W3C home > Mailing lists > Public > public-privacy@w3.org > January to March 2013

Fwd: Ambient Light Events review [retitled]

From: Christine Runnegar <runnegar@isoc.org>
Date: Thu, 24 Jan 2013 07:10:33 +0800
To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-Id: <B5DD2375-1D36-401A-B576-299B094772FD@isoc.org>
A very big thank you to Erin for her review of the draft Ambient Light Events specification.

We will be discussing and consolidating the comments/reviews of this draft specification and the Proximity Events specification on the call on Thursday 24 January 2013 at UTC 17.

Christine and Tara

Begin forwarded message:

> From: Erin Kenneally <erin@elchemy.org>
> Date: January 21, 2013 9:21:45 AM GMT+08:00
> To: Christine Runnegar <runnegar@isoc.org>
> Subject: Re: Proximity Events and Ambient Events - Consolidated comments from Microsoft
> Reply-To: erin@elchemy.org
> 
> Christine-
> 
> Here is my review... I am in general agreement with the feedback I've
> seen so far, ie, Nick and Tony.
> 
<snip>
> 
> INFORMAL PRIVACY INTEREST GROUP (PING) REVIEW
> 
> Ambient Light Events [1]
> 
> Date: 21 January 2013
> 
> I: Specific privacy-supporting features:
> Lightlevel event value granularity is abstract enough so as to not be
> identifiable.
> 
> II: Privacy risks and vulnerabilities:
> - None inherent to ambient light data itself. It is not a first-order
> identifier for either user or device.
> 
> - Any privacy risk would arise as part of a collective risk with other
> sensor data or contextual information.  IOW, ambient light data are
> contributory to inference or linkage risks derived from combination with
> external data (including other temporal and/or spatial lightlevel api
> data could be aggregated to evolve into an identifier), ie, device
> context information.  This is a 'mosaic risk' wherein the privacy risk
> does not lay with the individual pieces but with the larger picture.
> This risk would generalize across other Sensor API risks, such as idle
> API or other background event APIs.
> 
> III: How the privacy risks and vulnerabilities are addressed and/or
> suggestions as to how to address them:
> - De-couple the timing of ambient light event firing from other
> activity/events such that knowledge of one would not proxy a join to the
> other (this may be a long-winded way of describing others' comments (ie,
> Nick, Tony) re: "fuzzing of the timing of ambient light events"?)
> - Abstract the Value granularity  (currently in the spec)
> 
> - Include considerations of the collective risk of combined sensor
> values within each sensor spec.  Although, I don't know that that alone
> offers much guidance other than "be aware", so we should be careful to
> avoid guiding language that just kicks the can down the road.  Since the
> combination of event variables that would implicate this risk could be
> quite numerous, and future-proofing use cases may be similarly
> intractable, perhaps a general warning is the most practicable guide?
> 
> IV: Suggested text for a Privacy Considerations section in the
> specification:
> (see III comments)
> 
> V: Additional comments:
> ________________________
> Dear volunteers,
> 
> A reminder that the review is due on 17 January 2013. In case you do not
> have an almost complete draft ready to go, let me suggest we extend the
> time to UTC 23 on Monday 21 January so that there will be time for
> feedback from other PING members prior to the call on 24 January 2013.
> The review needs to be complete by 25 January 2013.
> 
> Nick's recent email [1] provides a good starting point for drafting a
> privacy review of the draft Ambient Light Event specification [2].
> There has also been some discussion on the email list.
> 
> In terms of structure, one approach might be:
> 
> -------
> 
> 
> 
> On 1/16/13 2:28 PM, Christine Runnegar wrote:
>> Dear volunteer reviewers,
>> 
>> Tony has some additional comments from Microsoft to contribute. He has
>> helpfully consolidated them into one email.
>> 
>> Please see below.
>> 
>> Begin forwarded message:
>> 
>>> *From: *"Tony Rahman (LCA)" <tonyr@microsoft.com
>>> <mailto:tonyr@microsoft.com>>
>>> *Date: *January 17, 2013 8:12:07 AM GMT+10:00
>>> *To: *Christine Runnegar <runnegar@isoc.org <mailto:runnegar@isoc.org>>
>>> *Subject: **Consolidated comments from Microsoft...*
>>> 
>>> Hi Christine, here are our consolidated review comments for you…
>>> 
>>> Proximity Events draft review
>>> http://www.w3.org/TR/2012/WD-proximity-20121206/
>>> 
>>>  Comments on Privacy and Security areas:
>>> 
>>>  1. There should be a way for a device to refuse to be queried about
>>> its proximity or even presence (e.g. Bluetooth device).
>>> 
>>>  2. Can an object (being queried) be also a hosting device? If so, is
>>> it possible that DeviceProximityEvent and UserProximityEvent
>>> interfaces can be used to do "daisy-chain" queries to find not just
>>> the first device within the proximity, but also the what's in
>>> proximity to the queried device and so on. That needs to taken into
>>> consideration. This is including the ability for devices to see how
>>> far away they are from each other.
>>> 
>>>  3. Perhaps the device should have a max number of queries on itself
>>> allowed within a certain amount of time, and if it's exceeded it will
>>> stop responding to the hosting device for x amount of time (e.g. no
>>> more responses to that host for an hour). This is more of a Security
>>> issue.
>>> 
>>> 4. In isolated usage, there may not be much risk here. However, when
>>> combined with other features such as identity or location I feel this
>>> could be very concerning.
>>> 
>>> 5. There should be a mechanism to alert the user when the feature is
>>> enabled or being used.
>>> 
>>> 
>>>  Ambient Light Events draft review
>>> http://www.w3.org/TR/2012/WD-ambient-light-20121213/
>>> 
>>>  Comments on Privacy and Security areas:
>>> 
>>> 1.       See #1 comment above for Proximity Events (refuse to report)
>>> 2. See #3 comment above for Proximity Events (limit queries) 3. The
>>> real-world usage of any of the Ambient Light Events features must be
>>> strictly controlled as there are privacy and physical security
>>> implications especially when used in a home automation situation. Only
>>> designated/authorized users can query whether it's dark in your house,
>>> etc.
>>> 2.       Hacking is a huge risk here.  This feature could be used in
>>> an unexpected way, e.g. to see if two devices are in the same place
>>> depending how sensitive the light sensor is.
>>> 
>>> 
>>> CSG: <http://sharepoint/SITES/CAT/> Technical Engagement & Strategy
>>> 	
>>> Sr. Program Manager. CIPP/US
>>> 	
>>> tonyr@microsoft.com <mailto:tonyr@microsoft.com>  ( 425.703.2680
>>> 
>>> 
>>> 
>> 
> 
> -- 
> Erin E. Kenneally, M.F.S., J.D.
> CEO, Founder
> eLCHEMY, Inc.
> 8677 Villa La Jolla Dr., #1133
> La Jolla, CA  92037
> www.elchemy.org
> 
> 
> This email message is for the sole use of the intended recipient[s] and
> may contain privileged information.  Any unauthorized review, use,
> disclosure or distribution is prohibited.  If you are not the intended
> recipient, please contact the sender by phone or reply email and destroy
> all copies of the original message.
> 
Received on Wednesday, 23 January 2013 23:11:07 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 23 January 2013 23:11:07 GMT