Open jyasskin opened 10 years ago
Per the 2014-08-15 meeting, we should obscure as much of this as possible, in order to force devices to put effort toward making themselves fingerprintable if they want to do so.
The basic idea will be to require that each of these IDs be randomly selected per website/device pair. There's probably wording in some other standard we can borrow to specify it.
This is framed as a tradeoff between utility of the API and the amount of obfuscation. The key question is, is there a region where utility is acceptably high, while malicious fingerprinting is impractical?
I doubt this.
I think you should focus on access to the device (the "explicitly pair each device" part) and not obfuscation. The access control policy is essential anyway. You can evolve it more easily than a set of obfuscations. It avoids the complexity of obfuscation in implementations.
Some background reading: http://www.chromium.org/Home/chromium-security/client-identification-mechanisms
The current Device interface exposes 2-3 unique IDs for the device (`deviceID`, `address`, and possibly `name`), and allows sites to enumerate the Services the device defines, which is probably also enough to fingerprint the device.

How much of this do we need to expose to let people write useful apps? Does the fact that a user has to explicitly pair each device with the site mitigate the privacy concern?