PING - informal chairs summary - 24 March 2016


Our next call will be on 28 April 2016 at the usual time.

* Vibration API

Background: We discussed the privacy considerations of the Vibration API [1] on the February PING call [2], and on the public-privacy email list. 

There was support for the updates to the privacy and security considerations section of the draft specification. We discussed the cross-device tracking threat in more detail (i.e. where an attacker could use a vibration pattern to uniquely identify the device), noting that this issue was also discussed by PING in the context of reviewing the Ambient Light specification. Users are increasingly using more than one device. It is also valuable for Web services to have insight into what devices are related – to be able to infer a device connection graph. The techniques that CDT has observed fall into two categories: deterministic or probabilistic.

We also discussed whether an attacker could cause a device to be identifiable by forcing a vibration. It seems possible mitigations against these types of attacks may be limited. There was a query about whether there is any research on the fingerprintability of specific hardware based on the vibration being uniquely identifiable or because it has a specific kind of pattern. Imagine a phishing attack that sends a vibration command through a website and vibrates the device so it can be identified. If an attacker were able to serialize millisecond vibrations, could the attacker encode the pattern so that a speaker on an external device could hear it? Are external side-channels within the scope of the specification? (Note: cross-origin concern relates to both emitters and speakers)

(Action item: We should include something in the privacy questionnaire to identify these kinds of side-channel issues. For example: Does this specification allow for communication outside the Web channel? Does this specification allow for communication that could be detected in other origins?)

A third issue is whether cross-origin attacks are possible. For example, a server that serves ads in iframes across browsers might find it difficult to sync cookies because there are different origins. But, what if that server could trigger a vibration event and use a timing attack to identify the same user? Is that possible?

We also noted that steps to mitigate against cross-device and/or identification attacks could hamper accessibility where the vibration API is used as support for accessibility features.

For further references on this topic, see:
- CDT comments to the FTC regarding cross-device tracking [3]
- L. Olejnik’s document [4] (Note: LO is inviting feedback)

Nick will also follow up on the public-privacy email to make sure that cross-origin issues have been raised.

* Media Capture Streams

Background: PING was invited to provide feedback on the Media Capture and Streams API (see [5]). We identified some privacy issues and the Media Capture Task Force gave a very detailed response documenting the issues and their approach to each of them. Almost all of the issues are resolved (e.g. device identifiers are cleared with cookies, permission model is double-keyed by the top-level origin and the entry-script origin) (see [6]). They also explained why they decided not to use CSP as a signal for persisting permissions. The outstanding issues regarding permissions revocation may have already been resolved too. They opened an issue about event firing (similar issue to the cross-origin issue we discussed vis-à-vis the vibration API).

Action item: Seeking volunteers to review the changes/responses made by the Media Capture Task Force to address the privacy issues raised by PING

Thank you to PING and Media Capture Task Force members! A very nice example of cross-group collaboration to improve the privacy in the design of this Media Capture and Streams API [7].

* WebRTC at IETF 95

There will be a discussion during the RTCWeb WG meeting at IETF 95 (Tuesday 5 April 2016) on Internet Draft WebRTC IP Address Handling Recommendations [8], which provides best practices for how IP addresses should be handled by WebRTC applications.

* PING @ IETF 95

The IAB Privacy and Security Program is meeting at the usual time for the PING get-together so we will send out a note to organise an informal get-together instead.

* PING @ TPAC

We will submit a request for a PING meeting slot.

* PING questionnaire

It would be useful to test the draft against some more specifications. We can expect upcoming requests from the Web Payments WG and Web Authentication WG.

* PING outreach

We need more people to step up to work with WGs on the privacy considerations of their specifications. 

Everyone, we also need to do more outreach to find new people to join PING. 

Please volunteer!

Christine and Tara

[1] https://github.com/anssiko/vibration/commit/48489c54e0b7ed80900e0906fa79803c8fa77069 
[2] https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0061.html 
[3] https://cdt.org/files/2015/10/10.16.15-CDT-Cross-Device-Comments.pdf    
[4] https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0095.html 
[5] https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0075.html
[6] https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0085.html
[7] https://www.w3.org/TR/2015/WD-mediacapture-streams-20150414/ 
[8] https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-01

Received on Monday, 4 April 2016 14:26:24 UTC