[![W3C][1]][2]

# Device and Sensors Working Group Teleconference

## 04 May 2017

[Agenda][3]

See also: [IRC log][4]

## Attendees

* Present: Dominique_Hazael-Massieux, Kenneth_Christiansen, Alexander_Shalamov, Tobie_Langel, Wanming_Lin, Anssi_Kostiainen, Frederick_Hirsch, mikhail_pozdnyakov
* Regrets:
* Chair: Frederick_Hirsch
* Scribe: anssik

## Contents

* [Topics][5]
    1. [Welcome, scribe selection, agenda review, announcements][6]
    2. [Minutes approval][7]
    3. [FPWD of Orientation Sensor specification and FPWD of Motion Explainer Note][8]
    4. [HTML Media Capture][9]
    5. [Screen Orientation API][10]
    6. [Generic Sensor API][11]
    7. [Ambient Light][12]
    8. [Wake lock][13]
    9. [Brussels workshop][14]
    10. [Battery][15]
    11. [DAS Workshop][16]
    12. [Other Business][17]
    13. [Adjourn][18]
* [Summary of Action Items][19]
* [Summary of Resolutions][20]

* * *

### Welcome, scribe selection, agenda review, announcements

GitHub digest (25 April): [https://lists.w3.org/Archives/Public/public-device-apis/2017Apr/0029.html][21]

GitHub digest (2 May): [https://lists.w3.org/Archives/Public/public-device-apis/2017May/0000.html][22]

ScribeNick: anssik

### Minutes approval

Approve minutes from 20 April 2017 [https://lists.w3.org/Archives/Public/public-device-apis/2017Apr/att-0028/minutes-2017-04-20.html][23]

proposed RESOLUTION: Minutes from 20 April 2017 are approved

**RESOLUTION: Minutes from 20 April 2017 are approved**

### FPWD of Orientation Sensor specification and FPWD of Motion Explainer Note

FPWD of Orientation Sensor specification and FPWD of Motion Explainer Note

Approved for publication, [https://lists.w3.org/Archives/Member/chairs/2017AprJun/0028.html][24]

snapshots prepared: [https://lists.w3.org/Archives/Public/public-device-apis/2017May/0002.html][25]

**ACTION:** fjh to submit publication request for Orientation sensor and motion explainer [recorded in [http://www.w3.org/2017/05/04-dap-minutes.html#action01][26]]

Created ACTION-798 - Submit publication request for orientation sensor and motion explainer [on Frederick Hirsch - due 2017-05-11].

thanks anssi

fjh: I'll proceed with the request

### HTML Media Capture

Publication request processed; publication in progress for 4 May 2017.

CR publication draft fixes to fragments, [https://github.com/w3c/html-media-capture/commit/e2424bb8dcbce7c479651ccc02a271c043e2a2ee][27]

close ACTION-788

Closed ACTION-788.

published [https://www.w3.org/TR/2017/CR-html-media-capture-20170504/][28]

### Screen Orientation API

ACTION-787?

ACTION-787 -- Kenneth Christiansen to Review screen orientation api with alexander -- due 2017-04-15 -- OPEN

[http://www.w3.org/2009/dap/track/actions/787][29]

close ACTION-787

Closed ACTION-787.

shalamov: have submitted feedback via GH

shalamov: have a few more minor issues. Have heard nothing back from editors.

close ACTION-792

Closed ACTION-792.

### Generic Sensor API

fjh: easy things first, we should publish a new WD

tobie: I wanted to do it yesterday, will do it today

anssik: +1 to publish

already agreed to do this

ACTION-779?

ACTION-779 -- Tobie Langel to Propose changes to address garbage collection issues -- due 2016-12-08 -- OPEN

[http://www.w3.org/2009/dap/track/actions/779][30]

fjh: looking through actions, did you handle the GC issue tobie

tobie: there's a bunch of GH issues on this topic

ACTION-799: issues recorded in github

Notes added to ACTION-799 .

close ACTION-799

Closed ACTION-799.

ACTION-781?

ACTION-781 -- Wanming Lin to Track changes in generic sensor api and update ambient light tests accordingly -- due 2016-12-08 -- OPEN

[http://www.w3.org/2009/dap/track/actions/781][31]

close ACTION-781

Closed ACTION-781.

[https://github.com/w3c/web-platform-tests/tree/master/ambient-light][32]

tobie: reviewed tests including ambient light

shalamov: I'll check if we pull in the latest wpt tests to Chromium

ACTION-785?

