Commit f0e3b5a

Add initial privacy considerations for fingerprinting and data leakage (#283)
1 parent 866310c commit f0e3b5a

File tree

1 file changed

+80
-0
lines changed

index.html

Lines changed: 80 additions & 0 deletions
@@ -1545,6 +1545,86 @@ <h5>
15451545
unnecessary and abusive requests.
15461546
</p>
15471547
</section>
1548+
<section>
1549+
<h3>
1550+
Fingerprinting and Data Leakage
1551+
</h3>
1552+
<h4>
1553+
Browser fingerprinting
1554+
</h4>
1555+
<p>
1556+
While the API ensures that no user data is ever shared without a
1557+
permission prompt, the longevity and uniqueness of real world
1558+
identifiers that are likely to be returned by the Digital Credentials
1559+
API make it a potential target for trackers and fingerprinters.
1560+
</p>
1561+
<p>
1562+
Even with selective disclosure, attackers might combine data from a
1563+
digital credential (such as the user's age, or the credential issuer,
1564+
timestamps, see [[[#leaking-incidental-data]]]) to reidentify and/or
1565+
fingerprint users.
1566+
</p>
1567+
<p>
1568+
This attack might be harder for third-party attackers (such as
1569+
scripts embedded on the verifier's pages, but not actively
1570+
collaborating with them for the purpose of tracking) because response
1571+
encryption is mandatory and responses should be decrypted on the
1572+
verifier's server. The verifier could thus ensure not to reflect back
1573+
decrypted information back to client-side JavaScript. Not all
1574+
verifiers will choose to do so, however.
1575+
</p>
1576+
<h4 id="leaking-incidental-data">
1577+
Leaking incidental data with credential presentations
1578+
</h4>
1579+
<p>
1580+
To ensure authenticity of a credential, its presentation to verifiers
1581+
generally includes more information than the content the verifier is
1582+
requesting access to. It will usually contain at least a signature of
1583+
the issuer and the wallet, and potentially other metadata.
1584+
</p>
1585+
<p>
1586+
This additional information could be used to reidentify and
1587+
fingerprint users, which is especially relevant when an otherwise
1588+
unlinkable presentation is made.
1589+
</p>
1590+
<p>
1591+
While the Digital Credentials API does not control the content of a
1592+
credential response, user agents can help protect users against this
1593+
type of tracking through clearly highlighting which information
1594+
likely gets shared with the verifier beyond what was requested, and,
1595+
more broadly, by identifying and blocking fingerprinting through the
1596+
API by verifiers.
1597+
</p>
1598+
<h4>
1599+
Revealing device properties through protocol availability
1600+
</h4>
1601+
<p>
1602+
The Digital Credentials API exposes information about which
1603+
credential exchange protocols are supported by the user agent through
1604+
{{DigitalCredential/userAgentAllowsProtocol()}}. It mitigates browser
1605+
fingerprinting and revealing information about the user's device
1606+
configuration through not customizing its response based on e.g.
1607+
which wallet applications are installed on a user's device. The
1608+
returned information is thus, at best, equivalent to a user agent
1609+
version.
1610+
</p>
1611+
<h4>
1612+
Avoiding leaks of credential availability
1613+
</h4>
1614+
<p>
1615+
The Digital Credentials API does not enable sites to learn whether a
1616+
credential is available without first going through a <a href=
1617+
"#user-permission-and-transparency">user permission flow</a>.
1618+
Revealing the presence of credentials would be a risk to user
1619+
privacy, as the presence of a credential is personal information that
1620+
the user might not have preferred to share with the site, and, in
1621+
combination with other signals, could be used to identify the user
1622+
without their permission. It is also a risk to free expression, as
1623+
websites might increasingly start to demand the presentation of these
1624+
credentials from the user in order to access services, excluding
1625+
individuals who are unwilling to present credentials.
1626+
</p>
1627+
</section>
15481628
<section>
15491629
<h3>
15501630
User Permission and Transparency
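Review bot: in the "Avoiding leaks of credential availability" paragraph, the statement that sites cannot learn whether a credential is available "without first going through a user permission flow" leaves open what the site observes once that flow completes; if a declined prompt and an absent credential yield distinguishable results, availability still leaks, so consider adding a sentence stating that those outcomes must be indistinguishable to the site. Two smaller points in the "Browser fingerprinting" section: "ensure not to reflect back decrypted information back to client-side JavaScript" repeats "back" (drop the first one), and since the mitigation rests on verifier behaviour, closing with "Not all verifiers will choose to do so, however." reads as a loose end; a recommendation that verifiers SHOULD NOT return decrypted response data to client-side scripts would give the paragraph an actionable conclusion. Similarly, "It mitigates browser fingerprinting ... through not customizing its response" under "Revealing device properties through protocol availability" is descriptive; if this is a conformance requirement on user agents, phrase it normatively. Finally, only the second `<h4>` carries an `id` (`leaking-incidental-data`); giving the other three new headings ids would let them be cross-referenced with the same `[[[#...]]]` mechanism used here.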