
Re: [deviceorientation] Move fingerprintable APIs behind permissions (#85)

From: Maryam Mehr via GitHub <sysbot+gh@w3.org>
Date: Wed, 05 Feb 2020 12:26:16 +0000
To: public-geolocation@w3.org
Message-ID: <issue_comment.created-582383858-1580905575-sysbot+gh@w3.org>
Hi everyone. Here are my comments on this issue: 

1- The two suggestions in the SensorID paper would mitigate the attacks proposed in the same paper. There is not any assessment showing that these solutions will prevent similar attacks using other approaches (as a matter of fact, there isn't any assessment in the paper showing that the suggested solutions will prevent their own attacks and to what extent). There is this whole field of calibration techniques (which I am not an expert in; see references 5, 6, and 10 in the same paper).

2- Adding noise to sensor readings does not seem a practical solution to me. It has been in the literature for ages. But I think it inherently conflicts with the fact that sensors are getting stronger and more accurate. In addition, there are research papers which show that even after applying noise, it is still possible to fingerprint devices to some extent (different applications).

3- It is true that after adding permission, the app can still fingerprint devices by using motion sensors. However, this is no different from other sources of fingerprinting such as Unique Device IDs (UID) (advertising ID, phone no, device ID, unique hardware ID), and other personally identifiable information (PII). This is where the GDPR takes action. Although it is a little vague, such information will eventually be classified as personal information.

In GDPR Article 4, the GDPR gives the following definition for “personal data” (https://gdpr.eu/eu-gdpr-personal-data/): "‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

In terms of possible recommendations in the specifications, I think unless we do a systematic study on the available implemented/recommended solutions in practice and literature, permissioning would do for now.

GitHub Notification of comment by maryammjd
Please view or discuss this issue at https://github.com/w3c/deviceorientation/issues/85#issuecomment-582383858 using your GitHub account
Received on Wednesday, 5 February 2020 12:26:18 UTC
