A question about user tracking with QUIC

Stephane Bortzmeyer <bortzmeyer@nic.fr> Mon, 07 June 2021 12:39 UTC

Return-Path: <bortzmeyer@nic.fr>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B51F3A1401 for <quic@ietfa.amsl.com>; Mon, 7 Jun 2021 05:39:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uiA22F4rGwbn for <quic@ietfa.amsl.com>; Mon, 7 Jun 2021 05:38:58 -0700 (PDT)
Received: from mx4.nic.fr (mx4.nic.fr [IPv6:2001:67c:2218:2::4:12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5908A3A13F5 for <quic@ietf.org>; Mon, 7 Jun 2021 05:38:58 -0700 (PDT)
Received: from mx4.nic.fr (localhost [127.0.0.1]) by mx4.nic.fr (Postfix) with SMTP id 5A20F280BC3 for <quic@ietf.org>; Mon, 7 Jun 2021 14:38:54 +0200 (CEST)
Received: by mx4.nic.fr (Postfix, from userid 500) id 54F34280D81; Mon, 7 Jun 2021 14:38:54 +0200 (CEST)
Received: from relay01.prive.nic.fr (relay01.prive.nic.fr [IPv6:2001:67c:2218:15::11]) by mx4.nic.fr (Postfix) with ESMTP id 4D3BF280BC3 for <quic@ietf.org>; Mon, 7 Jun 2021 14:38:54 +0200 (CEST)
Received: from b12.nic.fr (b12.tech.ipv6.nic.fr [IPv6:2001:67c:1348:7::86:133]) by relay01.prive.nic.fr (Postfix) with ESMTP id 486C26071EA6 for <quic@ietf.org>; Mon, 7 Jun 2021 14:38:54 +0200 (CEST)
Received: by b12.nic.fr (Postfix, from userid 1000) id 394B33FF3C; Mon, 7 Jun 2021 14:38:54 +0200 (CEST)
Date: Mon, 07 Jun 2021 14:38:54 +0200
From: Stephane Bortzmeyer <bortzmeyer@nic.fr>
To: IETF QUIC WG <quic@ietf.org>
Subject: A question about user tracking with QUIC
Message-ID: <20210607123854.GA16312@nic.fr>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
X-Operating-System: Debian GNU/Linux 10.9
X-Kernel: Linux 4.19.0-16-amd64 x86_64
X-Charlie: Je suis Charlie
Organization: NIC France
X-URL: http://www.nic.fr/
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Bogosity: No, tests=bogofilter, spamicity=0.033515, version=1.2.2
X-PMX-Version: 6.4.9.2830568, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2021.6.7.122416, AntiVirus-Engine: 5.83.0, AntiVirus-Data: 2021.6.6.5830001
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/iVgF74YLPVpCcYUDPAXH_MVLEOw>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jun 2021 12:39:03 -0000

I was thinking about the privacy risks of QUIC and there is one where
I'm not sure what to think of it, and for which I cannot find any
discussion in the archives of the WG.

Long-term QUIC connections may enable some user tracking, even when
the user changes its IP address, without even needing HTTP cookies or
things like that.

I am not sure it is a real problem in practice because it's not new
(HTTP/2 offered similar possibilities), there are many other ways to
track users (HTTP cookies, browser fingerprinting, Google Analytics),
and they even work cross-servers. But it can be a problem for
privacy-oriented technologies (QUIC cannot currently work over Tor but
may be in the future?)

I do not find discussions about that. Was it considered? (If so, you
are welcome to reply "Search with mailarchive yourself" but I prefer
if it comes with URLs and/or approximate datetimes.) Is it, for
instance, a good idea to advise privacy-oriented clients to always
shut down QUIC connections when IP address changes?