Re: Tracking with ultrasound beacons. Web Audio API privacy considerations need updating? from Joseph Lorenzo Hall on 2015-11-12 (public-privacy@w3.org from October to December 2015)

From: Joseph Lorenzo Hall <joe@cdt.org>
Date: Thu, 12 Nov 2015 16:29:21 -0500
To: "Lukasz Olejnik (W3C)" <lukasz.w3c@gmail.com>
Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>, public-audio@w3.org
Message-ID: <CABtrr-VFVu2kryTZJd4Huw4X27HxpWz8YP_=qZw+JUCc2UVUSA@mail.gmail.com>

(I'm not on public-audio, so I don't think my mail will make it there.)

This is something we've been concerned about recently here at CDT.

In some senses, platforms can help. E.g., just like there are small
indicators present when an app is accessing location or the microphone to
give users notice that something is using those resources, maybe a sound
icon could be used? Chrome I think does this with tabs so that you can
quickly identify which of dozens of tabs is the one playing annoying audio.

I do think that permissions to access the speaker are going to be hard to
justify and more difficult to get any UAs to actually build in. It's just
too common for something to want to access the speakers. Maybe permissions
could be triggered for audio that is clearly outside the range of normal
human hearing? A counter-move to that could be that services like
SilverPush could blast audio within human hearing ranges but make it
information dense (it would sound like the spread-spectrum white noise
blasts that fire and police use in the US to get the attention of cars that
aren't getting out of their way).

I don't see an easy answer to this. Would love to hear others' thoughts. We
might want to devote some time on a future PING call to this and invite
interested folks from public-audio to join.

best, Joe

On Thu, Nov 12, 2015 at 4:18 PM, Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com>
wrote:

> Dear all,
>
> I would like to raise the current issue of tracking using ultrasound audio
> beacons/markers.
>
> SilverPush PRISM [1] is a program/method enabling cross-device tracking.
> In short, it is the association of users of desktops/laptops with devices
> such as smartphones.  The intention is to enhance tracking and profiling,
> so users can experience more rich Web content, of course.
>
> It supposedly uses ultrasound beacons via speakers, emitted by scripts on
> websites. These can then be detected by smartphone apps.
>
> It is, however, bringing some transparency issues. Users are unaware of
> this, can't provide consent, and can't configure their browsers according
> to their expectations.
>
> The current privacy considerations of Web Audio API [4] are not addressing
> these concerns. Possibly we should ask for an update?
>
> We might consider investigating, and deciding -  if possible -  should Web
> Audio:
> - be subject of permissions
> - limit the output to filter out infra/ultrasound, if possible (?)
> - have an additional note
>
> Thanks and regards
> Lukasz
>
> Ps. This is addressed to PING and  Audio Working Group.
> Pps. As a side note - [3] - TV advertisements can emit ultrasound beacons
> as well.
>
>
> [1] http://www.silverpush.co/?_escaped_fragment_=/prism#!/prism
> [2]
> http://www.steamfeed.com/silverpush-launches-cross-device-ad-targeting-with-unique-audio-beacon-technology/
> [3] http://thetechportal.in/2015/09/23/silverpush-funding/
> [4] http://www.w3.org/TR/webaudio/#PrivacyConsiderations
>

-- 
Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

Received on Thursday, 12 November 2015 21:30:10 UTC