Re: Which questionnaire?

Hello,

Just to add a few eurocents - I wrote the considerations in Vibration API.

Thank you Christine - guidance in a good direction!

It's definitely a good idea to start from the known issues/types/cases.
However - from experience - it's often quite challenging (but fun) to list
or identify the risks/identifiers/etc upfront. That also highly depends on
the specific APIs.

Best
Lukasz

Ps. Perhaps slightly relevant:
https://blog.lukaszolejnik.com/battery-status-not-included-assessing-privacy-in-w3c-web-standards/

2017-05-04 20:03 GMT+02:00 Christine Runnegar <runnegar@isoc.org>:

> Dear Charles,
>
> Thank you! We really need to push forward with the PING annotated privacy
> questionnaire.
>
> Greg Norcie did a lot of work on this before moving on to other
> adventures. I believe Wendy added it to GitHub here:
> https://github.com/w3c/privacy-considerations
>
> Perhaps you could help me move this along.
>
> I think one place to start to add to the draft is to list out some of the
> common potential privacy risks that we have already seen, how these have
> been addressed in specs and what could be improved.
>
> (For example, a common concern is the use of identifiers or things that
> could behave like identifiers, especially those that are persistent and
> unique.
> If we break this down into small pieces that people can comment on via
> email, I think we will make better progress.
> There are also probably some common principles we could draw out for APIs
> that access sensor data.)
>
> As an example, here is what is in the privacy considerations of the
> Vibration API - https://www.w3.org/TR/vibration/#security-and-
> privacy-considerations
>
> Vibration API is not a source of data on its own and as such is not
> producing any data possible to consume on the Web. However, it is known
> that it can serve as a source of events for other APIs. In particular, it
> is known that certain sensors such as accelerometers or gyroscopes are
> prone to tiny imperfections during their manufacturing. As such, they
> provide a fingerprinting surface that can be exploited utilizing the
> vibration stimuli generated via the Vibration API. In this sense, Vibration
> API provides an indirect privacy risk, in conjunction with other
> mechanisms. This can create possibly unexpected privacy risks, including
> cross-device tracking and communication. Additionally, a device that is
> vibrating might be visible to external observers and enable physical
> identification, and possibly tracking of the user.
>
> For these reasons, the user agent SHOULD inform the user when the API is
> being used and provide a mechanism to disable the API (effectively no-op),
> on a per-origin basis or globally.
>
> Christine
>
> > On 4 May 2017, at 12:40 pm, Chaals is Charles McCathie Nevile <
> chaals@yandex-team.ru> wrote:
> >
> > Hi,
> >
> > For microdata, I went through the questionnaire at
> https://www.w3.org/TR/security-privacy-questionnaire/
> >
> > It turns out that the content in https://www.w3.org/wiki/
> Privacy/Privacy_Considerations seems
> > much better expressed and more thorough in terms of privacy.
> >
> > There is also a repo, but last time I went there it was unclear how to
> actually contribute.
> > Now I cannot find it at all, although I did find https://github.com/w3c/
> privacy-considerations
> >
> > How can I help get a good privacy questionnaire published by PING?
> >
> > cheers
> >
> >
> > --
> > Charles McCathie Nevile   -   standards   -   Yandex
> > chaals@yandex-team.ru - Find more at http://yandex.com
> >
> >
>
>
>

Received on Thursday, 4 May 2017 18:20:06 UTC