
Commit 8d5fea4

zcorpan and annevk committed
Define tracking vector
This allows other standards to designate something as a tracking vector and link this text for a centralized explanation. Fixes #20. Co-authored-by: Anne van Kesteren <[email protected]>
1 parent fbe57e3 commit 8d5fea4

File tree

1 file changed

+59
-0
lines changed


infra.bs

Lines changed: 59 additions & 0 deletions
@@ -103,6 +103,65 @@ specifications using the Infra Standard, the user agent is generally the client
103103
implements the specification.
104104

105105

106+
<h3 id=privacy>Privacy concerns</h3>
107+
108+
<p>Some features that are defined in documents using the Infra Standard might trade user convenience
109+
for a measure of user privacy.
110+
111+
<p>In general, due to the internet's architecture, a user can be distinguished from another by the
112+
user's IP address. IP addresses do not perfectly match to a user; as a user moves from device to
113+
device, or from network to network, their IP address will change; similarly, NAT routing, proxy
114+
servers, and shared computers enable packets that appear to all come from a single IP address to
115+
actually map to multiple users. Technologies such as onion routing can be used to further anonymize
116+
requests so that requests from a single user at one node on the internet appear to come from many
117+
disparate parts of the network. [[RFC791]]
118+
119+
<p>However, the IP address used for a user's requests is not the only mechanism by which a user's
120+
requests could be related to each other. Cookies, for example, are designed specifically to enable
121+
this, and are the basis of most of the web's session features that enable you to log into a site
122+
with which you have an account. More generally, any kind of cache mechanism or shared state,
123+
including but not limited to HSTS, the HTTP cache, grouping of connections, storage APIs, can and
124+
ought to be expected to be abused. [[COOKIES]] [[RFC6797]] [[STORAGE]]
125+
126+
<p>There are other mechanisms that are more subtle. Certain characteristics of a user's system can
127+
be used to distinguish groups of users from each other. By collecting enough such information, an
128+
individual user's browser's "digital fingerprint" can be computed, which can be better than an IP
129+
address in ascertaining which requests are from the same user.
130+
131+
<p>Grouping requests in this manner, especially across multiple sites, can be used for malevolent
132+
purposes, e.g., governments combining information such as the person's home address (determined from
133+
the addresses they use when getting driving directions on one site) with their apparent political
134+
affiliations (determined by examining the forum sites that they participate in) to determine whether
135+
the person should be prevented from voting in an election.
136+
137+
<p>Since the malevolent purposes can be remarkably evil, user agent implementors and specification
138+
authors are strongly encouraged to minimize leaking information that could be used to fingerprint or
139+
track a user.
140+
141+
<p>Unfortunately, as the first paragraph in this section implies, sometimes there is great benefit
142+
to be derived from exposing APIs that can also be abused for fingerprinting and tracking purposes,
143+
so it's not as easy as blocking all possible leaks. For instance, the ability to log into a site to
144+
post under a specific identity requires that the user's requests be identifiable as all being from
145+
the same user, more or less by definition. More subtly, though, information such as how wide text
146+
is, which is necessary for many effects that involve drawing text onto a canvas (e.g., any effect
147+
that involves drawing a border around the text) also leaks information that can be used to group a
148+
user's requests. (In this case, by potentially exposing, via a brute force search, which fonts a
149+
user has installed, information which can vary considerably from user to user.)
150+
151+
<p tracking-vector>Features that are defined in documents using the Infra Standard that can be used
152+
as a <dfn export>tracking vector</dfn> are marked as this paragraph is.
153+
154+
<p>Other features in the platform can be used for the same purpose, including, but not limited to:
155+
156+
<ul>
157+
<li>The exact list of which features a user agents supports.
158+
<li>The maximum allowed stack depth for recursion in script.
159+
<li>Features that describe the user's environment.
160+
<li>The user's time zone.
161+
<li>HTTP request headers.
162+
</ul>
163+
164+
106165
<h2 id=algorithms>Algorithms</h2>
107166

108167
<p>Algorithms, and requirements phrased in the imperative as part of algorithms (such as "strip any
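Review bot: the marker paragraph `<p tracking-vector>Features that are defined in documents using the Infra Standard that can be used as a <dfn export>tracking vector</dfn> are marked as this paragraph is.` depends on the bare `tracking-vector` attribute being styled, but nothing in this hunk adds a stylesheet rule or says how the mark is rendered, so a reader of the source (or of a downstream spec that copies the attribute) gets no visible cue from "are marked as this paragraph is"; either add the styling in the same change or state in the paragraph what the marker looks like. Minor: the first list item `<li>The exact list of which features a user agents supports.` should read "a user agent supports".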
