Re: draft, pls review by Tuesday - Summary of Privacy Interest Group (PING) feedback regarding Proximity and Ambient Light APIs

Hi Frederick - 

That looks like a very good collection of the views submitted. 

Forgive me if this is already addressed, but the other day I thought through a specific practical issue to do with this functionality.

Use case: the user wishes to maintain strict separation between two "mobile phone personas"; for instance, reserving one handset for work purposes and one for personal use. The user does not wish their use of the devices to be correlated.

If a third party is able to observe that both handsets report the same changes in ambient light, they may conclude that the devices are co-located, thus undermining the user's ability to maintain separation of the two personas.

Hope this helps - as I say, sorry if this is really already covered by the existing comments.


Yrs.,
Robin

Robin Wilton
Technical Outreach Director - Identity and Privacy
Internet Society

email: wilton@isoc.org
Phone: +44 705 005 2931
Twitter: @futureidentity




On 8 Feb 2013, at 00:17, <Frederick.Hirsch@nokia.com> wrote:

> Here is my draft summary of the PING Ambient Light and Proximity review, based on the emails, IRC log and my recollection of the call.
> 
> Please let me know of any additions, corrections etc before I send to the DAP list on Tuesday, 12 Feb.
> 
> regards, Frederick
> 
> Frederick Hirsch, Nokia 
> 
> [[
> 
> Members of the Privacy Interest Group (PING) [1] reviewed the Proximity [2] and Ambient Light Event [3] Last Call drafts from a privacy perspective.
> 
> The following key points were made in the review process:
> 
> 1) Privacy threats can arise when these simple specifications are used in combination with other functionality or when used over time.
> 
> 2) User notification and control over use of sensors should be provided (e.g. able to turn them off, or know if they are being used)
> 
> 3) There are possibilities for fingerprinting based on event patterns during and over time.
> 
> 4) There should be a summary of privacy information applicable to the various sensors collected in one place (I offered to start a draft) and information may also need to be added to each individual draft
> 
> 5) Reviewing these drafts was useful to PING in order to learn and start creating a checklist and process for other reviews.
> 
> In detail, 
> 
> Nick Doty gave an excellent summary in an email [4] that includes examples:  using ambient light sensors in multiple contexts over time to correlate the same user, suggesting the spec be limited to a single active window context.
> Similarly he notes a concern similar to the Idle API risk discussion, see [5]. See Nick's email for details.
> 
> Nick noted during the call that there is a chance for gleaning information from light sensors, but not with high, med, low settings, so that is good.
> 
> Nick and Thomas Roessler also note that there is also a fingerprinting risk based on frequency and timing of event occurrence (though I suggest this might be harder than more straightforward fingerprinting approaches). A possible mitigation is to impose limitations on granularity of information.
> 
> Ambient Light could offer a side channel for communication via light generation and detection though again I think this might be lower priority than other possible concerns.
> 
> Tony Rahman noted [6] that there might be a security risk if there is no limit to the rate of queries and also suggested that remote sensors offer a greater security risk, though I suggest the current specs are focused on local information. He also noted that perhaps there should be an indication to the user when the sensors are used (I'd say in particular for ambient light). In addition he suggests there should be a way to disable sharing proximity information (or in general various sensor information).
> 
> The PING group agreed that there may need to be privacy documentation that spans the variety of sensors noting common concerns - I offered to start drafting a document. Nick suggests that material needs to also be repeated in the individual drafts as well, however I'd suggest a short executive summary might suffice.
> 
> Nick started a wiki to collect resources around Privacy Considerations, see http://www.w3.org/wiki/Privacy/Privacy_Considerations
> 
> regards, Frederick
> 
> Frederick Hirsch
> Nokia
> 
> [1] http://www.w3.org/Privacy/
> 
> [2] http://www.w3.org/TR/2012/WD-proximity-20121206/
> 
> [3] http://www.w3.org/TR/2012/WD-ambient-light-20121213/
> 
> [4] http://lists.w3.org/Archives/Public/public-privacy/2013JanMar/0007.html
> 
> [5] https://groups.google.com/forum/?fromgroups=#!topic/mozilla.dev.webapi/7mEN0gSryCk
> 
> [6] http://lists.w3.org/Archives/Public/public-privacy/2013JanMar/0010.html and http://lists.w3.org/Archives/Public/public-privacy/2013JanMar/0011.html
> 
> ]]
> 
> 

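Added illustration (not part of the thread above, nor of any W3C draft): a small JavaScript shim showing the two mitigations the summary mentions, coarse granularity ("high, med, low" rather than raw lux) and a cap on how often events are surfaced. The lux thresholds, the 500 ms minimum interval and the sample readings are all assumptions constructed for the example; the point is to make visible how much less a script can learn from the filtered stream than from the raw one.

```javascript
// Added example: a privacy shim applied to raw ambient light samples before a
// page sees them. Thresholds, interval and sample data are illustrative
// assumptions, not values from the Ambient Light Events draft.

// Map a raw illuminance reading (lux) onto three coarse levels. The cut-offs
// are assumed for illustration only.
function coarsenLux(lux) {
  if (lux < 50) return "low";
  if (lux < 1000) return "medium";
  return "high";
}

// Emit a coarse reading only when the level changes AND at least
// `minIntervalMs` has passed since the last emitted event. Short transients
// inside the interval are suppressed rather than queued. Input: an array of
// {t, lux} samples (t in ms). Output: the events a page would actually receive.
function filterReadings(samples, minIntervalMs) {
  const emitted = [];
  let lastLevel = null;
  let lastEmitT = -Infinity;
  for (const s of samples) {
    const level = coarsenLux(s.lux);
    if (level === lastLevel) continue;            // no change, nothing to say
    if (s.t - lastEmitT < minIntervalMs) continue; // rate cap, drop for now
    emitted.push({ t: s.t, level });
    lastLevel = level;
    lastEmitT = s.t;
  }
  return emitted;
}

// Crude measure of the fingerprinting surface: number of distinct values a
// script could observe, and its log2 in bits.
function distinctStates(values) {
  return new Set(values).size;
}
function bitsOfInformation(values) {
  return Math.log2(distinctStates(values));
}

// Constructed sample stream: nine readings 100 ms apart, moving between a dim
// room, a lit desk and daylight.
const SAMPLES = [
  { t: 0, lux: 12.4 }, { t: 100, lux: 13.1 }, { t: 200, lux: 640.0 },
  { t: 300, lux: 655.2 }, { t: 400, lux: 1800.0 }, { t: 500, lux: 1795.5 },
  { t: 600, lux: 20.3 }, { t: 700, lux: 21.0 }, { t: 800, lux: 1250.0 },
];

// Raw stream: 9 distinct lux values, every sample is an event.
// Coarse stream: 3 distinct levels; with a 500 ms cap only 2 events survive.
console.log("raw distinct:", distinctStates(SAMPLES.map(s => s.lux)));
console.log("coarse distinct:", distinctStates(SAMPLES.map(s => coarsenLux(s.lux))));
console.log("events, no cap:", filterReadings(SAMPLES, 0).length);
console.log("events, 500 ms cap:", filterReadings(SAMPLES, 500).length);
```

The same shim could sit in front of the proximity sensor with a two-level output; the review's point about granularity applies identically. Note that suppressing transients (rather than delaying them) is deliberate: a queued event would still leak the timing of the original change once it was delivered.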
Received on Friday, 8 February 2013 09:19:17 UTC