Re: A question about user tracking with QUIC

Mirja Kuehlewind <mirja.kuehlewind@ericsson.com> Wed, 14 July 2021 17:07 UTC

Return-Path: <mirja.kuehlewind@ericsson.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1303F3A259C for <quic@ietfa.amsl.com>; Wed, 14 Jul 2021 10:07:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.553
X-Spam-Level:
X-Spam-Status: No, score=-2.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d_n6NNgy9r7D for <quic@ietfa.amsl.com>; Wed, 14 Jul 2021 10:07:38 -0700 (PDT)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2072.outbound.protection.outlook.com [40.107.21.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA7F63A259B for <quic@ietf.org>; Wed, 14 Jul 2021 10:07:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=HO3EK76qYSVf4Kdb7bthEb6vCt9A23BAEu/e5jM5kq/3F9Hco7PJToT/z+pz0V80Dr8RGWtYsUJdawGFh+O+jSKsKedA4NC7JU501FRZwVKZV6UpgAJJAiAMBovpPcOLGeVKE6XDF885gmXS6Um0nV5P1AL7fwDM/R6kEnmOklOVMLKtZGqcKmaojMCXVa4BMscFAw40DvHzDhrd93dgm5vWM0I4cThrJf3FwRrFocY/e+QxrWkSbcUvqqjaQQcU8xUbbrJF83zCjLUZTCUF5bEmujzSdXIDZ52SsRE3NODvpcxYbKnobo9wJII/+mJ07GYyHpozq0h5WLvOxaxFNA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=LNPVONbyFc5Y6BMRPphTZGFAaovivWsNFRaWsVxJAiQ=; b=IAwGQabADC8cohTVP4o3a/V2/9ysURK0ovgG4DL2VFzFw17TKdjpU33z7LJyGLI4iThjLDLkD1ha43L/8TMHyvE3MslFefCcZiMmsyO2rXSRfu2AHstJiKNpDMaue+G8KDoP8K0WI2LmUNvJkbzO6zrjrriYhW566AMSW+Ydch81DoUwd7o/B3XdO0fc4iHnPQku663bsaWD8u00yHcHCF/WYvPuIPJQHnIVRQ7Z7diqLJNFiFEGN9+b83FZOq5KIvcEFJC5E/F6VAEA2i9IsqEEr5v4hj4If4GM/sENettk+hy/aTKddoP/fAkSw/75eq9y+AARZYcbb7cu0ava4w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=LNPVONbyFc5Y6BMRPphTZGFAaovivWsNFRaWsVxJAiQ=; b=GNHxV5Wloy4ZeB78ppXDC9NtDn7gaf4pCKFxG0qP4NQwDbYU8+dBdHw2og85jr/079lwCs8vYVkSt9S9UR+ScYrWHMp8qbCxxUY2p9aK7K55RwMStDsR43kZ8KlHDAsxDPgrR7vBXzDFTFu7BpMl3k/5U0ikOKtJ6L7jbrrsC3Q=
Received: from DB9PR07MB7804.eurprd07.prod.outlook.com (2603:10a6:10:26d::21) by DBBPR07MB7563.eurprd07.prod.outlook.com (2603:10a6:10:1e3::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4331.11; Wed, 14 Jul 2021 17:07:35 +0000
Received: from DB9PR07MB7804.eurprd07.prod.outlook.com ([fe80::869:6009:74d6:b3ea]) by DB9PR07MB7804.eurprd07.prod.outlook.com ([fe80::869:6009:74d6:b3ea%4]) with mapi id 15.20.4352.008; Wed, 14 Jul 2021 17:07:35 +0000
From: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
To: Mirja Kuehlewind <mirja.kuehlewind=40ericsson.com@dmarc.ietf.org>, Stephane Bortzmeyer <bortzmeyer@nic.fr>, IETF QUIC WG <quic@ietf.org>
Subject: Re: A question about user tracking with QUIC
Thread-Topic: A question about user tracking with QUIC
Thread-Index: AQHXW5onDSMH9yANmE60L/JCGqHLOqtDDemAgAAB4wA=
Date: Wed, 14 Jul 2021 17:07:35 +0000
Message-ID: <BE58A2D5-1D45-4102-8F0B-31A45AFB05DF@ericsson.com>
References: <20210607123854.GA16312@nic.fr> <C0EFE417-EB96-4760-B416-A35C1114138A@ericsson.com>
In-Reply-To: <C0EFE417-EB96-4760-B416-A35C1114138A@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.48.21041102
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 6f7891d7-7698-414a-610d-08d946e9e037
x-ms-traffictypediagnostic: DBBPR07MB7563:
x-microsoft-antispam-prvs: <DBBPR07MB7563F46A654F03E9266D15D2F4139@DBBPR07MB7563.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: ydVdSqj4tETrnonFqLBU4fOyJQpMFVzGULmZJbjcXO2hS/oiY3swxs9w7jXQVB8FG7XuMbSbCSts6OL44PU7yw3pOWMlo3thU/G3h4RLtZ9d/AlDDOyZ2nqtwfVRx85xmVO0OZ1Cyv5u6SbfL8HQFd0Uhm5ZdLD0CQ3z1Z+S4LzLl+eosfd7clch/a6kjNYus5XUXl8bnt1poKoMfQ+QjJgzNHKxfefOUd59JUDB76rhaQqU/doWO0v1l6JL49EoH4HS7iPIzMl/NfMwzhHAKRgPJwwqCjqm5et8+eqokBL7ppIxOhnKFNrKL+cU9AklsUFafbXsVJrRganJVJOXCN6YP/kzRKijJwNabpYFMHU6AfGHBlNUZnl+KaGIRmarxinq+o0PUQF/4cTydCo9n01L++MkA/MwdZmnfxezq8Xu4cgq7/hcayu2cupfUVFqWsAspgxqNfH14UU7RJpFvqEn2eFRxbIecsi3muNBUYMN0HDaYZjwaFYlDddHVz7NKMXeAWNbXmhgl+Em3C9lA/LTvQF/Z/PcWX/AztaiVA4XYObTGHIHm6Dt3n3I4Kzg97wUscQ33n++vz0DPH7nkcOSg3PAqcpT8QSLy4awys+euKz01a8AvJ9UboxmzftvGXv/M0undjdrSs5v7hHNx9eNXaYu5UAxXlUp8ELeBmb/UJfvC4TTlOGDRXQCNoVMGMtG9ILP9D8X58Q200FW2CRiE2FSlxA+q1sCUuR1McIDfcbMCenwq8I7ApxlUy2nwrF9S9AS7XfH4phC+FKHUh3P+6pa0oN8VV6HgLGpqtkw4hkhJhX4r9MZmeWbvGmD
