W3C home > Mailing lists > Public > public-device-apis-log@w3.org > February 2019

Re: [deviceorientation] Add API for requesting permission to receive device motion / orientation events (#57)

From: Tim van Scherpenzeel via GitHub <sysbot+gh@w3.org>
Date: Fri, 01 Feb 2019 19:18:56 +0000
To: public-device-apis-log@w3.org
Message-ID: <issue_comment.created-459836603-1549048735-sysbot+gh@w3.org>
For any new readers: earlier in this thread the new study on https://sensor-js.xyz/ is referenced. The relevant paper can be found here: https://sensor-js.xyz/webs-sixth-sense-ccs18.pdf. From what I understand the main issue is the misuse of the sensors for browser fingerprinting and various ad-tracking techniques (such as distinguishing between bots and real users).

In the study some other studies and exploitations are referenced (reading PIN's, reading keystrokes, sniffing browser history) which many have already said in the past to be highly impractical and extremely difficult to pull off in a short amount of time in the confined space that is the web browser. They are neat hacks (see: https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/) but I have problems considering them to be actual threats.

The paper is also not clear on how this raw data is actually used to help towards browser fingerprinting seeing as the sensor data rapidly changes over time and is not a consistent identifier over a longer period of time. If someone could explain that to me in more detail it would be highly appreciated.

I think there is plenty we can do to make it a lot more difficult for advertising networks to misuse these sensors (for example block any 3rd party iframe embeds / cross-origin sources from using these sensors by default, even secure sources). Browser fingerprinting is still very successful and won't be affected in any major way by this change: just have a look at fingerprinting through WebRTC / WebSocket / canvas / font detection / plugin support / evercookie / user agent / WebGL renderer & extensions. 

The damage of this proposed change far outweighs the possible benefits in my opinion and should be seen as a last resort. I feel that we should push for blocking default sensor access through 3rd party services (even secure ones) but leave it open for 1st party users that can use these sensors in creative ways (AR / VR / parallax effects etc..).

GitHub Notification of comment by TimvanScherpenzeel
Please view or discuss this issue at https://github.com/w3c/deviceorientation/issues/57#issuecomment-459836603 using your GitHub account
Received on Friday, 1 February 2019 19:18:57 UTC

This archive was generated by hypermail 2.3.1 : Friday, 1 February 2019 19:18:57 UTC