Fake downloads, fingerprinting, cross-site covert channels

[martinthomson]

(I've read #3, but I think that this is orthogonal to that idea.)

The explainer currently suggests that browsers fake a download if they already have a language pack that they would ordinarily have to retrieve. I imagine that a simple approach would be to remember how long it took to download a language pack when it was really retrieved and then wait about the same amount of time when a site first asks to use that pack.

This almost works, but there are some fairly obvious side channels.

A download consumes network resources. This means that a site can either inflate the time taken to obtain a pack by adding its own network usage or detect a fake download by observing no change to network throughput when requesting a new pack. Some amount of user fingerprinting is already possible through network capacity observations. This is because the network is a shared resource that we don't protect very well (mostly because it is generally considered to be scarce).

This might give sites the ability to generate a signal that other sites can read through increases to the time that obtaining a pack takes. Multiplied by the number of available packs (hence #3, I suppose).

The only mitigation I can think of here is to have the retrieval of language packs use the network exclusively. That's pretty disruptive though.

[domenic]

Yeah, our security folks didn't find the fake downloads idea that compelling either. Maybe I should just remove it.

[domenic]

I've posted webmachinelearning/writing-assistance-apis#47, which goes into more detail on the current privacy and security mitigations we're planning, and mandates most of them as "should"-level requirements. Direct link to PR preview.

Regarding the specific idea of fake downloads, this is covered in two sections:

• https://pr-preview.s3.amazonaws.com/webmachinelearning/writing-assistance-apis/pull/47.html#privacy-availability-alternatives explains fake downloads alongside other options, such as complete storage partitioning, or repeated downloads that reuse the same disk space. It takes care to point out the attacks you've mentioned here.
• https://pr-preview.s3.amazonaws.com/webmachinelearning/writing-assistance-apis/pull/47.html#privacy-language-availability explains how fake downloads can be useful in some cases, not as an anti-fingerprinting mechanism, but as a plausible-deniability mechanism for the user's demographic information.

In Chrome, our current implementation plan aligns with these guidelines: our primary line of defense against fingerprinting is other techniques, such as download status masking. But we plan to introduce short fake downloads for plausible deniability as well.

Note that even though the above PR is located in the writing assistance APIs spec, these privacy and security considerations are written to apply across all built-in AI APIs, including translator, and to tackle this issue specifically. So, after that PR gets reviewed and merged, the plan is to close this issue by updating the translator spec to refer to that section.

Any thoughts are appreciated!