Hey
2016-02-26 1:34 GMT+01:00 Frederick Hirsch <w3c@fjhirsch.com>:
> I attended the Privacy Interest Group (PING) call today [1] where we
> discussed privacy aspects of the Vibration API [2].
>
> As you may know, we in DAP are considering updating the Vibration REC with
> the errata and Privacy and Security considerations to bring to REC again.
>
> Some takeaways:
>
> 1. We need to add a Security and Privacy Considerations section.
>
> 2. This section should consider the "Cross-Device Tracking" threat
>
> This threat consists of using vibration patterns to create a unique
> pattern that can allow the device to be recognized
>
Sure...
>
> Note, this threat may also be applicable to Ambient Light
>
This is already accounted by my larger PDF that I am making public soon
(it's already being "reviewed" ;) ).
But basically, it's as already largely stated in the current considerations
- that Vibration API provides input that can be read by other sensor(s).
Chaals also noted that we don't want to limit the vibration API too much,
since it can be used for blind/sight limited people to allow them to
'view' images etc and we wouldn't want mitigations to limit the
functionality.
Definitely. This is an accessibility feature.
However, this could be left configured, i.e. it can be advised that there
SHOULD be an option to set the limits.
5. 'Fingerprinting' may or may not be a threat (not sure it is related to
the vibration functionality), but it is a general threat to consider
Vibration just provides the data ;)
6. Applications might want to give indications when vibration is in use.
Definitely, there SHOULD be an option to indicate it...