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB9PR07MB7804.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(346002)(366004)(376002)(396003)(39860400002)(66946007)(38100700002)(6506007)(2616005)(66476007)(66574015)(33656002)(86362001)(36756003)(2906002)(53546011)(122000001)(966005)(186003)(316002)(83380400001)(76116006)(478600001)(64756008)(5660300002)(8936002)(66556008)(66446008)(91956017)(110136005)(44832011)(8676002)(6512007)(6486002)(71200400001)(38070700004)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?utf-8?B?LzJJYnlLbGZRSnpJODlTc3BQOWE4VzZmN245NzhmM0hmK3c1SEhJZmVxd2Zi?= =?utf-8?B?bjllSm1EbzBlejlmRGNDbW9sZjI3RnNHYUo1VmpWcjVHOWhjOWRmWEhBR2wz?= =?utf-8?B?Y25FWmUvd1FCaHEyNWZmeWh3dW5Yay9VMnUrTGd5bHh3V3MyT2h3eCsyTlp4?= =?utf-8?B?UFZ4eXJuaXhYTlgrS3dYaUpzLzhuTmtmeHF1Z0tEU2tTdkxZTFBLRFFzRzVo?= =?utf-8?B?aU4vclNqN040UVRwWFA1ZEQ4ejNFMW1INkZVcVoxM2IxRUN5UkpTdHBIVGdi?= =?utf-8?B?MVNINjhrQUgrSGlxZzBpU0pOeTA5QVVPR2xXYmFTSFRTQy9vSU5JeGoydmZL?= =?utf-8?B?ZmZwY3E3cEpjTEdJVHZMMFRGaC9QeDVSVWhjZ3ptWnd3ZXN2TjVCWEhNU0xM?= =?utf-8?B?allBajFzWExQeWY1cWpzbkpRVjh2OVBMWUI2UDU4U0ZLbXQ5N0hEOUZlT091?= =?utf-8?B?THova3I1VFFhTVhPTU9PK3Frc1RhQkxtczNqVkpmb1kzWFlqV2kvWFNpZUFT?= =?utf-8?B?OHZ6cW9VK2I4U0xlYkpnMU9iaUE0Tm44VUlqc20wdWZWellxKzdyd1FUY2N6?= =?utf-8?B?WVNCNmozWURCWTF0eDNUZnNacXZJOGRRamZIRmhKZmhWTEVFbGVVd0FrSm0y?= =?utf-8?B?T1U0YUFEVytyRFY0QWVNUFdHTmM2cUxxTm1nTjExVlhLdXpRWjVKRjM2WEJP?= =?utf-8?B?cGw5QXRxdEkwdEVOSjIzVUYyZE1WbzZRMDBucWtjYi8wL1pSbHhqUUxaUldV?= =?utf-8?B?YlhKWmNIaVBXWkIvcllNU1RIVEVJTG1ReUYyL3NISU9DRlVGT1RDWkp6L0Ix?= =?utf-8?B?MXUwNWQ3R25QUFI2aHhHa0lMR1VwTXdnNGdBM1JEN213YkRnaWJnS3RVY1g5?= =?utf-8?B?ZGFOWVI0Y0M5NDcwNkJab0JYYTFJc2xqbG0yVUZaUy96V0o0OGYwU2ZpVkxp?= =?utf-8?B?N3FlTlNyTzA5NmFRakRFcWtEczR5QUxZSWtoaTBUTTNIQUtyaWJyZTlhejJF?= =?utf-8?B?RDFNWUpWcStuVEJFQ1NndityVnQrSklTY3JMeUt1Q3FnRk8wVzk2VnJmY1JE?= =?utf-8?B?RDBsK1k4bVptZWp4Nm96Z3IvZUFpamxSWnFFanhORHBVK0VaUTVJRks2TEFs?= =?utf-8?B?VnBFc3BXT2NrVlJmVlVZMTQzMmd2aFJBemZHRHdRZDllam0zQWluWkE0VXBP?= =?utf-8?B?cVRpbGNrdHlvWTZwUHhaNzdqTVFIdVpLRjBnejhIbjErM0RRSzRCZnFwRzdx?= =?utf-8?B?RStHNTBpTkNnaStPd0VBSHYyOHVjbGl3Wi9jang4MldqYW90VmlEbytjR0NK?= =?utf-8?B?dmQ5azZyQWNYWDdHYjYydDVJM1lKWFJseDR1bm0rTHJBWGUremZVYU1CMDdT?= =?utf-8?B?SXJ0Y2M5KzJMNDR6bSsvbDRUNExyUlFZb3dKcWpaVjFUSitZOHVWcHdHQjJt?= =?utf-8?B?Undvc1JpaUpWWVF5WTlNTHBnTTMwTXRpclBWTEY5UEt0U1pJV3NDSjRXMTJN?= =?utf-8?B?d3ZoQklRaStGcnhEcVpCOXRsZDUrL3NUYS85ejdrK1lwRkwrOGFBbG51djI2?= =?utf-8?B?WEZiaTdPYmFwSk5GTWIxY1pLQk1vNnBrcTd6a0h6bmozaEMybjAyeTRNdEx4?= =?utf-8?B?dlBwSlBaZ01ZRXRJVlpRb1d1MUNxNzM4YnI3Qng5NGo3VnFLaVhyVnVqYy9w?= =?utf-8?B?QmpoeXlxazhkM2k4d1R5dVFxRzFwZjBONGdiTEtRQkJncE90ZDhVL3g1elJa?= =?utf-8?B?MU5YSDcxZTRueGJoYkRpRm5NVE9XWjhkSmgwMEVkUTVsdWVXYTNOelRZdjZV?= =?utf-8?B?Q0tCY2Y2U29ZenI4VnErWWg1V1U0d2J4QW1nOFF6VVRmSUdrVEpGTXRtSWk1?= =?utf-8?Q?gKBr/MmESQqxr?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <E2FA88FF6CB3CC4DB5B0A20D32AE4F77@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DB9PR07MB7804.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6f7891d7-7698-414a-610d-08d946e9e037
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jul 2021 17:07:35.2337 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: hyN5QT5murZNt7rcnp/FQxqleJCjHGWGBrMS7+CLy+KcWZB3qhtWdLv8o3thtmHBB+YrtJb5Dxv/NrM+LMS1hmf+AXP7TtoaP7y5ZSB6svk=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBBPR07MB7563
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/AlU3Er7GM1Wkew3wy6p9ZZzO614>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jul 2021 17:07:43 -0000

