Reduce fingerprinting related to Web payments

[ianbjacobs]

Hi all,

Can we find ways to reduce (JavaScript in particular) fingerprinting? Should we have a workshop on this?

Ian

[samuelweiler]

The Privacy IG (PING) is looking at ways to reduce fingerprinting surface. We're starting with font enumeration. I encourage joining PING.

Workshopping would be good once we collect a motivated group of people. Who do you think should be involved?

[ianbjacobs]

I want to note that the Web Payment Security IG is holding conversations on this topic.

[ianbjacobs]

I've narrowed the focus of this particular issue to Web payments (e.g., 3-D Secure and risk assessment)

[samuelweiler]

There were some interesting discussions about this at the WPSIG mtg at TPAC2019. Fingerprinting, more generally, was discussed in an invite-only workshop in early September 2019.

[ianbjacobs]

WPSIG and PING have begun conversations about how emerging technologies (e.g., trust tokens, EATs, token binding, and possibly others) could help address this issue.

[dontcallmedom]

Secure Payment Confirmation seems to be the proposed approach to this need - it probably ought to be considered in incubation or evaluation at this stage

[ianbjacobs]

SPC might play a role here, but it is not yet clear that it will in the following sense:

• In the case of 3DS, I think the main usage of SPC will be during the "challenge flow," which means after a data-gathering phase.
• Independently we are interested in understanding "what is the account identifier for this user?" which is typically stored in a cookie today. We have been having discussions about how to get an answer to this question with user consent through a streamlined UX.

[ianbjacobs]

A new AntiFraud CG may contribute to progress on this.
https://www.w3.org/community/antifraud/

[ianbjacobs]

The Antifraud CG will discuss some of its emerging proposals [1] at TPAC 2022 in a joint meeting with WPWG, WPSIG, and WebAuthn.

[1] https://github.com/antifraudcg/proposals/issues