Re: For horizontal review: WD: Pointer Events Level 2 (Call for Wide Review)

Hi Patrick - 

Thanks for the email, apologies for the delayed response.  I have a few observations based on my understanding of the specification. Please let me know if I’m misinterpreting the spec.

- pointerId appears to be a unique value for the pointer causing the event.  I did not see anything regarding how frequently pointerIds should be reset, and as a result it seems like this could be a long term fingerprinting mechanism.  It would be a good mitigation to specify that user agents should reset these pointerIds on with some frequency and that the values not be predictable (e.g. generated randomly with cryptographically strong randomness).

- There’s a good discussion of the fact that the data exposed in pointer events — the angle or tilt at which a pen input is held, the geometry of the contact surface, and the pressure exerted on the stylus or touch screen — could be used to fingerprint a user but there’s no mention made of mitigations.  It would be a good mitigations to specify that user agents could either not provide precise values by default but rather could round the values provided; or user agents could add some element of jitter to their responses.

- Based on my read of the specification, I think that the pointer information plus timing of events could be used by a malicious website to determine if a user was using assistive technologies. This may be a consideration to call out in the Security & Privacy considerations, perhaps in a more general way, e.g. “the use of certain input technologies may reveal sensitive information about the user themselves”

Best,
Jason


> On Apr 4, 2018, at 2:34 PM, Patrick H. Lauke <redux@splintered.co.uk> wrote:
> 
> (Expanding the automated call for wide review sent here: https://lists.w3.org/Archives/Public/public-review-announce/2018Apr/0000.html)
> 
> Hello,
> 
> The Pointer Events Working Group requests review of the following specification before 2018-04-25:
> 
>   Pointer Events Level 2
>   https://www.w3.org/TR/2018/WD-pointerevents2-20180404/
> 
> The group requests feedback via public-pointer-events@w3.org
> 
> This publication is a Pre-Candidate Recommendation Draft under the
> 2014 Process [1]. Therefore, the group is looking for confirmation
> that it has satisfied its relevant technical requirements and
> dependencies with other groups.
> 
> The group has specifically asked for feedback on the following:
> 
> ============================================
> See the revision history from Pointer Events Level 1 https://www.w3.org/TR/2018/WD-pointerevents2-20180404/#revision-history. This specification primarily clarifies aspects of the previous specification which were vague and led to interoperability issues.
> 
> The specification also now features a "Security and privacy considerations" section https://www.w3.org/TR/2018/WD-pointerevents2-20180404/#security-and-privacy-considerations (which was not a requirement at the time Level 1 was published).
> 
> Note that there remains one open item which has not been covered in this version https://github.com/w3c/pointerevents/issues/173. However, the groups feels that this item, once resolved, won't result in a major substantive change (only a single additional clarifying paragraph), and would therefore welcome feedback on the specification in its current state.
> ============================================
> 
> [1] https://www.w3.org/wiki/DocumentReview
> 
> P
> -- 
> Patrick H. Lauke
> 
> www.splintered.co.uk | https://github.com/patrickhlauke
> http://flickr.com/photos/redux/ | http://redux.deviantart.com
> twitter: @patrick_h_lauke | skype: patrick_h_lauke
> 

Received on Tuesday, 24 April 2018 15:35:17 UTC