- From: Nick Doty <npdoty@ischool.berkeley.edu>
- Date: Thu, 29 Oct 2015 18:55:19 +0900
- To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Cc: Steven Englehardt <ste@cs.princeton.edu>
- Message-Id: <40D56AE6-8FBE-4C0A-BD2C-FA8973F99132@ischool.berkeley.edu>
With Steve's permission, sharing these comments/suggestions for the Fingerprinting Guidance document. I believe this academic work supports the notion that designing APIs to facilitate detection of fingerprinting can make a large difference. I've started an issues list with these and some other comments received on Github: https://github.com/w3c/fingerprinting-guidance/issues <https://github.com/w3c/fingerprinting-guidance/issues> Feedback is still welcome on this mailing list; I'm just using Github as a working mechanism to keep track. You can also comment or raise issues directly on Github if you prefer. Pull requests welcome! Cheers, Nick > Begin forwarded message: > > From: Steven Englehardt <ste@CS.Princeton.EDU> > Date: September 10, 2015 > Subject: Fingerprinting Guidance Spec > > Hello Nick, > > Great work on the fingerprinting guidance spec, I believe it will help reduce the fingerprinting surface of future APIs. There are two additional papers that I think are helpful to reference. > > The first paper is The Web Never Forgets: Persistant Tracking Mechanisms in the Wild <https://securehomes.esat.kuleuven.be/~gacar/persistent/>, a paper I co-authored. In it, we show how prevalent canvas fingerprinting, cookie respawning, and cookie syncing are on the web and evaluate the implications of the use of three three vectors in combination with each other. > > It is helpful as an example of detectability by academics, which you address several times in the spec. In general, it's a solid example of large scale measurement of two fingerprinting vectors, and of the impact a measurement study can have on the use of these APIs for fingerprinting. The two largest canvas fingerprinters stopped after we released our paper. Addressing issue #2 in Section 5.3, it's an example of how the design of the canvas API allowed us to detect the use of canvas for fingerprinting very accurately. > > The second is The Leaking Battery: A privacy analysis of the HTML5 Battery Status API <https://eprint.iacr.org/2015/616.pdf>. This paper shows how the design of the Battery Status API on Linux enabled fingerprintability. It highlights the importance of consistency across user agents (Section 5.2 Issue #1). It also shows that API designers should take care to expose the minimum amount of precision necessary for operation of a feature, a point that I think can be strengthened in the report. > > Thanks for your work on this! > > -Steve
Received on Thursday, 29 October 2015 09:56:02 UTC