search

w3cping / privacy-threat-model

A target privacy threat model for the Web
https://w3cping.github.io/privacy-threat-model
Apache License 2.0
23 stars 7 forks source link

Address cross-device correlation #40

Open jyasskin opened 4 years ago

jyasskin commented 4 years ago

Roughly:

Sites can't tell that a single user is visiting on two different devices until the user enters sufficiently-identifying information into the site on both devices independently or otherwise expresses a desire to sign into the same account on both devices.

The ideal threat model would prevent cross-device correlation until the user intentionally signs into a single account on both devices, but it seems impossible for a browser to prevent users from, say, typing a credit card number or home address into the site on each device, which doesn't express the user's intent to share an account, but does let the site guess it's the same or a closely-related user.

I think the only practical effect is to ban browsers from sync'ing storage across devices without per-site user intent (?), but that's still worth writing down.

npdoty commented 3 years ago

+1, but also I think better defining the threat of cross-device correlation will involve a lot more threats than just browser-synced storage. Environmental sensors and out-of-band signaling mechanisms (e.g. correlating through similar changes in ambient light, hard-to-hear audio modulations, recognizing simultaneous idle or accelerometer changes) are known threats.