- From: Wendy Seltzer <wseltzer@w3.org>
- Date: Tue, 11 Sep 2012 17:54:52 -0400
- To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
On an earlier PING call [0], we discussed fingerprinting and linkability issues and the possibility of a uniform "anonymous-mode" profile. Seeing potential fingerprinting issues in the Navigation Timing draft [1], I sent a comment to the Web Performance group, below. Is this the sort of review that PING might take up (preferably at an earlier stage of the process than this one, already at Proposed Recommendation)?

--Wendy

[0] http://www.w3.org/2012/06/14-privacy-minutes.html
[1] http://www.w3.org/TR/navigation-timing/

-------- Original Message --------
Subject: [NavigationTiming] Privacy and fingerprintability
Date: Tue, 11 Sep 2012 17:38:01 -0400
From: Wendy Seltzer <wseltzer@w3.org>
Organization: W3C
To: public-web-perf@w3.org

I know it's late in the process, but I wanted to add a privacy concern to the mix:

Navigation timing can add to the fingerprintability of browsers. Even limited to same-origin, that origin's profiling of browser latency could link multiple browsing sessions in unexpected ways, hindering users' ability to browse anonymously. [0] (This is of particular concern to the Tor Project [1], which aims to provide strong anonymity through the Tor Browser Bundle [2] -- a uniformly pre-configured browser and onion-routed anonymized network connections.)

Noting that several of the Web Performance specs have fingerprinting implications, I wonder whether the group might consider the linking attack, distinct from private information disclosure. For example, if someone doesn't want a website to be able to correlate comments with a login ID, he might log out, clear cookies, and write under a pseudonym, but still be identifiable based on his browser timing connecting his would-be-anonymous activity to previous sessions.

As a general response, then, should there be a way to disable response to timing information requests?

More broadly, might we consider a standard profile for anonymous browsing (incognito mode, private browsing) that disables uniquely identifying features (despite the possible performance hit) to provide a larger anonymity set?

Thanks,
--Wendy

[0] See https://panopticlick.eff.org/ and https://panopticlick.eff.org/browser-uniqueness.pdf
[1] https://www.torproject.org/
[2] https://www.torproject.org/projects/torbrowser.html.en and https://www.torproject.org/torbutton/en/design/

--
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
http://wendy.seltzer.org/ +1.617.863.0613 (mobile)
Received on Tuesday, 11 September 2012 21:54:54 UTC
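As an added illustration (not code from the e-mail above or from the W3C specs it cites): the latency features an origin can derive from Navigation-Timing-style milestones, and how coarsening the resolution at which they are reported enlarges the anonymity set the message asks about. Field names follow PerformanceTiming; the session records are constructed sample values, and the helper names are this example's own.

```javascript
// Added example, not part of the original e-mail or of the Navigation Timing
// spec. Milestone field names follow PerformanceTiming; all timing values are
// constructed samples in milliseconds.

// Durations an origin can compute from the milestones of one page load.
function latencyFeatures(t) {
  return {
    dns: t.domainLookupEnd - t.domainLookupStart,
    connect: t.connectEnd - t.connectStart,
    ttfb: t.responseStart - t.requestStart,
  };
}

// Mitigation: expose each duration only to a bucket of `granularityMs`, so
// jitter smaller than the bucket no longer separates visitors.
function coarsen(features, granularityMs) {
  const out = {};
  for (const [name, ms] of Object.entries(features)) {
    out[name] = Math.floor(ms / granularityMs) * granularityMs;
  }
  return out;
}

// The profile an origin would see for a session at a given resolution.
function profileKey(t, granularityMs) {
  const f = coarsen(latencyFeatures(t), granularityMs);
  return `${f.dns}/${f.connect}/${f.ttfb}`;
}

// Anonymity set size: how many recorded sessions share `target`'s profile.
function anonymitySetSize(sessions, target, granularityMs) {
  const key = profileKey(target, granularityMs);
  return sessions.filter((s) => profileKey(s, granularityMs) === key).length;
}

// Constructed milestone record: DNS lookup, TCP connect and time to first
// byte of the response, laid out sequentially from t = 0.
function record(dns, connect, ttfb) {
  return { domainLookupStart: 0, domainLookupEnd: dns,
           connectStart: dns, connectEnd: dns + connect,
           requestStart: dns + connect, responseStart: dns + connect + ttfb };
}

// Constructed population: several visits over similar fast links, plus two
// over a much slower one.
const SESSIONS = [
  record(23, 71, 134), record(21, 73, 139), record(19, 68, 141),
  record(44, 95, 160), record(47, 90, 171),
  record(180, 490, 910), record(176, 505, 890),
];
```

At 1 ms resolution every session in the constructed population is unique, at 10 ms the first session shares its profile with one other, and at 100 ms with four others; the slow-link sessions remain separable, which is why the message frames coarsening as enlarging the anonymity set rather than eliminating the linkage.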