Re: PING - informal chairs summary - 24 March 2016 from Greg Norcie on 2016-04-04 (public-privacy@w3.org from April to June 2016)

From: Greg Norcie <gnorcie@cdt.org>
Date: Mon, 4 Apr 2016 13:03:32 -0400
To: Christine Runnegar <runnegar@isoc.org>
Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <CAMJgV7YMonahdokCuidk1+O3-0=k1ikzE7swptN_6f8d8QVw+A@mail.gmail.com>
If anyone wants to take a look at the current Privacy Questionnaire draft
between now and the call, it is at
https://gregnorc.github.io/ping-privacy-questions/


/********************************************/
Greg Norcie (norcie@cdt.org)
Staff Technologist
Center for Democracy & Technology
District of Columbia office
(p) 202-637-9800
PGP: http://norcie.com/pgp.txt



*CDT's Annual Dinner (Tech Prom) is April 6, 2016.  Don't miss out!learn
more at https://cdt.org/annual-dinner <https://cdt.org/annual-dinner>*
/*******************************************/

On Mon, Apr 4, 2016 at 10:25 AM, Christine Runnegar <runnegar@isoc.org>
wrote:

> PING – informal chairs summary –  24 March 2016
>
> Our next call will be on 28 April 2016 at the usual time.
>
> * Vibration API
>
> Background: We discussed the privacy considerations of the Vibration API
> [1] on the February PING call [2], and on the public-privacy email list.
>
> There was support for the updates to the privacy and security
> considerations section of the draft specification. We discussed the
> cross-device tracking threat in more detail (i.e. where an attacker could
> use a vibration pattern to uniquely identify the device), noting that this
> issue was also discussed by PING in the context of reviewing the Ambient
> Light specification. Users are increasingly using more than one device. It
> is also valuable for Web services to have insight into what devices are
> related – to be able to infer a device connection graph. The techniques
> that CDT has observed fall into two categories: deterministic or
> probabilistic.
>
> We also discussed whether an attacker could cause a device to identify to
> be identifiable by forcing a vibration. It seems possible mitigations
> against these types of attacks may be limited. There was a query about
> whether there is any research on the fingerprintability of specific
> hardware based on the vibration being uniquely identifiable or because it
> has a specific kind of pattern. Imagine a phishing attack that sends a
> vibration command through a website and vibrate the device so it can be
> identified. If an attacker were able to serialize millisecond vibrations,
> could the attacker encode the pattern so that a speaker on an external
> device could hear? Are external side-channels within the scope of the
> specification? (Note: cross-origin concern relates to both emitters and
> speakers)
>
> (Action item: We should include something in the privacy questionnaire to
> identify these kinds of side-channel issues. For example: Does this
> specification allow for communication outside the Web channel? Does this
> specification allow for communication that could be detected in other
> origins?)
>
> A third issue is whether cross-origin attacks are possible. For example, a
> server that serves ads in iframes across browsers might find it difficult
> to sync cookies because there are different origins. But, what if that
> server could trigger a vibration event and use a timing attack to identify
> the same user? Is that possible?
>
> We also noted that steps to mitigate against cross-device and/or
> identification attacks could hamper accessibility where the vibration API
> is used as support for accessibility features.
>
> For further references on this topic, see:
> - CDT comments to the FTC regarding cross-device tracking [3]
> - L. Olenjink’s document [4] (Note: LO is inviting feedback)
>
> Nick will also follow up on the public-privacy email to make sure that
> cross-origin issues have been raised.
>
> * Media Capture Streams
>
> Background: PING was invited to provide feedback on the Media Capture and
> Streams API (see [5]). We identified some privacy issues and the Media
> Capture Task Force gave a very detailed response documenting the issues and
> their approach to each of them. Almost all of the issues are resolved (e.g.
> device identifiers are cleared with cookies, permission model is
> double-keyed by the top-level origin and the entry-script origin) (see
> [6]). They also explained why they decided not to use CSP as a signal for
> persisting permissions. The outstanding issues regarding permissions
> revocation may have already been resolved too. They opened an issue about
> event firing (similar issue to the cross-origin issue we discussed
> vis-à-vis the vibration API).
>
> Action item: Seeking volunteers to review the changes/responses made by
> the Media Capture Task Force to address the privacy issues raised by PING
>
> Thank you to PING and Media Capture Task Force members! A very nice
> example of cross-group collaboration to improve the privacy in the design
> of this Media and Capture Streams API [7].
>
> * WebRTC at IETF 95
>
> There will be a discussion during the RTCWeb WG meeting at IETF 95
> (Tuesday 5 April 2016) on Internet Draft WebRTC IP Address Handling
> Recommendations [8], which provides best practices for how IP addresses
> should be handled by WebRTC applications.
>
> * PING @ IETF 95
>
> The IAB Privacy and Security Program is meeting at the usual time for the
> PING get-together so we will send out a note to organise an informal
> get-together instead.
>
> * PING @ TPAC
>
> We will submit a request for a PING meeting slot.
>
> * PING questionnaire
>
> It would be useful to test the draft against some more specifications. We
> can expect upcoming requests from the Web Payments WG and Web
> Authentication WG.
>
> * PING outreach
>
> We need more people to step up to work with WGs on the privacy
> considerations of their specifications.
>
> Everyone, we also need to do more outreach to find new people to join PING.
>
> Please volunteer!
>
> Christine and Tara
>
> [1]
> https://github.com/anssiko/vibration/commit/48489c54e0b7ed80900e0906fa79803c8fa77069
> [2]
> https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0061.html
> [3] https://cdt.org/files/2015/10/10.16.15-CDT-Cross-Device-Comments.pdf
> [4]
> https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0095.html
> [5]
> https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0075.html
> [6]
> https://lists.w3.org/Archives/Public/public-privacy/2016JanMar/0085.html
> [7] https://www.w3.org/TR/2015/WD-mediacapture-streams-20150414/
> [8] https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-01
Received on Monday, 4 April 2016 17:04:45 UTC