- From: Joseph Lorenzo Hall <joe@cdt.org>
- Date: Tue, 16 Feb 2016 15:30:29 -0500
- To: Chaals McCathie Nevile <chaals@yandex-team.ru>
- Cc: W3C Privacy IG <public-privacy@w3.org>
Are those two things or just one? That is, is this section claiming: 1) it is possible to fingerprint a device through the Vibration API by requesting information that could be used to uniquely identify a device by characterizing "tiny imperfections during their manufacturing"; and 2) it is possible for an external observer to identify someone close to them in physical reality ("meat space") by causing the user to visit a specific web page that then uses the Vibration API to vibrate the device (and the external observer observes this and connects a particular web session with a particular device)? Looking at the spec, it just accepts a list of integers and vibrates the device or not. So, I don't see a way to fingerprint devices using this spec by taking advantage of "tiny imperfections during their manufacturing" (of accelerometers and gyroscopes). Maybe it's in conjunction with another API that that becomes revelant? (e.g., if you were recording audio, I bet vibrating the phone with a little training could allow you to characterize the surface it's on and possibly the type of phone and if it's in a case) I think maybe drop the first fingerprinting concern (maybe I don't understand it) but keep the second concern that it allows an external observer in physical proximity to associate a device with a web session by causing the device to vibrate using the API. (A possible mitigation to allowing for highly unique vibration patterns would be to make only simple vibrations possible.) If you've read this far, know that at some point we'll probably have to deal with eavesdropping via mobile gyroscopes... so not fingerprinting but full on identification of speaker information and parsing speech: https://crypto.stanford.edu/gyrophone/files/gyromic.pdf On Tue, Feb 16, 2016 at 10:39 AM, Chaals McCathie Nevile <chaals@yandex-team.ru> wrote: > Hi, > > the Device API group are considering proposing a revision of the Vibration > API, and one of the things they propose adding is a section on Security and > Privacy. > > The current proposal is > <https://github.com/anssiko/vibration/commit/48489c54e0b7ed80900e0906fa79803c8fa77069> > > The two things identified are that vibration can be picked up with e.g. > motion sensors in the same device for fingerprinting, and that a vibrating > device can be physicall observed externally. > > Wondering if anyone has further input. > > Cheers > > -- > Charles McCathie Nevile - web standards - CTO Office, Yandex > chaals@yandex-team.ru - - - Find more at http://yandex.com > -- Joseph Lorenzo Hall Chief Technologist, Center for Democracy & Technology [https://www.cdt.org] e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871 CDT's annual dinner, Tech Prom, is April 6, 2016! https://cdt.org/annual-dinner
Received on Tuesday, 16 February 2016 20:31:16 UTC