Hi David, thanks for crafting this text. Would it make sense to also mention countermeasures in the paragraph on privacy? (For instance: disallowing use of this API for arbitrary origins or restricting access to specific API methods.)
Given the significant privacy implications, I would lean toward a formal objection, but other Mozillians have more experience with W3C charter reviews than I do... Peter On 7/22/18 7:17 PM, L. David Baron wrote: > Below is an attempt to write comments on the charter to consider the > feedback so far in this thread. It's not clear to me what the right > charter changes to suggest for the privacy and fingerprinting issues > are; I've made a proposal here, but I'm open to alternative > suggestions. > > There's also the question of whether these comments should > constitute a formal objection to the charter. I think I'm leaning > against, but could also be persuaded otherwise. > > -David > > ===== > > We're glad to see the plan to merge Navigation Timing into Resource > Timing after level 2 is complete. However, this only partially > addresses our concerns about confusing cross-references and > monkeypatching between a number of the specifications produced by this > working group. It would be good to also see User Timing and Performance > Timeline merged into the same set of specifications in the next level. > > A number of the group's specifications have significant privacy > implications: they might provide mechanisms for finding information > about what other software is running on the user's computer, whether > that's web content in other origins, or entirely separate software. > This requires careful consideration of whether these features are safe. > It would be good to see the Success Criteria section of the charter both > explicitly ask the group to consider these issues, and explicitly say > that it is an acceptable result for the group to decide not to release a > specification because an acceptable solution for user privacy cannot be > found. > > Likewise, some specifications in the group provide significant > additional fingerprinting surface. When they do this, they should > explicitly point out that they are doing so, and explicitly allow > implementations to take countermeasures. We'd like to see the Success > Criteria section of the charter encourage the group to consider > fingerprinting explicitly. > > > > _______________________________________________ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform >
signature.asc
Description: OpenPGP digital signature
_______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
