headers are or will be sent in such numbers that changes can't be made?
> (That's not my understanding of current implementations.)
>
> If the answer is third parties, keeping the opt-in behavior for enabling
> this for x-origin requests (and perhaps iframes) satisfies the need.
>
> If the answer is first-parties, then do we have any faith that researchers
> will be able to understand this behavior at scale?
>
>
> Do you have some specific reason for skepticism about researchers? We have
> extensive research from multiple groups on detecting and measuring browser
> fingerprinting up to this point. Here's ten research papers and several
> browser vendor pages, although this list isn't exhaustive: https://w3c.
> github.io/fingerprinting-guidance/#research
>
> That's partly how we know about this practice at all, and how we've been
> able to evaluate both the capability of new APIs to be used for
> fingerprinting and the existence/prevalence of those practices. In order to
> use the alternative means that the TAG has suggested for discouraging
> unsanctioned tracking, I believe we need to rely on the ability of
> researchers (whether academics, data protection authorities, private
> companies or others) to understand this behavior.
>
> In some cases, as ekr is suggesting with the elsewhere-proposed
>> geolocation hint, that might be done by a single client who evaluates
>> whether it makes sense to share that data in that case. But even outside
>> the capabilities of a single client, the data on larger-scale use is only
>> available if servers have to provide some visible indication that they want
>> that data. Researchers can analyze after-the-fact whether those requests
>> are reasonable for content-negotiation or not; policymakers and enforcement
>> agencies can use that data to support cases, etc.
>>
>
> The balance of appropriateness is going to have a very interesting lens.
> Not providing information like DPR, network type, memory/cpu class, and
> other runtime factors dooms the users on the poorest connections to the
> worst overhead for getting to good experiences. That's deeply unfair.
>
>
> I'm not convinced that providing detailed information on user devices will
> always or typically benefit more vulnerable users. Privacy is often
> especially important to more vulnerable users either because they encounter
> particularly dangerous threats or because they're more likely to face
> discrimination or suffer consequences from a lack of privacy. (Might not
> sites sniff these headers and provide "not supported" pages to devices that
> don't have sufficiently advanced hardware or to users that aren't good
> advertising targets?) If there's a documented analysis on appropriateness
> or fairness of this work, I'd certainly appreciate a link to it. I know
> that the Human Rights Protocol Consideration group at the IRTF has some
> guidance for broader reviews that they're applying to IETF drafts.
>
> The draft in question does not explicitly include information on network
> type, device memory or CPU information -- are you referring to some other
> specification or capability?
>
> Other properties like, as you mention, geolocation, might not fit into
> such a neat bucket. I'd personally welcome proposals that tried to tease
> these apart, for 2 reasons:
>
> 1. If a default-provided CH list were small, it might allay concerns
> about header bloat and growth
> 2. If we're specifically concerned about some set of hints as being
> more sensitive than others, then this would provide an avenue to preserving
> opt-in for them.
>
> Don't know if that's ideal, but I think a direction worth exploring.
>
> Thoughts?
>
>
> Rather than splitting up headers into sensitive and
> maybe-not-so-sensitive, why not follow the principle of data minimization
> and let sites ask for the information that they need? That would both
> discourage bloat and maintain detectability of device fingerprinting.
> Alternatively, what is the case against preserving opt-in for all Client
> Hints? Is it that some developers may find it confusing to send "Accept-CH"
> as a response header?
>
> Thanks,
> Nick
>
Received on Thursday, 19 April 2018 16:16:23 UTC