This document is at a very early stage. Many things in it are wrong and/or incomplete. Please take it as a rough shape for how we might document the target threat model, rather than as definite statements about what should be in the target threat model.
As a threat model, this specification describes attacker capabilities and attacker goals, and says which capabilities should and should not enable which goals.
As a privacy threat model, the attacker goals compromise the privacy of users, rather than their security.
As a target threat model, it describes not the current state of the Web, including all of its current and possibly unwise APIs, but rather an end state that we hope to migrate to and that new APIs should be held to. This is meant to be a plausible threat model: it doesn’t expect to remove any APIs or browser behavior that is deemed essential to the viability of the Web.
Since people are likely to disagree about which APIs are essential to the Web, when saying that an attacker can achieve their goal, this document describes how the attacker achieves it using particular "essential" APIs, and it provides an index of those APIs so readers can point out ones that they don’t consider essential.
[HTML] defines an origin as the tuple of a scheme, hostname, and port that provides the main security boundary on the web.
A site is a set of origins that are all same site with each other. Note that there are problems ([PSL-PROBLEMS]) with using registrable domains as a logical boundary.
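As an added example (not part of this document), the origin and site boundaries defined above computed in Python: origins are compared as (scheme, host, port) tuples, and same-site follows current [HTML] in comparing scheme plus registrable domain. The public-suffix list here is a constructed, deliberately tiny stand-in for the real one.

```python
from urllib.parse import urlsplit

# Constructed miniature public-suffix list. The real list is far larger and,
# as [PSL-PROBLEMS] notes, only an approximation of administrative boundaries.
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) tuple that [HTML] calls an origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname
    if host is None or scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported URL: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def registrable_domain(host):
    """Longest matching public suffix plus one label; None if the host is itself a suffix."""
    labels = host.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    # No known suffix (e.g. a bare hostname): treat the whole host as registrable.
    return host


def same_site(url_a, url_b):
    """Schemeful same-site: equal scheme and equal registrable domain (port ignored)."""
    a, b = origin(url_a), origin(url_b)
    ra, rb = registrable_domain(a[1]), registrable_domain(b[1])
    if ra is None or rb is None:
        # A bare public suffix has no registrable domain; fall back to origin equality.
        return a == b
    return a[0] == b[0] and ra == rb
```

Note that two origins can differ (different port or subdomain) while still being the same site, which is exactly the gap that makes the site, not the origin, the unit of anti-tracking policy.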
A party is defined by [tracking-dnt] as "a natural person, a legal entity, or a set of legal entities that share common owner(s), common controller(s), and a group identity that is easily discoverable by a user."
The first party for a user action is the party that controls the origin of the top-level browsing context under which the action happened. Intuitively, this is the owner of the domain in the browser’s URL bar. This differs from Mozilla’s definition in that Mozilla defines other parties as first parties if the user can easily discover which party it is and intends to interact with that party, for example to allow sign-in widgets to be first-party.
A third party for a user action is any party that isn’t the first party or the user (the second party).
A user is a human or program that controls a user agent.
A user ID is a pair of a site and a (potentially-large) integer allocated by that site that is used to identify a user on that site. A single user will generally have many user IDs that refer to them, and a single site may or may not know that multiple user IDs refer to the same user.
A global identifier is a string that identifies a particular user independent of which site they’re visiting. Users generally have relatively few global identifiers and can usually list and recognize them. A goal of anti-tracking policy is to prevent user IDs from becoming global identifiers.
An attacker is any entity trying to get information that a user might not want them to get. Attackers are often entities that a user intends to interact with in other ways, as both first and third parties, and some users may not mind their collection of this information.
This document uses the terms publisher and tracker colloquially to refer to particular kinds of sites and the parties that operate them. They are not rigorously defined.
3. High-level threats
User agents should attempt to defend their users from a variety of high-level threats or attacker goals, described in this section. then describes the low-level steps an attacker would use to achieve these high-level goals.
This section is not complete. It lists a lot of potential privacy threats, but needs editing to pick which kinds of threats belong in this threat model and to unify the multiple lists of suggestions.
The following threats were brainstormed in the 2019 TPAC PING meeting:
- Benign information disclosure (connected hardware [game controller or assistive device], system preferences [like dark mode]…)
- Sensitive information disclosure (user location, user camera, file information, financial data, contacts, calendar…)
- Intrusion (displaying messages/notifications, playing sounds, full screen…)
- Obtaining capabilities (sending SMS, finance/billing…)
The following threats are copied from Self-Review Questionnaire: Security and Privacy §threats. They are not all addressed in this document.
- Surveillance is the observation or monitoring of an individual’s communications or activities.
- Stored Data Compromise: end systems that do not take adequate measures to secure stored data from unauthorized or inappropriate access.
- Intrusion consists of invasive acts that disturb or interrupt one’s life or activities.
- Misattribution occurs when data or communications related to one individual are attributed to another.
- Correlation is the combination of various pieces of information related to an individual or that obtain that characteristic when combined.
- Identification is the linking of information to a particular individual to infer an individual’s identity or to allow the inference of an individual’s identity.
- Secondary use is the use of collected information about an individual without the individual’s consent for a purpose different from that for which the information was collected.
- Disclosure is the revelation of information about an individual that affects the way others judge the individual.
- Exclusion is the failure to allow individuals to know about the data that others have about them and to participate in its handling and use.
Safari did the first work to prove that a more privacy-preserving web was possible, by blocking third-party cookies by default and then shipping ITP 1.0, without breaking the world. They eventually published their policy for Tracking Prevention, which heavily influenced this document.
Mozilla wrote the first concrete anti-tracking policy, which inspired Safari’s policy.
Michael Kleber on the Chrome team proposed a Privacy Model for the Web, which suggests blocking the transfer of user IDs between top-level sites and suggests a few ways that information could flow between sites without compromising user privacy.