W3C home > Mailing lists > Public > public-privacy@w3.org > April to June 2017

Re: Which questionnaire?

From: Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com>
Date: Thu, 4 May 2017 20:19:31 +0200
Message-ID: <CAC1M5qr49auBKnZ0CADu6NnwbzJO64BuMA87+Lm2vWV8tjMi2A@mail.gmail.com>
To: Christine Runnegar <runnegar@isoc.org>
Cc: Chaals is Charles McCathie Nevile <chaals@yandex-team.ru>, "public-privacy@w3.org" <public-privacy@w3.org>

Just to add a few eurocents - I wrote the considerations in Vibration API.

Thank you Christine - guidance in a good direction!

It's definitely a good idea to start from the known issues/types/cases.
However - from experience - it's often quite challenging (but fun) to list
or identify the risks/identifiers/etc upfront. That also highly depends on
the specific APIs.


Ps. Perhaps slightly relevant:

2017-05-04 20:03 GMT+02:00 Christine Runnegar <runnegar@isoc.org>:

> Dear Charles,
> Thank you! We really need to push forward with the PING annotated privacy
> questionnaire.
> Greg Norcie did a lot of work on this before moving on to other
> adventures. I believe Wendy added it to GitHub here:
> https://github.com/w3c/privacy-considerations
> Perhaps you could help me move this along.
> I think one place to start to add to the draft is to list out some of the
> common potential privacy risks that we have already seen, how these have
> been addressed in specs and what could be improved.
> (For example, a common concern is the use of identifiers or things that
> could behave like identifiers, especially those that are persistent and
> unique.
> If we break this down into small pieces that people can comment on via
> email, I think we will make better progress.
> There are also probably some common principles we could draw out for APIs
> that access sensor data.)
> As an example, here is what is in the privacy considerations of the
> Vibration API - https://www.w3.org/TR/vibration/#security-and-
> privacy-considerations
> Vibration API is not a source of data on its own and as such is not
> producing any data possible to consume on the Web. However, it is known
> that it can serve as a source of events for other APIs. In particular, it
> is known that certain sensors such as accelerometers or gyroscopes are
> prone to tiny imperfections during their manufacturing. As such, they
> provide a fingerprinting surface that can be exploited utilizing the
> vibration stimuli generated via the Vibration API. In this sense, Vibration
> API provides an indirect privacy risk, in conjunction with other
> mechanisms. This can create possibly unexpected privacy risks, including
> cross-device tracking and communication. Additionally, a device that is
> vibrating might be visible to external observers and enable physical
> identification, and possibly tracking of the user.
> For these reasons, the user agent SHOULD inform the user when the API is
> being used and provide a mechanism to disable the API (effectively no-op),
> on a per-origin basis or globally.
> Christine
> > On 4 May 2017, at 12:40 pm, Chaals is Charles McCathie Nevile <
> chaals@yandex-team.ru> wrote:
> >
> > Hi,
> >
> > For microdata, I went through the questionnaire at
> https://www.w3.org/TR/security-privacy-questionnaire/
> >
> > It turns out that the content in https://www.w3.org/wiki/
> Privacy/Privacy_Considerations seems
> > much better expressed and more thorough in terms of privacy.
> >
> > There is also a repo, but last time I went there it was unclear how to
> actually contribute.
> > Now I cannot find it at all, although I did find https://github.com/w3c/
> privacy-considerations
> >
> > How can I help get a good privacy questionnaire published by PING?
> >
> > cheers
> >
> >
> > --
> > Charles McCathie Nevile   -   standards   -   Yandex
> > chaals@yandex-team.ru - Find more at http://yandex.com
> >
> >
Received on Thursday, 4 May 2017 18:20:06 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 4 May 2017 18:20:06 UTC