- From: Patrick H. Lauke <redux@splintered.co.uk>
- Date: Tue, 24 Apr 2018 20:21:46 +0100
- To: "Jason A. Novak" <jnovak@apple.com>, public-pointer-events@w3.org
- Cc: public-privacy@w3.org
On 24/04/2018 16:34, Jason A. Novak wrote: > Hi Patrick - > > Thanks for the email, apologies for the delayed response. I have a few observations based on my understanding of the specification. Please let me know if I’m misinterpreting the spec. > > - pointerId appears to be a unique value for the pointer causing the event. I did not see anything regarding how frequently pointerIds should be reset, and as a result it seems like this could be a long term fingerprinting mechanism. It would be a good mitigation to specify that user agents should reset these pointerIds on with some frequency and that the values not be predictable (e.g. generated randomly with cryptographically strong randomness). To clarify, pointerId is just a number - generally 0, 1, 2, 3, 4, 5, ... - to just disambiguate the different pointers, not a unique id given to each finger/device which persists. Similar in use to, say, the "identifier" value on touch events. But yes, adding a note about how UAs should and should not assign the pointerId may well be worth it. > - There’s a good discussion of the fact that the data exposed in pointer events — the angle or tilt at which a pen input is held, the geometry of the contact surface, and the pressure exerted on the stylus or touch screen — could be used to fingerprint a user but there’s no mention made of mitigations. It would be a good mitigations to specify that user agents could either not provide precise values by default but rather could round the values provided; or user agents could add some element of jitter to their responses. Being inaccurate would, however, negate their usefulness (e.g. in drawing applications). Perhaps the UA could offer this, but as an option only that can be enabled/disabled. > - Based on my read of the specification, I think that the pointer information plus timing of events could be used by a malicious website to determine if a user was using assistive technologies. This may be a consideration to call out in the Security & Privacy considerations, perhaps in a more general way, e.g. “the use of certain input technologies may reveal sensitive information about the user themselves” I thought this was already covered under the "may be used to infer characteristics of a user" part in the S&P considerations. P -- Patrick H. Lauke www.splintered.co.uk | https://github.com/patrickhlauke http://flickr.com/photos/redux/ | http://redux.deviantart.com twitter: @patrick_h_lauke | skype: patrick_h_lauke
Received on Tuesday, 24 April 2018 19:22:19 UTC