Geofencing API: Initial attempt at answering Privacy Questionnaire

Hello Geolocation WG and PING,
As per guidance from the TAG, I am taking an attempt at answering the Privacy questionnaire [1] with respect to the latest version of the Geofencing API [2], [3].  Note that the Geofencing API does have an existing security and privacy section [4] that may be modified depending on how the answers to the questionnaire shape up.  I've added notes in the form of '{NOTE: ...}' for questions whose answers I think need special scrutiny.

Thanks,
-Giri Mandyam, Geolocation WG Chair

References
[1] https://w3ctag.github.io/security-questionnaire/#questions
[2] https://w3c.github.io/geofencing-api/
[3] https://github.com/w3c/geofencing-api
[4] https://w3c.github.io/geofencing-api/#security-and-privacy-considerations
[5] http://www.w3.org/TR/geolocation-API/
[6] http://www.w3.org/TR/service-workers/#dfn-scope-url


  *   3.1 Does this specification deal with personally-identifiable information? <https://w3ctag.github.io/security-questionnaire/#pii>
Yes.  Geolocation data can be used help in identifying a person.  A user's location profile (i.e. the probabilistic distribution of the likelihood a person is in a given place at a given time), in combination with other information, may be used to uniquely determine a device user.

  *   3.2 Does this specification deal with high-value data? <https://w3ctag.github.io/security-questionnaire/#credentials>
Yes.  Location data may be used for end user authentication (based on a 'trusted location').  Moreover, this specification's target technology (geofencing) may be used as part of a "pervasive monitoring" attack (as defined in RFC 7258).

  *   3.3 Does this specification introduce new state for an origin that persists across browsing sessions? <https://w3ctag.github.io/security-questionnaire/#persistent-origin-specific-state>
Yes.  The dependency on Service Workers allows for process persistence across browsing sessions.  As has already been pointed out in the questionnaire itself, Service Workers offers some mitigation in the form of requiring authenticated origins.

  *   3.4 Does this specification expose persistent, cross-origin state to the web? <https://w3ctag.github.io/security-questionnaire/#persistent-identifiers>
{NOTE:  I may not fully understand the nature of this question, so my answer should be taken with a grain of salt}.  This specification does not in and of itself expose persistent cross-origin state to the web.  This is because Service Workers are registered against the invoking origin.  However, the main page (main thread) that created the service worker may expose any associated data to other origins using acceptable web technologies.  The mitigation for this is to prohibit mixed content.

  *   3.5 Does this specification expose any other data to an origin that it doesn't currently have access to? <https://w3ctag.github.io/security-questionnaire/#other-data>
No.  Geofencing as a function can always be implemented at the application layer using the existing W3C Geolocation API (see References, [5]).  However, this does not allow the web application to (a) take advantage of efficient platform-based implementations for geofencing, and (b) achieve a level of geofencing process persistence based on the use of Service Workers.

  *   3.6 Does this specification enable new script execution/loading mechanisms? <https://w3ctag.github.io/security-questionnaire/#string-to-script>
No.

  *   3.7 Does this specification allow an origin access to a user's location?<https://w3ctag.github.io/security-questionnaire/#location>
Yes.  This specification is cited as an example in the questionnaire itself.

  *   3.8 Does this specification allow an origin access to sensors on a user's device?<https://w3ctag.github.io/security-questionnaire/#sensors>
Yes, but not necessarily to discrete sensor data.  Modern location engines use a variety of sources in creating the determination of user device location, and therefore implement a form of "sensor fusion."

  *   3.9 Does this specification allow an origin access to aspects of a user's local computing environment?<https://w3ctag.github.io/security-questionnaire/#local-device>
No.

  *   3.10 Does this specification allow an origin access to other devices? <https://w3ctag.github.io/security-questionnaire/#remote-device>
No.

  *   3.11 Does this specification allow an origin some measure of control over a user agent's native UI? <https://w3ctag.github.io/security-questionnaire/#native-ui>
No.

  *   3.12 Does this specification expose temporary identifiers to the web?<https://w3ctag.github.io/security-questionnaire/#temporary-id>
Yes.  Service Workers have a notion of a scope URL (see References, [6]).

  *   3.13 Does this specification distinguish between behavior in first-party and third-party contexts?<https://w3ctag.github.io/security-questionnaire/#first-third-party>
{NOTE:  I am making an assertion about how Service Workers deal with cookies based on my reading of the spec; I may be wrong}. No, but with specific respect to "first-party-only cookies" it does not need to.  The functionality defined in this specification is restricted to service workers.  Service workers do not have direct access or visibility to cookies.

  *   3.14 How should this specification work in the context of a user agent's "incognito" mode? <https://w3ctag.github.io/security-questionnaire/#incognito>
Yes it should.  Incognito mode should not be affected by the presence of Service Workers.

  *   3.15 Does this specification persist data to a user's local device? <https://w3ctag.github.io/security-questionnaire/#storage>
{NOTE:  I believe this question seems to be getting at features such as cookies or app cache.  Note also that my assertion about Service Workers and data persistence may not be accurate.}  Service Workers are tied to persistent background processing, and the user agent must persist a list of all registered service workers.  However, this is not the same kind of data persistence that is seen with cookies or features such as applicationCache or LocalStorage.  The persisted data associated with the Service Worker is controlled by the User Agent, not the invoking origin.

  *   3.16 Does this specification have a "Security Considerations" and "Privacy Considerations" section? <https://w3ctag.github.io/security-questionnaire/#considerations>
Yes.  See References, [4].

  *   3.17 Does this specification allow downgrading default security characteristics? <https://w3ctag.github.io/security-questionnaire/#relaxed-sop>
{NOTE:  This question needs more explanation.  I didn't quite understand it, and the examples given (e.g. CORS) did not provide insight as to an example of 'downgrading default security charactersistics'}.  No.

Received on Monday, 19 October 2015 17:31:31 UTC