PING 2021 Year in Review
PING performed 24 privacy reviews in 2021 and provided guidance on several other APIs.
PING privacy reviews resulted in privacy improvements in proposed specifications. Some examples include:
- Payment Request API: The specification identifies the potential for sites to use the API for tracking instead of payments and recommends requiring users’ consent as mitigation.
- Web Neural Network API: The specification restricts functionality to first-party contexts to prevent others from using the functionality for tracking.
- WebCodecs: We identified ways that sites could abuse the proposed functionality to learn details about a user’s CPU and GPU. The specification mitigates this risk by limiting the revealed data to only what would be otherwise available and by suggesting ways that user agents could further dynamically limit exposure.
- Incremental Font Transfer: The API no longer sends unneeded information about the user’s local network conditions.
- CSS Masking Module Level 1: The specification now warns that it should not be used for privacy-protecting purposes because the masking is purely cosmetic and does not irreversibly redact data.
- Ambient Light Sensor API: The working group made its data minimization guidance normative.
Here are some other privacy issues we uncovered:
- Decentralized Identifier Specification v1.0: The specification could introduce new unique identifiers that could be used to track individual users and the associated user activity could end up stored as persistent data in blockchains.
- Federated Learning of Cohorts (FLoC): The specification could enable trackers to combine a cohort identifier with existing profiles to learn more information about individuals. Additionally, the proposal requires implementers to define a singular set of sensitive topics, which may not be shared by all users.
- Resource Timing, Performance Timeline, User Timing: Sites could abuse the functionality enabled by these specifications to learn when users are using VPNs, or whether a user is logged into a third-party site.
- Multiple specifications could allow sites to learn when people are using assistive technologies. PING will work on mitigations with the TAG and the ARIA WG.
- Secure Payment Confirmation: The specification could allow payment providers (e.g., banks, cryptocurrency wallets, etc.) to learn when a user has multiple, different accounts, posing a privacy harm for users who want to maintain distinct identities on the Web. This could also be abused by sites that are not payment providers to do cross-site tracking.
- CSS Color Adjustment Module Level 1: We identified non-standard color configurations as a potential fingerprinting vector, one that may also reveal disability status.
Here are some improvements currently being discussed, and which we hope to see before the proposals move to Recommendation status:
- Media Stream Image Capture: Add protections to prevent sites from learning a user’s location through image metadata. Also, remove capabilities that trackers could misuse to communicate across site boundaries, or apply other mitigations for this potential abuse.
- EPUB 3.3: Consider privacy threats specific to the ecosystem of ebooks, including authors, publishers, online book sellers and readers, and address privacy issues from packaging, DRM, obfuscation and fingerprinting.
- HTML Review Draft: Add a warning around interactions with the Reporting API because of unresolved concerns around privacy and user consent in that API. Add privacy and security considerations sections.
- DOM Review Draft: Add privacy and security considerations sections.
What you don’t see here are all the privacy improvements that Working Groups already made to their specifications before they came to PING, aided by privacy expertise and documentation, including the Self-review Questionnaire: Security and Privacy and Mitigating Browser Fingerprinting. We are pleased to note that privacy is increasingly seen as integral to functionality, not an afterthought.
Keeping up with privacy reviews of every new Web feature is a challenge, and we expect the rush to continue this year with even more new and updated Web platform technologies. But building a more privacy-friendly Web isn’t just a matter of catching new issues as they arise. This year we aim to:
- begin more comprehensive reviews of foundational Web standards: HTML and DOM, for example, long predate our privacy review processes;
- improve systematic guidance, including: working with the TAG on privacy principles and providing advice on fingerprinting, permissions and threat modeling; and,
- start consideration of privacy even earlier by reaching out to WHATWG and WICG processes.
We thank all the groups that reached out to PING last year and worked with us to make a more privacy-respecting Web for users all over the world.
We would also like to thank all our 2021 privacy reviewers. These volunteers, from a variety of organizations, have contributed to privacy on the Web for all:
- Kris Chapman (Salesforce)
- Nick Doty (Center for Democracy & Technology)
- Konrad Dzwinel (DuckDuckGo)
- Matthew Finkel (Tor)
- Joe Genereux (Brave Software)
- Pranjal Jumde (Brave Software)
- Jonathan Kingston (DuckDuckGo)
- Lei Mu (Roy) (Invited Expert)
- Eric Mwobobia (ARTICLE19)
- Theodore Olsauskas-Warren (Google)
- Christine Runnegar (Invited Expert)
- Shivan Sahib (Salesforce, now Brave Software)
- Kris Shrishak (Invited Expert)
- Peter Snyder (Brave Software)
- Samuel Weiler (W3C)
- Aram Zucker-Scharff (The Washington Post)
Nick Doty, Center for Democracy & Technology (PING Co-Chair)
Christine Runnegar, ISOC (PING Co-Chair)
Wendy Seltzer, W3C (Team Contact)
Pete Snyder, Brave Software (PING Co-Chair)
Samuel Weiler, W3C/MIT (Team Contact)