Add initial privacy considerations for fingerprinting and data leakage

johannhof · johannhof · commit bd259809555d · 2025-06-18T21:14:02.000Z
diff --git a/index.html b/index.html
@@ -1005,16 +1005,16 @@ <h5>
         </p>
         <p>
           Note that unlinkability is exclusively a consideration for attributes
-          that can not be linked to a specific user identity. Inherently linkable
-          attributes such as names, driver's license numbers or phone numbers do
-          not benefit from unlinkability.
+          that can not be linked to a specific user identity. Inherently
+          linkable attributes such as names, driver's license numbers or phone
+          numbers do not benefit from unlinkability.
         </p>
         <p>
-          Through the Digital Credentials API, the user agent can help verifiers
-          and wallets exchange unlinkable attributes, but it can not guarantee
-          that no linkable information is passed between verifiers and wallets.
-          It is recommended that user agents account for this fact in their
-          user permission experience.
+          Through the Digital Credentials API, the user agent can help
+          verifiers and wallets exchange unlinkable attributes, but it can not
+          guarantee that no linkable information is passed between verifiers
+          and wallets. It is recommended that user agents account for this fact
+          in their user permission experience.
         </p>
         <p class="issue" data-number="279">
           Which level of unlinkability is the goal for this API? Can we
@@ -1129,6 +1129,37 @@ <h3>
           this risk.
         </p>
       </section>
+      <section>
+        <h3>
+          Fingerprinting and Data Leakage
+        </h3>
+        <h4>
+          Browser fingerprinting
+        </h4>
+        <p class="issue" data-number="219">
+          The Digital Credentials API exposes information about which
+          credential exchange protocols are supported by the user agent, which
+          has the potential to be used for browser fingerprinting (see
+          [[[fingerprinting-guidance]]]). We need to add privacy considerations
+          for the involved mitigations here.
+        </p>
+        <h4>
+          Avoiding leaks of credential availability
+        </h4>
+        <p>
+          The Digital Credentials API can not make it possible for websites to
+          learn whether a certain credential is available or not without going
+          through a <a href="#user-permission-and-transparency">user permission
+          flow</a>. Revealing the presence of credentials is a risk to user
+          privacy, as the presence of a credential is personal information that
+          the user might not have preferred to share with the site, and, in
+          combination with other signals, could be used to identify the user
+          without their permission. It is also a risk to free expression, as
+          websites might increasingly start to demand the presentation of these
+          credentials from the user in order to access services, excluding
+          individuals who are unwilling or unable to present credentials.
+        </p>
+      </section>
       <section>
         <h3>
           Over Collection of Data
