Elaborate the high-level threats section. #6
Conversation
|
@martinthomson, does https://pr-preview.s3.amazonaws.com/jyasskin/privacy-threat-model/pull/6.html#hl-recognition-same-site capture the high-level parts of your #1? (There's still more to flesh out in section 6 on this topic, so just focus on the high-level problem here. :) |
jyasskin
force-pushed
the
elaborate-high-level-threats
branch
2 times, most recently
from
bd13fec
to
111c8d6
Compare
There was a problem hiding this comment.
I think that what I had in mind was a framing of this capability as a platform capability that we wanted to preserve, albeit within bounds. This does a good job of establishing the threat though I would probably point more clearly at this being a core platform feature and that the risk only applies when the capability is present when not expected.
| * Explicitly clearing the site's cookies or storage. | ||
|
|
||
| This recognition is generally accomplished by either "supercookies" or [=browser | ||
| fingerprinting=]. |
There was a problem hiding this comment.
More often it is based on source IP. Not sure how useful that is in this context though.
There was a problem hiding this comment.
https://w3c.github.io/fingerprinting-guidance/#passive includes source IP in "browser fingerprinting", although I'm not attached to this sentence if there's a better way to summarize how unexpected recognition happens.
index.bs
Outdated
| user. | ||
|
|
||
| The attributes can be exposed as information about the user's device that is | ||
| otherwise benign (vs [[#hl-sensitive-information]]). For example: |
There was a problem hiding this comment.
"vs" is an abbreviation, so
| otherwise benign (vs [[#hl-sensitive-information]]). For example: | |
| otherwise benign (vs. [[#hl-sensitive-information]]). For example: |
or
| otherwise benign (vs [[#hl-sensitive-information]]). For example: | |
| otherwise benign (versus [[#hl-sensitive-information]]). For example: |
or even
| otherwise benign (vs [[#hl-sensitive-information]]). For example: | |
| otherwise benign (as opposed to [[#hl-sensitive-information]]). For example: |
index.bs
Outdated
|
|
||
| This occurs if a site can determine with high probability that a visit to that | ||
| site is coming from the same user as another earlier visit to the same site, and | ||
| the user expects not to be associated. |
There was a problem hiding this comment.
I would make it clearer here that this sort of correlation is entirely expected in most instantiations of the platform. But that the goal of the design is to ensure that users are in control over whether it is possible and numerous mechanisms exist that might be expected to break this sort of recognition. Then you can get into the list.
There was a problem hiding this comment.
Good point. I've added an initial paragraph to describe how the web platform makes recognition expected in most cases.
jyasskin
force-pushed
the
elaborate-high-level-threats
branch
from
9d1298f
to
ddc4e5d
Compare
jyasskin
force-pushed
the
elaborate-high-level-threats
branch
from
cba4738
to
0e990ba
Compare
I framed the threats that came out of the TPAC discussion as the web's interpretation of the general threats in RFC 6973. This explicitly describes same-site visit correlation as requested by w3cping#1, although it doesn't do so in the low-level goals section.
Using martinthomson's comments.
jyasskin
force-pushed
the
elaborate-high-level-threats
branch
from
0e990ba
to
e20ff7d
Compare
There was a problem hiding this comment.
This is good work to expand the high-level list of threats (with useful citations to previous standards work in RFC 6973) with some direct connections to the Web-specific privacy threats we're most used to. I think we could refine this a bit now (for example, I don't think we should rely too heavily on "unexpected"), but then merging it should be useful even if we're keeping an ongoing list of issues of how to add, define or detail threats.
index.bs
Outdated
| These threats combine into the particular concrete threats we want web | ||
| specifications to defend against, described in subsections here: | ||
|
|
||
| ## Unexpected same-site recognition ## {#hl-recognition-same-site} |
There was a problem hiding this comment.
I think "unexpected" may lead to some confusion over the privacy value and some unnecessary contention over analyzing threats and mitigations. I believe we typically mean that the privacy threat is unwanted same-site (or cross-site) recognition and that for those well-educated users who have strong control over their software settings unexpected recognition by the same or different sites is unexpected and a privacy violation because the user didn't want it and may have tried to protect against it and unexpectedly failed. Users who don't understand the intricacies of the platform may also suffer privacy violations of unwanted recognition, even some users who expect it to happen because they have given up any pretense of control.
That is, I don't think we could fully resolve this privacy threat by just increased education warning users that they may be strongly recognized all the time despite their best efforts. Making same-site or cross-site recognition universally expected does not provide all the advantages of privacy.
There was a problem hiding this comment.
I like changing this to "unwanted".
|
👍 |
I framed the threats that came out of the TPAC discussion as the web's interpretation of the general threats in RFC 6973.
This explicitly describes same-site visit correlation as requested by #1, although it doesn't do so in the low-level goals section.
Preview | Diff