ACTION-785 -- Tobie Langel to Update milestones on generic sensor issues -- due 2017-03-16 -- OPEN

[http://www.w3.org/2009/dap/track/actions/785][33]

tobie to work on cleaning up issue tracker

tobie: triaging GH issues in progress

tobie: first thinking biggest issue is motion, fix permissions / privacy, then look at ALS; but since orientation sensors exist, but implementers not concerned about theoretical attacks, have use cases for ALS so now thinking deal with that first

alex: considering security privacy in parallel

ScribeNick: fjh

tobie: adding generic mitigation strategies to the spec

... expanding on [https://w3c.github.io/sensors/#mitigation-strategies][34]

... explaining what is in PR [https://github.com/w3c/sensors/pull/191][35]

[https://docs.google.com/document/d/1MxrVtXkSwrduY3FlYbJe_NYwChdtEWhpFIBgoRARIn0/edit#heading=h.jgeutylz2fcp][36]

[https://w3c.github.io/sensors/#mitigation-strategies][34]

[https://github.com/w3c/sensors/pull/191][35]

tobie: listing mitigation strategies is valuable since can now enable variety of use cases

tobie: working on fixes. also how to fit into HTML event loop - tests lacking on HTML side

tobie: in addition, I'm looking at how to integrate this with the event loop in the HTML

[https://docs.google.com/document/d/1Ml65ZdW5AgIsZTszk4mD_ohr40pcrdVFOIf0ZtWxDv0/edit?ts=58e6579f&pli=1#heading=h.lmg4m6asf9b4][37]

"Sensor APIs implementation in Chromium: Generic Sensor Framework"

shalamov: few months ago, me and mikhail started to work on a design doc that tries to address the permission, security and privacy issues

tobie: initially thought this would be a quality of implementation issue

turned out to be false assumption, implementers need more concrete guidance

threat levels, security policies, permissions etc should be in w3c spec that spans groups

dom, you wanted to mention interest on the previously discussed permission++ workshop

tobie: Generic Sensor API to define shared S&P terminology for other specs to use

dom: gauging interest to have a workshop around the topic

... nothing to announce yet, but people at the AC meeting were supportive

... ws needs to be organized by Wendy and Dom, but lack of cycles currently

[https://github.com/w3c/sensors/issues/171][38]

tobie: need input from kenneth_ on an issue 171

kenneth_: I'll look at the issue tomorrow

fjh: question on threats, seems we're going back and forth on whether frequency can address security-privacy threats

tobie: applicable mitigation strategies depend on the use cases and sensor types

makes sense

another example of why listing threats and mitigation strategies is a good approach

tobie: it's a tradeoff, for example frequency, find a good enough frequency that allows the implementation of the use cases while still being security and privacy preserving

shalamov: for ALS we try to mitigate risks by rounding, provide data in steps

... for motion sensors, we are thinking of tackling the threats using focus state

... if an input element that can be focused is focused waiting for user input, we can stop or slow the sensors down to the point they cannot be used for attacks

tobie: having list of risks and mitigation strategies helps us find the solutions for each of these sensors

anssik: is this new information, no existing knowledge on mitigations that work for the Web?

tobie: listing problems without offering mitigations is not enough, since security limitations on APIs may not solve right security issues and may prevent use cases

this is new for W3C, elsewhere listing threats along with mitigations is done

[https://w3c.github.io/battery/#security-and-privacy-considerations][39]

The user agent should not expose high precision readouts of battery status information as that can introduce a new fingerprinting vector.

anssik: implementers seem to ignore security and privacy considerations

might not if mitigations are mentioned

anssik: also they ignore things that are not testable

can make testable mitigation strategies

anssik: need mitigations to be interoperable

anssik: when are we publishing CR for generic sensor API

tobie: let me think about it, need to clean up document

tobie: will need to cleanup issues first to be able to say where we stand in terms of CR

tobie: 15 open issues, can get it down to 3

### Ambient Light

ACTION-778?

ACTION-778 -- Dominique Hazaël-Massieux to Review test results pull request for ambient light [https://github.com/w3c/test-results/pull/72][40] -- due 2016-12-08 -- OPEN

[http://www.w3.org/2009/dap/track/actions/778][41]

close ACTION-778

Closed ACTION-778.

### Wake lock

ACTION-774?

ACTION-774 -- Andrey Logvinov to Transfer [https://github.com/w3c/ping/blob/master/wake-lock-privacy.md][42] as github issues -- due 2016-09-15 -- OPEN

[http://www.w3.org/2009/dap/track/actions/774][43]

anssik: related to Ambient Light - attack Lukasz noted - interactions among sensors, possibly related to generic sensor API

anssik: ALS attack uses Wake Lock API to keep the screen awake

anssik: wake lock not shipping yet, but should take this potential attack into account

anssik: possible topic for workshop

@tobie a github issue for this on ALS

### Brussels workshop

tobie: attended a workshop organized by UK university

... workshop scope: how standards make privacy impact on users, standards process, IP, open source

... I gave perspective on the W3C aspects, Lukasz shared battery paper findings

... talks around fingerprinting etc.

tobie: Lukasz noted that often API is used for unintended use

battery status mitigations against the tracking scripts: [https://github.com/w3c/battery/issues/10][44]

### Battery

ACTION-777?

