WebAudio / web-audio-api

The Web Audio API v1.0, developed by the W3C Audio WG
https://webaudio.github.io/web-audio-api/

Potential error in stated diversity of web audio fingerprints in comparison to User-Agent strings #2371

Open phani-vadrevu opened 2 years ago

phani-vadrevu commented 2 years ago

The "Security and Privacy Considerations" section of the spec mentions that Web Audio fingerprinting "merely allows deduction of information already readily available by easier means (User Agent string)".

Our security & privacy research group at the University of New Orleans (UNO) performed an empirical study of the effectiveness of Web Audio Fingerprints. Our paper is available here and is currently under submission at a security conference. One of our goals was to measure the diversity of web audio fingerprints in comparison to other popular fingerprinting vectors such as Canvas, Font and User-Agent strings. Our results show that while Web Audio fingerprints do not have as much discriminative value as Canvas fingerprints or even the "User-Agent" header, we show that they have a definite "additive value" over all the other fingerprint vectors. In particular, we verified the above assertion made in the spec. Our results showed that this assertion is likely incorrect. More details about this are mentioned in the last paragraph of Page 8 of the paper while the rest of the paper gives the context for this. Please let us know if you need any clarification regarding this.

We hope that the rest of the results in our paper will also be able to clearly quantify the privacy threat posed by Web Audio APIs and can potentially help improve the privacy section of the spec. We will also be happy to provide any extra information that you might need regarding the data that we collected or conduct any analysis that you might be interested in. We also appreciate any feedback you might have for the paper.

Thank you!
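The comment above turns on whether an audio fingerprint can be deduced from the User-Agent string. The following is an added example, not part of the original comment and not code or data from the paper: it checks that on a constructed sample, using Shannon entropy as the diversity measure (an assumption, since the thread does not state the paper's metric). All names and sample values are hypothetical.

```python
import math
from collections import Counter, defaultdict

# Constructed sample, one (user_agent, audio_fingerprint) pair per visitor.
SAMPLE = [
    ("UA-A", "audio-1"), ("UA-A", "audio-1"), ("UA-A", "audio-2"),
    ("UA-B", "audio-1"), ("UA-B", "audio-3"),
    ("UA-C", "audio-2"), ("UA-D", "audio-2"), ("UA-E", "audio-1"),
]

def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of `values`."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def conditional_entropy(pairs):
    """H(audio | UA) = H(UA, audio) - H(UA).

    Zero means the audio fingerprint is fully determined by the UA string;
    anything above zero is information the UA string does not carry.
    """
    return entropy(pairs) - entropy([ua for ua, _ in pairs])

def split_user_agents(pairs):
    """UA strings under which more than one audio fingerprint was observed."""
    seen = defaultdict(set)
    for ua, audio in pairs:
        seen[ua].add(audio)
    return {ua: sorted(fps) for ua, fps in seen.items() if len(fps) > 1}

def unique_visitors(keys):
    """Number of visitors whose key value is shared with nobody else."""
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1)

if __name__ == "__main__":
    uas = [ua for ua, _ in SAMPLE]
    audios = [a for _, a in SAMPLE]
    print(f"H(UA)         = {entropy(uas):.3f} bits")
    print(f"H(audio)      = {entropy(audios):.3f} bits")
    print(f"H(audio | UA) = {conditional_entropy(SAMPLE):.3f} bits")
    print("UA strings split by audio:", split_user_agents(SAMPLE))
    print("unique by UA:", unique_visitors(uas),
          "| unique by UA+audio:", unique_visitors(SAMPLE))
```

In this constructed sample the audio fingerprint has lower entropy than the User-Agent string, yet the conditional entropy is above zero and combining the two raises the number of uniquely identifiable visitors.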

hoch commented 2 years ago

Thanks for sharing this information and we will discuss this in the next teleconference.

phani-vadrevu commented 2 years ago

Hello, we were just wondering if you have any updates after your discussion. Please let us know if you need any extra information from us.

Thanks!

hoch commented 2 years ago

I forwarded this information to Chrome's privacy team for the review. Hopefully the WG can respond after the next meeting. (8/26)

hoch commented 2 years ago

Teleconf 9/23: Progressing, but browser implementors do not have a conclusion yet. The investigation is still ongoing.

phani-vadrevu commented 2 years ago

Do you have any updates on this? Please let us know!

phani-vadrevu commented 1 year ago

Hello! I am just following up on this issue. Do you have any updates?