IRTF-PEARG / draft-ip-address-privacy

Internet-Draft on IP address privacy
http://pearg.org/draft-ip-address-privacy/

A mechanism for first-party re-identification #15

Open bakkot opened 2 years ago

bakkot commented 2 years ago

Summary: IP blindness seems like it's mainly aimed at combatting the cross-site tracking which IP addresses facilitate. But individual sites also use IP addresses to correlate traffic for individuals across multiple visits to that one site, for combatting certain kinds of abuse. This proposal ought to have some way to let those individual sites still re-identify users across multiple visits.


Moving discussion from here. Let me quote some bits of my comments there:

It seems reasonable to say that the focus of this document is to provide alternatives for the use cases served by cross-site re-identification, but I think it's important to consider the effects of IP privacy on same-site re-identification as well. (For context, I work on an anti-abuse product at Shape Security which does exactly this sort of same-site re-identification.) Cookies are opt-in, so that's not particularly viable as an anti-abuse mechanism, particularly if account takeover or denial of service is in scope. [...] Attackers need to not be able to opt out of sending the signal. Or rather, real users need to opt out so infrequently that outright blocking anyone who does not send it is acceptable. Cookies don't work here because any first-time visitor will lack cookies for the site, which means you can't simply block anyone who lacks cookies.

There's some discussion in that thread about the feasibility of a mechanism which required the server to request some additional signal from the client, which I won't copy over, but we can continue discussing it here.
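The cookie-versus-address argument in the comment above, as an added example that is not part of the thread or the draft: a sliding-window attempt counter run over constructed login requests, keyed once by source address and once by cookie. The window, threshold, addresses and cookie values are assumptions made for illustration.

```python
from collections import defaultdict

WINDOW_SECONDS = 60  # assumed correlation window
MAX_ATTEMPTS = 3     # assumed per-key threshold inside the window

# Constructed sample login requests: (timestamp, source_ip, cookie or None).
# 203.0.113.7 repeats attempts and never returns a cookie,
# 198.51.100.20 is a returning visitor, 192.0.2.44 is a first-time visitor.
REQUESTS = [
    (0, "203.0.113.7", None),
    (5, "198.51.100.20", "c-alice"),
    (10, "203.0.113.7", None),
    (20, "203.0.113.7", None),
    (25, "192.0.2.44", None),
    (30, "203.0.113.7", None),
    (40, "203.0.113.7", None),
    (50, "198.51.100.20", "c-alice"),
]

def flag_requests(requests, key_fn):
    """Return indexes of requests that exceed MAX_ATTEMPTS for their key
    within WINDOW_SECONDS. A request whose key is None carries no signal,
    so it cannot be correlated with earlier ones and is never flagged."""
    recent = defaultdict(list)
    flagged = []
    for index, request in enumerate(requests):
        key = key_fn(request)
        if key is None:
            continue
        now = request[0]
        recent[key] = [t for t in recent[key] if now - t < WINDOW_SECONDS]
        recent[key].append(now)
        if len(recent[key]) > MAX_ATTEMPTS:
            flagged.append(index)
    return flagged

def block_cookieless(requests):
    """Strict alternative: reject every request that arrives without a cookie."""
    return [i for i, request in enumerate(requests) if request[2] is None]

if __name__ == "__main__":
    print("flagged when keyed by address:", flag_requests(REQUESTS, lambda r: r[1]))
    print("flagged when keyed by cookie: ", flag_requests(REQUESTS, lambda r: r[2]))
    print("blocked when cookie required: ", block_cookieless(REQUESTS))
```

Keyed by address, the repeated attempts are correlated and flagged; keyed by cookie, nothing is flagged, and requiring a cookie also rejects the first-time visitor at index 4.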

bslassey commented 1 year ago

The draft now includes several sections discussing anti-abuse needs, including same-site. Do you think this sufficiently addresses your concerns?