Existing media queries expose whether forced colors mode is on, but computed style can expose the specific colors. Is that an extra privacy leak?

Tess presents example where specific colors may be set based on screen brightness, which would expose screen brightness.

Lea: But in modern devices where screen brightness is set based on ambient light, that would be a very poor choice for fingerprinting as it would fluctuate all over the place.

Tess: If it exposes ambient light information that also makes it a privacy leak

Lea: Isn't there an Ambient Light API?

Tess: Yes, and work has stalled due to privacy concerns! I hope nobody implements it!

... Also, even if another platform feature exposes privacy sensitive info, that is not justification to add this info on other APIs because it makes it harder to get rid of. WebGL example where WebGL is primarily used for fingerpinting. If we use WebGL as justification for exposing sensitive info elsewhere, it means we can't get rid of it by just getting rid of WebGL one day.

Peter: Maybe we should not only discuss this among CSS WG members.

Discussion follows, with decision to to punt to Breakout C so that others can weigh i

Rossen: I posted a comment.

Dan: looks good let's close.

[closed

Tess: Talked to Rossen and Lea about this... forced colour mode is part of windows accessibility settings. On windows, Rossen doesn't believe that the system colours doesn't give you any more information than the media query you can use to find out what kind of forced colour mode you're on. Eg. background dark and foreground light? Then the system colours reflect that, but you don't learn anything new about the state of the computer that you didn't already know because of the media query. In practice there isn't a concern on windows. I was concerned, the fact there is an implementation of this and that is the case in that implementation is relevent information but the kinds of implementation decisions that windows made aren't requirements of the spec itself. Very easy to imagine other kinds of forced colour implementation where the system colour values provides additonal information. So we talked through a couple of theoretical examples. One I made up: a portable system with a display capable of extreme brightness, you can imagine it having an ambient light sensor and forced colour mode can adjust system colours dynamically based on ambient light to make the screen the most readable in the current situation. So the media query would match 'yeah' but the system colour values would change independant of that. I don't know if that's realistic. The point was I don't think there's anything here that requires the windows behaviour. I think while the fingerprinting concern from the system colour values may only be theoretical presently, it's real enough that CSSWG should make a note of it. On implementations where system colours can vary independant of the media query, this could be additional fingerprinting information. I need to comment on the thing - practically there isn't a problem, but enough of a theoretical thing. ... this came to us as an escalation, so not sure if that's the right asnwer. ... Lea, Rossen and I are all in the CSS WG. We agreed that if the CSS WG is escalating something to the TAG it shouldn't just be CSS WG memebers on TAG who come up with an answer.

Dan: value to having th ediscussion with the rest of the TAG. Folks on TAG and CSS have a unique understanding. By explaining it to us i think you're getting validation of the issue. I don't disagree with what you're saying. I remain concerned about any fingerprinting issue.

Tess: also - there's a blog post from PING called antipatterns in web privacy or something - that mentions the arguement, it's okay to add this thing that has fingerprinting bits because thos efingerprinting bits are already exposed elsewhere. It addresses that. It's still a problem. You are doubling the ways in which they are accessible, doubling difficulty of removal of feature. So in the windows case where the system colour values don't provide mor einfo than the media query, it is the case that they provide the same info, which may be problematic. We want to feel like experts from outside CSSWG are looking at this more objectively than folks already in discussion.

Rossen: Both. Nothing wrong with subset of CSS folks. Shouldn't feel like a CSS WG topic is pushed to be discussed by a smaller group of CSS WG folks on the side. Tapping into additional opinion here is a must. We attempted this a couple of times. Arrived at the same conclusion. We either restrict colour values to keywords, or section off a part of the css object model that has fine colours that are a lie, or a default value, not mappable to the real actual colour being used. Same technique we used to evade detection of visited links so you can't fingerprint what a user has been browsing.

Dan: right now nothing in the issue. Can someone add that in? This is an answer that we have.

Rossen: [will serialize this]

Dan: [proposed closed