- From: Greg Norcie <gnorcie@cdt.org>
- Date: Thu, 18 Feb 2016 12:02:54 -0500
- To: David Singer <singer@apple.com>
- Cc: Joseph Lorenzo Hall <joe@cdt.org>, Chaals McCathie Nevile <chaals@yandex-team.ru>, W3C Privacy IG <public-privacy@w3.org>
- Message-ID: <CAMJgV7Yto5baB+M_VJCF4XM66ia8WjPzx=eyN9WyF7qKtU5AnA@mail.gmail.com>
So I did an initial read through:

First off I think it's impressive that the spec authors thought to check if a page is visible before allowing the vibration API to fire. Very good thinking!

However, I was thinking (and I'd love to hear others' thoughts) that allowing arbitrary length patterns might not be the best idea. Any new standard that allows a developer to cause device A to send a unique signal to device B can be used for cross device tracking.

Furthermore, even if we ignore the fingerprinting aspect there's a usability aspect - specifically a griefing aspect. If the API allows us to specify arbitrary patterns of arbitrary length, it'd be easy to make a very abusive web page. Forcing someone to repeatedly call the API means someone could easily write a browser extension that limits the number of vibration calls. It would also reduce the threat of using the vibrations as a signal for cross device tracking.

Anyways, these are just my initial thoughts - happy to discuss further on the call.

/********************************************/
Greg Norcie (norcie@cdt.org)
Staff Technologist
Center for Democracy & Technology
District of Columbia office
(p) 202-637-9800
PGP: http://norcie.com/pgp.txt

CDT's Annual Dinner (Tech Prom) is
April 6, 2016. Don't miss out!
learn more at https://cdt.org/annual-dinner
/*******************************************/

On Wed, Feb 17, 2016 at 12:13 PM, David Singer <singer@apple.com> wrote:

> > On Feb 16, 2016, at 17:40 , Greg Norcie <gnorcie@cdt.org> wrote:
> >
> > Would they be too faint? IIRC tempest attacks have picked up keystroke noises:
> >
> > https://www.schneier.com/blog/archives/2005/09/snooping_on_tex.html
> >
> > Couldn't a microphone also pick up vibration noises?
>
> yes, we should probably include this in the audio beaconing; I guess we
> could do some tests, but I would expect that under some circumstances a
> microphone will hear the vibration of another device.
>
> whether you could do it without the user noticing, I don’t know (whereas
> ultrasonic audio is fairly easy).
>
> but as the ‘Bump’ app showed, you can do a lot if you have synchronized
> clocks.
>
> > /********************************************/
> > Greg Norcie (norcie@cdt.org)
> > Staff Technologist
> > Center for Democracy & Technology
> > District of Columbia office
> > (p) 202-637-9800
> > PGP: http://norcie.com/pgp.txt
> >
> > CDT's Annual Dinner (Tech Prom) is
> > April 6, 2016. Don't miss out!
> > learn more at https://cdt.org/annual-dinner
> > /*******************************************/
> >
> > On Tue, Feb 16, 2016 at 8:06 PM, David (Standards) Singer <singer@apple.com> wrote:
> > yes, an obvious question is ‘beaconing’ using vibration.
> >
> > I guess this becomes more of a question for users with more than one
> > device — especially a second device that has motion sensing. But the two
> > devices would have to be awfully close for vibration to transfer.
> >
> > > On Feb 16, 2016, at 12:30 , Joseph Lorenzo Hall <joe@cdt.org> wrote:
> > >
> > > Are those two things or just one? That is, is this section claiming:
> > > 1) it is possible to fingerprint a device through the Vibration API by
> > > requesting information that could be used to uniquely identify a
> > > device by characterizing "tiny imperfections during their
> > > manufacturing"; and 2) it is possible for an external observer to
> > > identify someone close to them in physical reality ("meat space") by
> > > causing the user to visit a specific web page that then uses the
> > > Vibration API to vibrate the device (and the external observer
> > > observes this and connects a particular web session with a particular
> > > device)?
> > >
> > > Looking at the spec, it just accepts a list of integers and vibrates
> > > the device or not. So, I don't see a way to fingerprint devices using
> > > this spec by taking advantage of "tiny imperfections during their
> > > manufacturing" (of accelerometers and gyroscopes). Maybe it's in
> > > conjunction with another API that that becomes relevant? (e.g., if you
> > > were recording audio, I bet vibrating the phone with a little training
> > > could allow you to characterize the surface it's on and possibly the
> > > type of phone and if it's in a case)
> > >
> > > I think maybe drop the first fingerprinting concern (maybe I don't
> > > understand it) but keep the second concern that it allows an external
> > > observer in physical proximity to associate a device with a web
> > > session by causing the device to vibrate using the API. (A possible
> > > mitigation to allowing for highly unique vibration patterns would be
> > > to make only simple vibrations possible.)
> > >
> > > If you've read this far, know that at some point we'll probably have
> > > to deal with eavesdropping via mobile gyroscopes... so not
> > > fingerprinting but full on identification of speaker information and
> > > parsing speech:
> > >
> > > https://crypto.stanford.edu/gyrophone/files/gyromic.pdf
> > >
> > > On Tue, Feb 16, 2016 at 10:39 AM, Chaals McCathie Nevile
> > > <chaals@yandex-team.ru> wrote:
> > >> Hi,
> > >>
> > >> the Device API group are considering proposing a revision of the Vibration
> > >> API, and one of the things they propose adding is a section on Security and
> > >> Privacy.
> > >>
> > >> The current proposal is
> > >> <https://github.com/anssiko/vibration/commit/48489c54e0b7ed80900e0906fa79803c8fa77069>
> > >>
> > >> The two things identified are that vibration can be picked up with e.g.
> > >> motion sensors in the same device for fingerprinting, and that a vibrating
> > >> device can be physically observed externally.
> > >>
> > >> Wondering if anyone has further input.
> > >>
> > >> Cheers
> > >>
> > >> --
> > >> Charles McCathie Nevile - web standards - CTO Office, Yandex
> > >> chaals@yandex-team.ru - - - Find more at http://yandex.com
> > >>
> > >
> > > --
> > > Joseph Lorenzo Hall
> > > Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
> > > e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
> > > Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871
> > >
> > > CDT's annual dinner, Tech Prom, is April 6, 2016! https://cdt.org/annual-dinner
> >
> > David Singer
> > Manager, Software Standards, Apple Inc.
>
> David Singer
> Manager, Software Standards, Apple Inc.

Received on Thursday, 18 February 2016 17:03:47 UTC
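
The two mitigations raised in this thread (allowing only simple vibration patterns, and capping the number of vibration calls) sketched as an added example; it is not part of the original message or of the Vibration API spec. The `POLICY` limits and the names `simplifyPattern` and `guardVibrate` are assumptions chosen for illustration.

```javascript
// Added example. All limits below are assumed values, not taken from the spec.
const POLICY = {
  maxEntries: 3,        // vibrate, pause, vibrate: "simple vibrations" only
  stepMs: 100,          // quantize durations so timing carries little information
  maxEntryMs: 500,      // cap on any single vibrate/pause entry
  maxCallsPerWindow: 3, // cap on vibrate() calls ...
  windowMs: 10000,      // ... per 10-second sliding window
};

// Reduce a vibrate() argument (a number or a list) to a short, coarse pattern.
function simplifyPattern(pattern, policy = POLICY) {
  const list = Array.isArray(pattern) ? pattern : [pattern];
  return list.slice(0, policy.maxEntries).map((ms) => {
    const n = Number(ms);
    if (!Number.isFinite(n) || n <= 0) return 0;
    const q = Math.round(n / policy.stepMs) * policy.stepMs;
    return Math.min(Math.max(q, policy.stepMs), policy.maxEntryMs);
  });
}

// Wrap a vibrate function so callers get simplified patterns and a call budget.
// `now` is injectable so the limiter can be exercised with a fake clock.
function guardVibrate(nativeVibrate, policy = POLICY, now = Date.now) {
  let calls = [];
  return function vibrate(pattern) {
    const simple = simplifyPattern(pattern, policy);
    // An empty or all-zero pattern cancels vibration; never rate-limit that.
    const cancel = simple.every((ms) => ms === 0);
    if (!cancel) {
      const t = now();
      calls = calls.filter((c) => t - c < policy.windowMs);
      if (calls.length >= policy.maxCallsPerWindow) return false;
      calls.push(t);
    }
    return nativeVibrate(simple);
  };
}

// Install only where the API exists. An extension would have to run this in
// the page's own JavaScript context for page scripts to see the wrapper.
if (typeof navigator !== "undefined" && typeof navigator.vibrate === "function") {
  navigator.vibrate = guardVibrate(navigator.vibrate.bind(navigator));
}
```

Quantizing and truncating the pattern shrinks the space of distinguishable signals a page can emit, and the sliding window stops a page from rebuilding a long pattern out of many short calls.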