Re: [vibration] Suggested changes for the Rec errata and Proposed Edited Rec

It looks like we now have good reasons to publish an updated draft as a new Rec, incorporating errata as well as adding a security & privacy considerations section.

Thanks to Chaals and Lukasz we have at least two threats to document.

We can still work with Dom re fast-tracking it, given that the changes are still non-normative.

regards, Frederick

Frederick Hirsch
Chair, W3C Device APIs WG (DAP)

www.fjhirsch.com
@fjhirsch

> On Feb 12, 2016, at 4:36 AM, Chaals McCathie Nevile <chaals@yandex-team.ru> wrote:
> 
> On Fri, 12 Feb 2016 10:27:04 +0100, Kostiainen, Anssi <anssi.kostiainen@intel.com> wrote:
> 
>>> On 12 Feb 2016, at 11:16, Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com> wrote:
>>> 
>>> Apologies for the delay.
>>> 
> >>> Vibration standard currently has no privacy considerations. And even if on its own it may not exhibit issues here, it is known that in conjunction with other sources this is not so easy to ascertain.
>>> 
>>> For example, causing vibration of a device and reading the output of accelerometer - can allow fingerprinting by imperfections in the accelerometer sensors.
>>> 
>>> For more information we can consult, e.g.:
>>> http://synrg.csl.illinois.edu/papers/AccelPrint_NDSS14.pdf
>>> http://arxiv.org/pdf/1408.1416v1.pdf
>>> 
> >>> For the current vibration standard, why not include some privacy considerations i.e. "even if on its own this API is unlikely to create privacy risks, it is known that in conjunction with other APIs it can be used to fingerprint the user's device"?
>> 
>> Personally, I'd be happy to include such privacy considerations to the spec. May I ask you to open an issue for this so we can track it appropriately:
>> 
>> https://github.com/w3c/vibration/issues/new
> 
> I did this: https://github.com/w3c/vibration/issues/2
> 
> As well as being useful for device fingerprinting, in a situation that allows physical observation the effects of vibration can often be observed by a third party, leading to physical identification of a device and thereby user.
> 
> cheers
> 
> -- 
> Charles McCathie Nevile - web standards - CTO Office, Yandex
> chaals@yandex-team.ru - - - Find more at http://yandex.com
> 

Received on Monday, 15 February 2016 23:26:25 UTC