Okay, I have to admit that I don't know who to use my mail client correctly and I've now seen that there are many replies. However, I hope the pointer to the manageability draft is still somewhat helpful...



On 14.07.21, 19:01, "QUIC on behalf of Mirja Kuehlewind" <quic-bounces@ietf.org on behalf of mirja.kuehlewind=40ericsson.com@dmarc.ietf.org> wrote:

    Hi Stephane,

    I just found this older mail and didn't really see a reply, so here a quick note:

    You are right that it's really hard to avoid tracking completely, just because if one flow stops sending to server but that the same time another flow starts sending with the same "speed" it likely that it is actually the same flow.

    Maybe a few notes on this are in the manageability document here:

    https://datatracker.ietf.org/doc/html/draft-ietf-quic-manageability-11#section-3.5

    Not sure what else to say...

    Mirja



    On 07.06.21, 14:39, "QUIC on behalf of Stephane Bortzmeyer" <quic-bounces@ietf.org on behalf of bortzmeyer@nic.fr> wrote:

        I was thinking about the privacy risks of QUIC and there is one where
        I'm not sure what to think of it, and for which I cannot find any
        discussion in the archives of the WG.

        Long-term QUIC connections may enable some user tracking, even when
        the user changes its IP address, without even needing HTTP cookies or
        things like that.

        I am not sure it is a real problem in practice because it's not new
        (HTTP/2 offered similar possibilities), there are many other ways to
        track users (HTTP cookies, browser fingerprinting, Google Analytics),
        and they even work cross-servers. But it can be a problem for
        privacy-oriented technologies (QUIC cannot currently work over Tor but
        may be in the future?)

        I do not find discussions about that. Was it considered? (If so, you
        are welcome to reply "Search with mailarchive yourself" but I prefer
        if it comes with URLs and/or approximate datetimes.) Is it, for
        instance, a good idea to advise privacy-oriented clients to always
        shut down QUIC connections when IP address changes?