Re: Privacy report on sensors, for generic sensors API. from Greg Norcie on 2016-03-29 (public-privacy@w3.org from January to March 2016)

From: Greg Norcie <gnorcie@cdt.org>
Date: Tue, 29 Mar 2016 10:21:13 -0400
To: "Lukasz Olejnik (W3C)" <lukasz.w3c@gmail.com>
Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>, W3C Device APIs WG <public-device-apis@w3.org>
Message-ID: <CAMJgV7YvOQw9JL44wujwYyRyZPUmmgMbqAA6G=11WgNToMW+6Q@mail.gmail.com>

Hi Lukasz,

Thanks for reaching out, we really appreciate it. We're happy to help.

Do you have a timeline for when you'll need comments by?


/********************************************/
Greg Norcie (norcie@cdt.org)
Staff Technologist
Center for Democracy & Technology
District of Columbia office
(p) 202-637-9800
PGP: http://norcie.com/pgp.txt



*CDT's Annual Dinner (Tech Prom) is April 6, 2016.  Don't miss out!learn
more at https://cdt.org/annual-dinner <https://cdt.org/annual-dinner>*
/*******************************************/

On Tue, Mar 29, 2016 at 5:49 AM, Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com>
wrote:

> Dear all!
>
> I am working on a sensors privacy (impact, risk, ...) assessment for a
> while now. And I think now it has little sense to withhold it for any
> longer, as most of the work I did some time ago, anyway.
>
> It is primarily intended for Devis APIs WG (DAP), with whom I have the
> pleasure to work on the privacy aspects of sensors API.
>
> I invite you to take a look on the document [1]. I hope it will be useful,
> and I primarily hope this can be an appropriate starting input in privacy
> considerations of sensors.
> Often, as indicated in the PDF report, even perhaps far-fetched scenarios
> are considered. Same for cross-device risks, where plausible scenario could
> be pointed to.
>
> As advised in private correspondence with (and by), Tobie Langel (DAP), it
> would be good if specific pull(s) request(s) follow. I'll look into that
> next.
>
> Also of note. It is not included in the PDF (should it?), but I believe it
> is worthy to require a secure (i.e. TLS) connection for having access to
> sensors ('secure contexts') - all of them, generically and just like that.
> I can't imagine a scenario where this could cause any issues, apart from
> the need to set up a TLS, that is.
>
> I also highlight my view and want to ask a question. Can W3C give
> guidance/recommendation/note regarding the transparency UIs (sometimes
> called "privacy user interface")? A method for a straight-forward
> user-verification of: what/how was being used, how frequent, etc.
>
> Please, enjoy ;-)
>
>
> Best regards
> Lukasz Olejnik
>
> [1] http://lukaszolejnik.com/SensorsPrivacyReport.pdf
>
>
>

Received on Tuesday, 29 March 2016 14:22:05 UTC