Wordsmithing for 2025 #69
base: gh-pages
Conversation
- Strengthening wording to describe fingerprinting as a threat
- Mentioning VPNs as a common privacy tool that does not help
- Stripping mentions of plugins.
- Mention advances in CSS-based fingerprinting
- Mention the differences between client-side fingerprint calculation and server-side
- Mention User Gesture
- Various other small wordsmiths
Good updates and improvements, thanks!
2 nits and a note:
Permanent identifiers or other state (for example, identifiers or keys set in hardware) should typically not be exposed. Where necessary, access to such identifiers would require user permission (however, explaining the implications of such permission to users may be difficult) and limitation to a particular origin (however, server-side collusion between origins will be difficult to detect). | ||
As a result, your design should not rely on saving and later querying data on the client beyond a user's clearing cookies or other local state. That is, you should not expect any local state information to be permanent or to persist longer than other local state. | ||
Permanent identifiers or other state (for example, identifiers or keys set in hardware) should typically not be used. Where necessary, access to such identifiers would require user permission and limitation to a particular origin. However even heavy-weight mitigations are imperfect: explaining the implications of such permission to users may be difficult and server-side collusion between origins is typically impossible to detect. | ||
As a result, your design should not rely on saving and later querying data on the client and expecting it to persist beyond a user clearing cookies or other local state. That is, you should not expect any local state information to be permanent or to persist longer than other local state. |
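Review bot: in the new first paragraph, "However even heavy-weight mitigations are imperfect" needs a comma after "However", and the closing clause upgrades the previous "will be difficult to detect" to "is typically impossible to detect"; unless the document supports that stronger claim elsewhere, keeping "difficult to detect" (or "not detectable from the client") is safer. The change from "should typically not be exposed" to "should typically not be used" also shifts the subject from what a specification exposes to what a site uses; if this is still guidance to specification authors, "exposed" is the more precise verb.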
No particular change needed in this PR, but we do have features that encourage some local state to persist longer than other state. Passwords in the password manager, especially, but also https://storage.spec.whatwg.org/#dom-storagemanager-persist and https://github.com/WICG/storage-buckets/blob/main/explainer.md help websites give different lifetimes to different state, and I think that's all consistent with privacy.
Co-authored-by: Jeffrey Yasskin <jyasskin@gmail.com>
@@ -257,8 +263,9 @@ <h3 id="passive">Passive</h3> | |||
</section> | |||
<section> | |||
<h3 id="active">Active</h3> | |||
<p>For <dfn>active fingerprinting</dfn>, we also consider techniques where a site runs JavaScript or other code on the local client to observe additional characteristics about the browser, user, device or other context.</p> | |||
<p>Techniques for active fingerprinting might include accessing the window size, enumerating fonts or plug-ins, evaluating performance characteristics, reading from device sensors, and rendering graphical patterns. Key to this distinction is that <a>active fingerprinting</a> takes place in a way that is potentially detectable on the client.</p> | |||
<p>For <dfn>active fingerprinting</dfn>, we also consider techniques where a site runs JavaScript or other code on the local client to observe additional characteristics about the browser, user, device or other context. In recent years numerous techniques have ab(used) CSS features to perform fingerprinting on par with JavaScript.</p> |
<p>For <dfn>active fingerprinting</dfn>, we also consider techniques where a site runs JavaScript or other code on the local client to observe additional characteristics about the browser, user, device or other context. In recent years numerous techniques have ab(used) CSS features to perform fingerprinting on par with JavaScript.</p> | |
<p>For <dfn>active fingerprinting</dfn>, we also consider techniques where a site runs JavaScript or other code on the local client to observe additional characteristics about the browser, user, device or other context. In recent years numerous techniques have (ab)used CSS features to perform fingerprinting on par with JavaScript.</p> |
<p>Techniques for active fingerprinting might include accessing the window size, enumerating fonts or plug-ins, evaluating performance characteristics, reading from device sensors, and rendering graphical patterns. Key to this distinction is that <a>active fingerprinting</a> takes place in a way that is potentially detectable on the client.</p> | ||
<p>For <dfn>active fingerprinting</dfn>, we also consider techniques where a site runs JavaScript or other code on the local client to observe additional characteristics about the browser, user, device or other context. In recent years numerous techniques have ab(used) CSS features to perform fingerprinting on par with JavaScript.</p> | ||
<p>Techniques for active fingerprinting might include accessing the window size, enumerating fonts or connected devices, evaluating performance characteristics, reading from device sensors, and rendering graphical patterns. Key to this distinction is that <a>active fingerprinting</a> takes place in a way that is potentially detectable on the client.</p> | ||
<p>Note that in some types of active fingerprinting, characteristics are combined on the client to produce a fingerprint. In most cases; however, the characteristics are sent en masse to a server, which can combine them in unobservable ways. The latter mechanism may be detectable, but the efficacy of fingerprinting mitigation techniques is much harder to measure in this scenario. |
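Review bot: the new "Note that in some types of active fingerprinting" paragraph is missing its closing `</p>` tag, unlike the paragraphs around it; add it after "in this scenario." The same paragraph says the server "can combine them in unobservable ways" and then that "the latter mechanism may be detectable", which reads as contradictory; saying that the transmission of the characteristics to the server may be observable on the client while their combination is not would line up with the "Key to this distinction" sentence just above.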
<p>Note that in some types of active fingerprinting, characteristics are combined on the client to produce a fingerprint. In most cases; however, the characteristics are sent en masse to a server, which can combine them in unobservable ways. The latter mechanism may be detectable, but the efficacy of fingerprinting mitigation techniques is much harder to measure in this scenario. | |
<p>Note that in some types of active fingerprinting, characteristics are combined on the client to produce a fingerprint. In most cases however, the characteristics are sent en masse to a server, which can combine them in unobservable ways. The latter mechanism may be detectable, but the efficacy of fingerprinting mitigation techniques is much harder to measure in this scenario. |
@@ -319,23 +326,23 @@ <h2 id="identifying">Identifying fingerprinting surface and evaluating severity< | |||
<p id="severity-list">For each identified feature, consider the severity for the privacy impacts described above (<a href="#privacy_threat_models"></a>) based on the following factors:</p> | |||
|
|||
<dl> | |||
<dt>entropy</dt><dd>How distinguishing is this new surface? Consider both the possible variations and the likely distribution of values. Adding 1-bit of entropy is typically of less concern; 30-some bits of entropy would be enough to uniquely identify every individual person. Different data sources may provide different distributions of variation; for example, some characteristics may reveal a common hardware class while other characteristics may reveal user configurations that vary between individual people.</dd> | |||
<dt>entropy</dt><dd>How distinguishing is this new surface? Consider both the possible variations and the likely distribution of values. Adding 1-bit of entropy is typically of less concern; 30-some bits of entropy would be enough to uniquely identify every individual person. Different data sources may provide different distributions of variation; for example, even 1 bit of entropy can uniquely identify a user if they are the only one for whom it is true.</dd> |
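Review bot: the replacement example in the entropy definition, "even 1 bit of entropy can uniquely identify a user if they are the only one for whom it is true", conflates a one-bit attribute with one bit of entropy: a binary characteristic that is true for a single user carries far less than 1 bit of entropy in expectation, even though it does single out that user. Rephrasing to "even a single binary characteristic can uniquely identify a user if they are the only one for whom it is true" keeps the point. Consider also retaining the dropped hardware-class versus user-configuration contrast, since it illustrated the "different distributions of variation" clause that the new example no longer covers.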
<dt>entropy</dt><dd>How distinguishing is this new surface? Consider both the possible variations and the likely distribution of values. Adding 1-bit of entropy is typically of less concern; 30-some bits of entropy would be enough to uniquely identify every individual person. Different data sources may provide different distributions of variation; for example, even 1 bit of entropy can uniquely identify a user if they are the only one for whom it is true.</dd> | |
<dt>entropy</dt><dd>How distinguishing is this new surface? Consider both the possible variations and the likely distribution of values. Adding 1 bit of entropy is typically of less concern; 30-some bits of entropy would be enough to uniquely identify every individual person. Different data sources may provide different distributions of variation; for example, even 1 bit of entropy can uniquely identify a user if they are the only one for whom it is true.</dd> |
Addresses #68
Some of these changes are more syntactic than semantic; I tried to limit those, but a few still jumped out at me.