- From: Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com>
- Date: Mon, 11 Apr 2016 10:33:43 +0200
- To: Christine Runnegar <runnegar@isoc.org>
- Cc: Nick Doty <npdoty@ischool.berkeley.edu>, Greg Norcie <norcie@cdt.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Message-ID: <CAC1M5qqzCcnpyY39_wkp=A=1xh1FC-ewyd=WGJeJtWAWvpp9Qw@mail.gmail.com>
Great, thanks. I'll then work as a connector and bake out the final considerations. Then I'll proceed with a preliminary ambient light sensors work (mostly based on my report). But my modest take is that a lot if "unexpected" here. I am still inclined to treat Vibration per se as something providing "input" (for other sensors e.g. accelerometers, maybe microphones - although this would likely be quite difficult to do it reliably), and technically this is mostly out-of-bands even. LO 2016-04-11 7:57 GMT+02:00 Christine Runnegar <runnegar@isoc.org>: > To Nick’s question about feedback to Frederick/DAP, I will take this on. > > Any last comments, observations, ideas before I send a note? > > Christine (PING co-chair) > > On 29 Mar 2016, at 10:35 PM, Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com> > wrote: > > > > > > > > 2016-03-27 7:59 GMT+02:00 Nick Doty <npdoty@ischool.berkeley.edu>: > > This topic was discussed on this week's PING teleconference and I wanted > to make a couple notes on the mailing list of issues that came up that > might not already be in this or related threads. > > > >> On Mar 8, 2016, at 2:52 AM, Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com> > wrote: > >> > >> Beaconing, device fingerprinting, cross device tracking, these all > describe the same threat model: Device A generates some sort of unique > signal, which is picked up by device B and used to link the two devices. > >> > >> Fingerprinting does not need to concern a device B. > > > > One additional threat might be cross-origin or cross-browser tracking on > a single device. So in addition to fingerprinting via finding > idiosyncracies in a particular accelerometer (with vibration as the > trigger), it might also be possible for different browsing contexts on a > single device to communicate in unexpected ways, by noticing accelerometer > changes at the same moment that a vibration is called. That is, the user > might not want example.com in a private browsing window and example.com > in a regular browsing window to know that she is the same user, but a > vibration called by one origin and accelerometer changes noted in another > window could allow for that correlation. This allows for cross-origin > correlation and also cross-browser correlation, on the same device. > > > > Maybe there are essentially different levels here: device fingerprinting > (single origin on multiple visits), device fingerprinting (across origins), > cross-origin communication (on-device), cross-browser communication > (on-device), cross-device communication, beaconing (to other people in the > room). The consideration should be to note that the Vibration API, in > combination with microphone or accelerometer access, could enable all of > these capabilities unexpectedly. > > > > But is this a risk related to Vibration API, or others? > > It is a combined risk, and also the list of potential sensor APIs might > be subject to change. Isn't it better to leave it as is proposed (that > vibration CAN be used and poses a risk, but with conjunction with other > sensors)? So once again, vibration can induce/produce data. But to read it, > other sensors need to be used (in case of same device). > > > > > > I'm just wondering what would be the best way to avoid any confusing > parts. > > Specifically, fingerprinting is mostly related to the construction of > other sensors. > > That said, the word "unexpectedly" also sounds good. > > > > > >> My logic was that if we limit the Vibration API to some very specific > calls (like a dot, and a dash), it would be easier to audit use of the API. > Yes, a developer may have to repeatedly call: dot() dash() dot() dash() > dot() dash(), but an unusual amount of calls to the API could be a signal > auditors use to > >> > >> While I'm unsure if developers would like that ;-) - I certainly > encourage putting thought into transparency recommendations, and privacy > UIs. Many good things can be done by browser vendors... > > > > +1 that auditing here would be very useful, if difficult. I'm not sure > the API would need to be reduced to dot(), dash() to enable that auditing; > the user agent can log exactly what pattern is being used in the > millisecond separation model and could theoretically decide to warn the > particularly concerned user (or log for followup by an auditor) if it sees > something particularly elaborate. I'm not sure separating the vibration > calls into different methods will make that logging any different. > > > > I agree. Browsers would have little problems with providing this > information. Now: how to incentive them? I am thinking about some > transparency/UI note for a while now. > > > > > > > > --- > > > > As a process matter, it sounds like we're hoping to hear back from > Lukasz about some further elaboration/research on the fingerprinting > concern. Once that happens, is someone in charge of getting back to > Frederick/DAP with the combined results of this thread? > > > > I sent a more detailed PDF to the list, already. > > > > > > Cheers, > > Nick > >
Received on Monday, 11 April 2016 08:34:17 UTC