# Anti-Fingerprinting Breakout

13-09-2023

Shubie Panicker (Hooli Anti-fingerprinting team)

[slides](https://docs.google.com/presentation/d/1ab0N_LPHUmangtPw-I1_JTnt2Lc1lCasRseQbik6h6g/edit?resourcekey=0-y1es1Rp6eLmegHy3nezAjw#slide=id.p)

- Scope
  - Out:
    - use-cases disrupted by anti-fingerprinting
    - UX and mediation needs
- Context
  - Mozilla and Chrome definitions of cross-site tracking
  - browser by browser; DDG list, Disconnect, etc.
  - tracker lists as "pragmatic" first step, but incremental and even application industry-wide will take time
  - DuckDuckGo dominant
- def(success): 3
  - users "have protections" (going well)
  - industry change, i.e. devrel
    - incentive problem; "pave the well-lit path"
    - "lacking clear stance and policy for the web"
  - regulators empowered
    - role of policy not discussed much
- building blocks
  - cross-site threat
  - data purpose
    - "is there a 'greater gain' from the data, such as anti-fraud service, security" (?)
  - data practice
    - GDPR stuff
  - "user perspective"
    - user harm = ?
    - how hard is it for user to "take corrective action"? currently, very
    - user value
- Interrupt: John - per-site user recall is a problem for us, too?
  - E.g. if you visit a site in private mode and come back in normal mode
- ranking priorities
  1. ad targeting/fraud/measurement
  2. analytics and audience measurement
  3. social - comment/share
  4. tag manager
  5. ...
- emerging de facto tolerance thresholds: purpose legitimacy (ads always bad, payment always good); "browser already doing this today"
- some guy: is there a standard for declared data purpose?
  - "no standard yet; I'm building a case for one, but I see tracker lists already doing this ad hoc"
- Ben Savage: Safari already has a tool to strip tracking params from URLs; Google's trackers are not stripped by that tool. Why? Did they disclose something to Safari?
- declarations in the wild
  - [my co] is not tracking for [purpose]
  - [my co] is exclusively doing [x and y]
- "we are already in the policy game"
- Q&A
  - Gerard (South Afr. guy): Web Payment POV: 3Secure takes a long time to roll out, and was built on then-current fingerprinting standards, and will take 4 years to upgrade not to be based on fingerprinting
    - in the meantime, we're stuck getting adoption "in an iFrame that's there FOR fingerprinting"
  - Brian May (Dstillery)
    - well-known list, appealable/fine-tune-configurable by user, etc.
  - ??: policies versus procedures? is tracking list the policy or the procedure you're proposing?
  - John: Lots of tactics going into browsers AREN'T list-based; would fingerprinting breaking speed up the processes of adoption for 3Secure?
  - French guy: Bad actors dodge identity mechanism; allowlist better than blocklist? Blocklist seems a bad first stop
    - contrarian: Don't new sites with zero reputation have a hurdle/delay? not quick or cheap to move through burner U
  - Ben (Moz guy)
    - cross-site isn't consensual and browsers have rebranded and tweaked the 1st party/3rd party boundary a lot lately... policy infrastructure
    - policy-based approach reduces to a list of the entire internet
- Dev Declaration slide
  - machine-readable, browser-friendly; regulators can come after you
  - dev tooling when
  - scope of privacy label? some of this is urgent
  - short-form and long-form manifest
  - Apple SDK manifest and nutrition labels
- Q&A
  - Sam - "detection pipeline" - this looks like adblocking arms race, except with a less-reliable oracle; what's progress on detection look like?
  - Sameer: offer of collab, love to work on a use-case-focused work stream; Gerard - web payments & anti-fraud collab session tomorrow!
  - Brian May - blocklist applied per-API or total?
  - Matt Finkel - tracking and lists are off-topic; I wanna know how browsers block fingerprinting
  - Nick Doty - out-of-band enforcement? I'm willing to work on that, since I think that's gonna get more important when circumvention grows
  - Gerard - app stores force declarations per app; browser could get user intervention based on declarations (i.e. this site says it's tracking you for payment purposes); I'm fine with that friction if it builds a long-term path to compliance