RE: TPAC breakout session - Is user agent Fingerprinting a lost cause?

I feel this is a great topic to discuss in light of the DNT and EU cookie consent work happening. Both will limit the ability to use cookies to re-identify a returning user/computer to a website. If cookies are not viable it may push websites to use fingerprinting. I'm hoping this discussion will provide ideas for two big problems:

1. How to minimize the ability for browsers to be fingerprinted.
2. Providing a privacy-friendly way for users to build a relationship with trusted websites.

JC

-----Original Message-----

> From: Christine Runnegar [mailto:runnegar@isoc.org] 
> Sent: Sunday, October 21, 2012 7:09 AM
> To: public-privacy@w3.org mailing list
> Cc: Hill, Brad
> Subject: TPAC breakout session - Is user agent Fingerprinting a lost cause?
> 
> As mentioned on our call on 18 October 2012, Brad Hill has kindly proposed a session entitled "Is user agent Fingerprinting a lost cause?".
> 
> The session description from the TPAC wiki is set out below.
> 
> http://www.w3.org/wiki/TPAC2012/SessionIdeas#Is_user_agent_Fingerprinting_a_lost_cause.3F
> 
> ------
> 
> As more features and functionality are added to the Web browser, the more risks we create in terms of privacy and security. As user agent complexity increases, and as they expose more "native" variation in the underlying platform, so does their ability to be uniquely identified (and users tracked) through capability analysis.
> 
> The EFF's Panopticlick project already tracks ~60 bits of identifying information available in the typical user agent and certainly a more determined effort could find more, in addition to information available through lower-layer technologies like TCP or side-channels like JavaScript performance profiling.
> 
> What responsibility do W3C WG's have to make their technologies passive-privacy friendly, and how is that to be balanced with discoverability and usability?
> 
> Topics:
> 
> - Is preventing fingerprinting a lost cause in the general purpose web user agent?
> - Where is the bar on trackability? Life-critical anonymity for political dissidents is different in what we can and must promise vs. "casual" anonymity for e.g. advertising
> - Lessons from Do Not Track on technical vs. policy-driven approaches
> - Lessons from anonymous / incognito browser modes
> - Should specs provide standard defaults for anonymous / incognito / Tor browser modes?

Received on Wednesday, 24 October 2012 15:31:21 UTC
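The session description quantifies fingerprintability as "bits of identifying information", the measure Panopticlick reports. The block below is an added example, not code from this thread or from the EFF project, showing how that measure and the size of a user's anonymity set are computed over a constructed, hypothetical population of user agents, and how dropping one exposed attribute (here the font list) changes how many agents remain unique.

```python
"""Panopticlick-style estimate of how identifying user-agent attributes are.
Added example: the population below is constructed and hypothetical,
not survey data from Panopticlick or anyone else."""
from collections import Counter
import math

# Each entry is one user agent's observed values (constructed sample).
POPULATION = [
    {"ua": "FF16", "tz": "UTC+1", "fonts": "set-A"},
    {"ua": "FF16", "tz": "UTC+1", "fonts": "set-A"},
    {"ua": "FF16", "tz": "UTC+1", "fonts": "set-B"},
    {"ua": "FF16", "tz": "UTC-5", "fonts": "set-A"},
    {"ua": "Chr22", "tz": "UTC-5", "fonts": "set-A"},
    {"ua": "Chr22", "tz": "UTC-5", "fonts": "set-A"},
    {"ua": "Chr22", "tz": "UTC+1", "fonts": "set-C"},
    {"ua": "Saf6", "tz": "UTC+9", "fonts": "set-A"},
]

def fingerprint(agent, attrs):
    """The combined fingerprint: the tuple of the chosen attribute values."""
    return tuple(agent[a] for a in attrs)

def surprisal_bits(population, attr, value):
    """-log2 P(value): bits of identifying information one observed value carries.
    A value seen in 1 of N agents yields log2(N) bits, the most possible."""
    share = sum(1 for p in population if p[attr] == value) / len(population)
    return -math.log2(share)

def entropy_bits(population, attrs):
    """Shannon entropy of the joint fingerprint over attrs; at most log2(N)."""
    counts = Counter(fingerprint(p, attrs) for p in population)
    n = len(population)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def anonymity_set(population, agent, attrs):
    """How many agents share this agent's fingerprint (1 = uniquely identifiable)."""
    fp = fingerprint(agent, attrs)
    return sum(1 for p in population if fingerprint(p, attrs) == fp)

def uniqueness(population, attrs):
    """Fraction of the population uniquely identified by attrs.
    Comparing attribute sets shows what removing one exposed surface buys."""
    singles = sum(1 for p in population if anonymity_set(population, p, attrs) == 1)
    return singles / len(population)

if __name__ == "__main__":
    for attrs in (("ua", "tz", "fonts"), ("ua", "tz")):
        print(attrs, f"{entropy_bits(POPULATION, attrs):.2f} bits,",
              f"{uniqueness(POPULATION, attrs):.0%} unique")
```

With all three attributes half of the sample population is unique; without the font list only three of eight agents are, which is the kind of trade-off the first topic on the agenda asks working groups to weigh.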