6. Privacy Considerations
Expect-CT can be used to infer what Certificate Transparency Policy a UA is using by attempting to retrieve specially configured websites that pass one user agent's policies but not another's. Note that this consideration is true of UAs that enforce CT policies without Expect-CT as well.
Additionally, reports submitted to the report-uri could reveal information to a third party about which web page is being accessed and by which IP address, by using individual report-uri values for individually tracked pages. This information could be leaked even if client-side scripting were disabled.
Implementations store state about Known Expect-CT Hosts and, hence, about which domains the UA has contacted. Implementations may choose not to store this state, subject to local policy (e.g., in the private browsing mode of a web browser).
Violation reports, as noted in Section 3, contain information about the certificate chain that has violated the CT Policy. In some cases, such as an organization-wide interception of otherwise end-to-end TLS, this may include information about the interception tools and design used by the organization that the organization would otherwise prefer not to disclose.
Because Expect-CT causes remotely detectable behavior, it's advisable that UAs offer a way for privacy-sensitive end users to clear currently noted Expect-CT Hosts and allow users to query the current state of Known Expect-CT Hosts.