This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 27166 - All identifiers associated with a user should be clearable in the same way cookies are

Alias: None
Product: HTML WG
Classification: Unclassified
Component: Encrypted Media Extensions
Version: unspecified
Hardware: PC Windows NT
Importance: P2 normal
Target Milestone: ---
Assignee: David Dorwin
QA Contact: HTML WG Bugzilla archive list
Whiteboard: Privacy, TAG
Duplicates: 27270
Depends on: 27268
Reported: 2014-10-24 21:40 UTC by Domenic Denicola
Modified: 2014-12-09 00:34 UTC

Description Domenic Denicola 2014-10-24 21:40:47 UTC
As discussed in, some DRM implementations---for Silverlight, at least---bring along semi-permanent client IDs.

It would be ideal if we required that clearing one's cookies, history, etc. also cleared any such identifiers. I am unsure this is possible for robustness reasons, and as such filed bug #27165 to explore mitigating strategies, but if there is even a chance of requiring they be clearable that would be much better, and I would love to have that discussion in this bug.
Comment 1 Philippe Le Hegaret 2014-10-31 16:56:04 UTC
For example, see also:
Comment 2 David Dorwin 2014-10-31 17:03:32 UTC
Mark to look into addressing the discussion at TPAC, including making part of the privacy and security sections normative (like webstorage) and adding a series of SHOULDs. Note that we are probably going to tackle identifiers in general here (i.e. no identifiers, clearable identifiers, per-origin identifiers).
Comment 3 Mark Watson 2014-10-31 17:31:45 UTC
In the F2F discussion it seems there is general agreement that unique identifiers should be clearable.

There is already text in the Privacy section:

This is very similar (identical?) to text in Web Storage, for example:

Our text is informative. The Web Storage text is normative, but doesn't contain requirements language (SHOULD, MUST).

What aspects of this text should be made normative, and at what level of requirements?
Comment 4 Joe Steele 2014-11-07 01:05:27 UTC
This is related to bug 27168. I believe Henri has some text he is planning to propose which should resolve this as well.
Comment 5 David Dorwin 2014-11-10 22:52:56 UTC
We also have bug 27270. Maybe we should merge the two, possibly bringing the proposed text from that bug here.
Comment 6 David Dorwin 2014-12-01 18:45:10 UTC
{The following is Bug 27270's description by Henri Sivonen.}

In order to give users the opportunity to cause a discontinuity in the ability of a site, of third parties whose scripts the site includes, or of a network MITM who injects EME usage into a non-https site, to track the user across time, please require that distinctive identifiers be forgettable and regeneratable.

(Start proposed spec text for a *normative* section) 

Implementations MUST ensure that the user may request distinctive identifiers to be forgotten such that new different distinctive identifiers are generated in the place of the old ones when distinctive identifiers are needed subsequently. It is RECOMMENDED that users be able to request that distinctive identifiers be forgotten on a per-site basis, particularly as part of a "Forget about this site" feature that forgets cookies, databases, etc. associated with a particular site in an operation that is sufficiently atomic to prevent "cookie resurrection" type of recorrelation of a new identifier with the old by relying on another type of locally stored data that did not get cleared at the same time.

Note: The most obvious way to meet this requirement is to ensure that the salt contemplated in the above note (actually in bug 27269) be forgettable such that a new salt is randomly generated when needed.
Comment 7 David Dorwin 2014-12-01 18:46:45 UTC
*** Bug 27270 has been marked as a duplicate of this bug. ***
Comment 8 David Dorwin 2014-12-02 01:43:02 UTC
incorporates much of Henri's text quoted in comment #6.

We still need to address comments #1-3.
Comment 9 Jerry Smith 2014-12-02 19:55:32 UTC
The last edit:

1.  Requires clearable IDs.
2.  Recommends clearing them along with cookies.
3.  Recommends clearing them per site and taking precautions for cookie resurrection.

This edit addresses the subject of this bug and seems sufficient to close it in my view.  The additional suggestions in comments 1-3 had other possible tracking mitigations, but I think were included primarily to provide model text for making IDs clearable.
Comment 10 David Dorwin 2014-12-09 00:32:41 UTC
Although not directly related to the original bug, the following commits address comments #1-3, integrate more text based on the Privacy and Security sections of the specifications in comment #1, and make most of the Security and Privacy sections normative.

All issues raised in this bug have now been addressed.