-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Elaborate the high-level threats section. #6
Conversation
@martinthomson, does https://pr-preview.s3.amazonaws.com/jyasskin/privacy-threat-model/pull/6.html#hl-recognition-same-site capture the high-level parts of your #1? (There's still more to flesh out in section 6 on this topic, so just focus on the high-level problem here. :) |
bd13fec
to
111c8d6
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that what I had in mind was a framing of this capability as a platform capability that we wanted to preserve, albeit within bounds. This does a good job of establishing the threat though I would probably point more clearly at this being a core platform feature and that the risk only applies when the capability is present when not expected.
* Explicitly clearing the site's cookies or storage. | ||
|
||
This recognition is generally accomplished by either "supercookies" or [=browser | ||
fingerprinting=]. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More often it is based on source IP. Not sure how useful that is in this context though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://w3c.github.io/fingerprinting-guidance/#passive includes source IP in "browser fingerprinting", although I'm not attached to this sentence if there's a better way to summarize how unexpected recognition happens.
index.bs
Outdated
user. | ||
|
||
The attributes can be exposed as information about the user's device that is | ||
otherwise benign (vs [[#hl-sensitive-information]]). For example: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"vs" is an abbreviation, so
otherwise benign (vs [[#hl-sensitive-information]]). For example: | |
otherwise benign (vs. [[#hl-sensitive-information]]). For example: |
or
otherwise benign (vs [[#hl-sensitive-information]]). For example: | |
otherwise benign (versus [[#hl-sensitive-information]]). For example: |
or even
otherwise benign (vs [[#hl-sensitive-information]]). For example: | |
otherwise benign (as opposed to [[#hl-sensitive-information]]). For example: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I used "as opposed to".
index.bs
Outdated
|
||
This occurs if a site can determine with high probability that a visit to that | ||
site is coming from the same user as another earlier visit to the same site, and | ||
the user expects not to be associated. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would make it clearer here that this sort of correlation is entirely expected in most instantiations of the platform. But that the goal of the design is to ensure that users are in control over whether it is possible and numerous mechanisms exist that might be expected to break this sort of recognition. Then you can get into the list.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. I've added an initial paragraph to describe how the web platform makes recognition expected in most cases.
9d1298f
to
ddc4e5d
Compare
cba4738
to
0e990ba
Compare
I framed the threats that came out of the TPAC discussion as the web's interpretation of the general threats in RFC 6973. This explicitly describes same-site visit correlation as requested by w3cping#1, although it doesn't do so in the low-level goals section.
Using martinthomson's comments.
0e990ba
to
e20ff7d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is good work to expand the high-level list of threats (with useful citations to previous standards work in RFC 6973) with some direct connections to the Web-specific privacy threats we're most used to. I think we could refine this a bit now (for example, I don't think we should rely too heavily on "unexpected"), but then merging it should be useful even if we're keeping an ongoing list of issues of how to add, define or detail threats.
index.bs
Outdated
These threats combine into the particular concrete threats we want web | ||
specifications to defend against, described in subsections here: | ||
|
||
## Unexpected same-site recognition ## {#hl-recognition-same-site} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think "unexpected" may lead to some confusion over the privacy value and some unnecessary contention over analyzing threats and mitigations. I believe we typically mean that the privacy threat is unwanted same-site (or cross-site) recognition and that for those well-educated users who have strong control over their software settings unexpected recognition by the same or different sites is unexpected and a privacy violation because the user didn't want it and may have tried to protect against it and unexpectedly failed. Users who don't understand the intricacies of the platform may also suffer privacy violations of unwanted recognition, even some users who expect it to happen because they have given up any pretense of control.
That is, I don't think we could fully resolve this privacy threat by just increased education warning users that they may be strongly recognized all the time despite their best efforts. Making same-site or cross-site recognition universally expected does not provide all the advantages of privacy.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like changing this to "unwanted".
👍 |
I framed the threats that came out of the TPAC discussion as the web's interpretation of the general threats in RFC 6973.
This explicitly describes same-site visit correlation as requested by #1, although it doesn't do so in the low-level goals section.
Preview | Diff