ISSUE-109: siteSpecificTrackingExceptions property has fingerprinting risks: is it necessary?

siteSpecificTrackingExceptions property has fingerprinting risks: is it necessary?

State:
CLOSED
Product:
Tracking Preference Expression (DNT)
Raised by:
Nick Doty
Opened on:
2012-01-06
Description:
The siteSpecificTrackingExceptions list property (for JavaScript querying of existing site-specific exceptions) enables even easier fingerprinting by any first or third party JavaScript. Could first parties instead rely on calling requestSiteSpecificTrackingException and receiving a true response if exceptions have already been granted?
Related Actions Items:
Related emails:
  1. Re: Agenda for July 18, 2012 DNT WG Call on TPE (from fielding@gbiv.com on 2012-07-18)
  2. Issues mentioned in the TPE document, or non-closed in the database and applying to TPE (from singer@apple.com on 2012-04-10)
  3. Re: A First-Party List API for Site-Specific Exceptions (ISSUE-59, ISSUE-109, ISSUE-111, ISSUE-113, ISSUE-114) (from npdoty@w3.org on 2012-03-23)
  4. RE: A First-Party List API for Site-Specific Exceptions (ISSUE-59, ISSUE-109, ISSUE-111, ISSUE-113, ISSUE-114) (from kevsmith@adobe.com on 2012-03-23)
  5. RE: A First-Party List API for Site-Specific Exceptions (ISSUE-59, ISSUE-109, ISSUE-111, ISSUE-113, ISSUE-114) (from kevsmith@adobe.com on 2012-03-23)
  6. Re: A First-Party List API for Site-Specific Exceptions (ISSUE-59, ISSUE-109, ISSUE-111, ISSUE-113, ISSUE-114) (from jmayer@stanford.edu on 2012-03-17)
  7. Re: A First-Party List API for Site-Specific Exceptions (ISSUE-59, ISSUE-109, ISSUE-111, ISSUE-113, ISSUE-114) (from jmayer@stanford.edu on 2012-03-17)
  8. Re: A First-Party List API for Site-Specific Exceptions (ISSUE-59, ISSUE-109, ISSUE-111, ISSUE-113, ISSUE-114) (from npdoty@w3.org on 2012-03-17)
  9. RE: A First-Party List API for Site-Specific Exceptions (ISSUE-59, ISSUE-109, ISSUE-111, ISSUE-113, ISSUE-114) (from kevsmith@adobe.com on 2012-03-15)
  10. Re: A First-Party List API for Site-Specific Exceptions (ISSUE-59, ISSUE-109, ISSUE-111, ISSUE-113, ISSUE-114) (from sid@mozilla.com on 2012-03-14)
  11. Re: A First-Party List API for Site-Specific Exceptions (ISSUE-59, ISSUE-109, ISSUE-111, ISSUE-113, ISSUE-114) (from jmayer@stanford.edu on 2012-03-14)
  12. Re: A First-Party List API for Site-Specific Exceptions (ISSUE-59, ISSUE-109, ISSUE-111, ISSUE-113, ISSUE-114) (from sid@mozilla.com on 2012-03-14)
  13. RE: A First-Party List API for Site-Specific Exceptions (ISSUE-59, ISSUE-109, ISSUE-111, ISSUE-113, ISSUE-114) (from kevsmith@adobe.com on 2012-03-14)
  14. A First-Party List API for Site-Specific Exceptions (ISSUE-59, ISSUE-109, ISSUE-111, ISSUE-113, ISSUE-114) (from jmayer@stanford.edu on 2012-03-14)
  15. Re: ISSUE-111 - Exceptions are broken (from jmayer@stanford.edu on 2012-03-13)
  16. RE: set of exceptions (from wileys@yahoo-inc.com on 2012-03-06)
  17. Re: set of exceptions (from npdoty@w3.org on 2012-03-06)
  18. How can a server understand the site-specific exceptions that are stored in a user agent (was: Work ahead; volunteers?) (from mts@zurich.ibm.com on 2012-03-06)
  19. Issue Cleanup for TPE Document (from mts@zurich.ibm.com on 2012-03-06)
  20. JS Exception API (from tom@mozilla.com on 2012-02-29)
  21. Action-91: Write text on fingerprinting risk (ISSUE-109, ISSUE-114), with Nick Doty (from andyzei@microsoft.com on 2012-02-29)
  22. diff of TPE editing since the FPWD (from fielding@gbiv.com on 2012-01-10)
  23. tracking-ISSUE-109: siteSpecificTrackingExceptions property has fingerprinting risks: is it necessary? [Tracking Preference Expression (DNT)] (from sysbot+tracker@w3.org on 2012-01-06)

Related notes:

2012-03-05: Proposed text by Andy Zeigler; By storing a client-side configurable state and providing functionality to learn about it later, this API may facilitate user fingerprinting and tracking. User agent developers should consider the possibility of fingerprinting during implementation and might consider rate limiting requests or using other heuristics to mitigate fingerprinting risk. User agents should consider clearing stored site-specific exceptions when the user chooses to clear cookies or other client-side state.

Matthias Schunter, 5 Mar 2012, 13:13:20

2012-03-06: A need for servers obtaining exception information from a user agent has been stated by Shane Wiley. This discussion is now continued as ISSUE-111.
I changed the ISSUE-109 to closed.

Matthias Schunter, 6 Mar 2012, 15:29:33

2012-03-14: Changed to closed (no objections against closing:
http://www.w3.org/mid/4F5607C5.50208@zurich.ibm.com

Matthias Schunter, 14 Mar 2012, 10:06:35

Display change log ATOM feed

Chair, Staff Contact
Tracker: documentation, (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <w3t-sys@w3.org>.
$Id: 109.html,v 1.1 2019/02/01 09:32:26 vivien Exp $