Re: Battery API and fingerprinting

It seems that a general privacy consideration will frequently be appropriate:

"Implementations should ensure that the precision of information is at the lowest accuracy possible while providing utility."

This is data minimization in another form but one that is easy to forget as accuracy may be implementation dependent.

Determining the required precision will depend both on the applications supported as well as the attack analysis, so not sure a blanket guideline is appropriate.

It sounds like this issue will become very relevant for sensors and the emerging Internet of Things.

regards, Frederick

Frederick Hirsch
Chair, W3C Device APIs WG (DAP)

www.fjhirsch.com
@fjhirsch



> On Jul 8, 2015, at 2:09 PM, Dominique Hazael-Massieux <dom@w3.org> wrote:
> 
> Hi,
> 
> An interesting paper on how a seemingly innocuous API (battery level reading) ends up providing exploitable fingerprinting surface:
>  A privacy analysis of the HTML5 Battery Status API
>  http://eprint.iacr.org/2015/616.pdf
> 
> Some of the risks highlighted are specific to an implementation (providing arguably too detailed information), some are probably more generic to any API that bridges with hardware. It might be interesting to look if the self-review questionnaire would have helped mitigate these risks at the spec level.
> 
> Dom
> 
> 

Received on Wednesday, 8 July 2015 21:22:18 UTC
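
The precision guideline discussed in this thread, as an added example that is not part of either message or of any specification text: a reading is coarsened before it reaches page script, so that distinct high-precision hardware values collapse to the same observable value. Field names mirror the Battery Status API's `BatteryManager` attributes; the helper names, the step sizes and the sample readings are assumptions constructed for illustration.

```javascript
// Added example: coarsen a battery reading before exposing it to page script.
// The defaults (1% level steps, 15-minute time buckets) are assumptions; the
// right values depend on the applications supported and the attack analysis.

function bucketTime(seconds, bucketSeconds) {
  // 0 and Infinity are sentinel values and carry no fine-grained signal.
  if (seconds === 0 || !Number.isFinite(seconds)) return seconds;
  // Round up so a small positive value never collapses into the 0 sentinel.
  return Math.ceil(seconds / bucketSeconds) * bucketSeconds;
}

function coarsenBatteryReading(raw, { levelSteps = 100, timeBucketSeconds = 900 } = {}) {
  const clamped = Math.min(1, Math.max(0, raw.level));
  return {
    charging: Boolean(raw.charging),
    // Snap the level onto a grid of levelSteps + 1 possible values.
    level: Math.round(clamped * levelSteps) / levelSteps,
    chargingTime: bucketTime(raw.chargingTime, timeBucketSeconds),
    dischargingTime: bucketTime(raw.dischargingTime, timeBucketSeconds),
  };
}

// True when two readings are indistinguishable to a script that sees them.
function sameObservable(a, b) {
  return ["charging", "level", "chargingTime", "dischargingTime"]
    .every((key) => a[key] === b[key]);
}

// Constructed sample readings: two different high-precision hardware states.
const rawA = { charging: false, level: 0.9301929625425652,
               chargingTime: Infinity, dischargingTime: 5431 };
const rawB = { charging: false, level: 0.9264705882352942,
               chargingTime: Infinity, dischargingTime: 5689 };

function demo() {
  return {
    rawDistinct: !sameObservable(rawA, rawB),
    coarseEqual: sameObservable(coarsenBatteryReading(rawA),
                                coarsenBatteryReading(rawB)),
  };
}

console.log(demo(), coarsenBatteryReading(rawA));
```

Raising `levelSteps` or lowering `timeBucketSeconds` restores utility at the cost of more distinguishable states, which is the trade-off the proposed consideration asks implementers to make explicitly.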