ACTION-777 -- Anssi Kostiainen to Edit battery to document privacy concerns related to issue 5 -- due 2016-10-13 -- OPEN

[http://www.w3.org/2009/dap/track/actions/777][45]

in progress

### DAS Workshop

should we complete questionnaire given likely to have workshop instead

dom: sounds like workshop and issues with travel suggests not planning on TPAC, also Tobie noted he cannot attend TPAC

+1

anssik: can we have WG meeting in conjunction with workshop?

dom: yes

anssik: would prefer not to have DAS at TPAC

proposed RESOLUTION: DAS will not meet at TPAC

**RESOLUTION: DAS will not meet at TPAC**

dom: can scale down to simply WG meeting if workshop not possible, but expect workshop should be possible

dom: have smaller scale workshop

anssik: can you please check into possible Intel hosting

tobie: we need to get Google and Mozilla participation if we want permissions work to progress

fjh: we need to frame this workshop appropriately, so it is worthwhile and gets participation; plan for Europe, need early idea on venue to avoid later problems

### Other Business

none

### Adjourn

Thanks everyone

## Summary of Action Items

**[NEW]** **ACTION:** fjh to submit publication request for Orientation sensor and motion explainer [recorded in [http://www.w3.org/2017/05/04-dap-minutes.html#action01][46]]

## Summary of Resolutions

1. [Minutes from 20 April 2017 are approved][47]
2. [DAS will not meet at TPAC][48]

[End of minutes]

* * *

Minutes formatted by David Booth's [scribe.perl][49] version 1.144 ([CVS log][50]) $Date: 2015/11/17 08:39:34 $

[1]: https://www.w3.org/Icons/w3c_home
[2]: http://www.w3.org/
[3]: https://lists.w3.org/Archives/Public/public-device-apis/2017May/0001.html
[4]: http://www.w3.org/2017/05/04-dap-irc
[5]: #agenda
[6]: #item01
[7]: #item02
[8]: #item03
[9]: #item04
[10]: #item05
[11]: #item06
[12]: #item07
[13]: #item08
[14]: #item09
[15]: #item10
[16]: #item11
[17]: #item12
[18]: #item13
[19]: #ActionSummary
[20]: #ResolutionSummary
[21]: https://lists.w3.org/Archives/Public/public-device-apis/2017Apr/0029.html
[22]: https://lists.w3.org/Archives/Public/public-device-apis/2017May/0000.html
[23]: https://lists.w3.org/Archives/Public/public-device-apis/2017Apr/att-0028/minutes-2017-04-20.html
[24]: https://lists.w3.org/Archives/Member/chairs/2017AprJun/0028.html
[25]: https://lists.w3.org/Archives/Public/public-device-apis/2017May/0002.html
[26]: http://www.w3.org/2017/05/04-dap-minutes.html#action01
[27]: https://github.com/w3c/html-media-capture/commit/e2424bb8dcbce7c479651ccc02a271c043e2a2ee
[28]: https://www.w3.org/TR/2017/CR-html-media-capture-20170504/
[29]: http://www.w3.org/2009/dap/track/actions/787
[30]: http://www.w3.org/2009/dap/track/actions/779
[31]: http://www.w3.org/2009/dap/track/actions/781
[32]: https://github.com/w3c/web-platform-tests/tree/master/ambient-light
[33]: http://www.w3.org/2009/dap/track/actions/785
[34]: https://w3c.github.io/sensors/#mitigation-strategies
[35]: https://github.com/w3c/sensors/pull/191
[36]: https://docs.google.com/document/d/1MxrVtXkSwrduY3FlYbJe_NYwChdtEWhpFIBgoRARIn0/edit#heading=h.jgeutylz2fcp
[37]: https://docs.google.com/document/d/1Ml65ZdW5AgIsZTszk4mD_ohr40pcrdVFOIf0ZtWxDv0/edit?ts=58e6579f&pli=1#heading=h.lmg4m6asf9b4
[38]: https://github.com/w3c/sensors/issues/171
[39]: https://w3c.github.io/battery/#security-and-privacy-considerations
[40]: https://github.com/w3c/test-results/pull/72
[41]: http://www.w3.org/2009/dap/track/actions/778
[42]: https://github.com/w3c/ping/blob/master/wake-lock-privacy.md
[43]: http://www.w3.org/2009/dap/track/actions/774
[44]: https://github.com/w3c/battery/issues/10
[45]: http://www.w3.org/2009/dap/track/actions/777
[46]: http://www.w3.org/2017/05/04-dap-minutes.html#action01
[47]: #resolution01
[48]: #resolution02
[49]: http://dev.w3.org/cvsweb/~checkout~/2002/scribe/scribedoc.htm
[50]: http://dev.w3.org/cvsweb/2002/scribe/