Privacy evaluation of the API #3
Comments
|
The fingerprint exposed by the Intl Enumeration API is no larger than the browser version itself. For example, given the browser version, one can look at the browser's source code and see what the Intl Enumeration API would return. Therefore, I do not believe that this feature opens up any new fingerprinting vectors. |
|
@zbraniecki What do you feel are the next steps to complete the privacy review of the proposal? |
|
I think this evaluation is an important precondition to Stage 2. @litherum has raised concerns here in the past. (I'm not an expert in this area, so I don't really know how to do this evaluation.) |
|
Here's the discussion from last month's TG2 meeting: @zbraniecki raised the point that we may in the future move in a direction such that the enumeration is not necessarily tied to the browser version as I suggested above, so we should think about what this API might look like in that world. The high bit is that we need to get a privacy review on this proposal before it can move forward. |
|
OK, I don't have a have a strong opinion about whether we call this a Stage 2 or 3 prerequisite, but the high-level point is, we won't know whether this proposal will eventually move into the language until this analysis is done; Stage 2 should not be interpreted as an indication otherwise. |
|
Stage 2 means "this is expected to move into the language". If there's analysis to be done that might preclude that, stage 2 is premature. |
|
I think it can be said that the committee may be happy with this feature going into the language, modulo potential changes to address the privacy concerns. I do not expect nor want the privacy concerns to derail the proposal as a whole. |
|
Hi all. I consulted my colleagues at Mozilla at were able to assemble Intl.Enumeration Privacy Implications document. I think it would be good to get this document reviewed by privacy experts from other companies, but the recommendation from Mozilla is unblocking. The recommendation from this document may also serve as a foundation for privacy guidelines for the whole ECMA-402. |
|
@litherum is going to follow up with Apple's privacy team to review the doc posted above by @zbraniecki. |
|
Per 2021-04-08 ECMA402 meeting. All the privacy concern about this proposal is resolved from Mozilla and Apple. Therefore I am closing this issue down now. |
|
Notes from 2021-04-08: https://github.com/tc39/ecma402/blob/master/meetings/notes-2021-04-08.md#intl-enumeration-api-privacy-evaluation @litherum said: "We agree with ZB's privacy evaluation" CC @littledan |
Based on tc39/ecma402#435 and tc39/ecma402#443 , I'm filing an issue to request evaluation of this API from the privacy experts.
The text was updated successfully, but these errors were encountered: