
Re: For horizontal review: WD: Pointer Events Level 2 (Call for Wide Review)

From: Jason A. Novak <jnovak@apple.com>
Date: Tue, 24 Apr 2018 10:34:44 -0500
Cc: public-privacy@w3.org
Message-id: <E3986318-2AAC-456E-97B3-0A5BECE67717@apple.com>
To: "Patrick H. Lauke" <redux@splintered.co.uk>, public-pointer-events@w3.org
Hi Patrick - 

Thanks for the email, apologies for the delayed response.  I have a few observations based on my understanding of the specification. Please let me know if I’m misinterpreting the spec.

- pointerId appears to be a unique value for the pointer causing the event.  I did not see anything regarding how frequently pointerIds should be reset, and as a result it seems like this could be a long term fingerprinting mechanism.  It would be a good mitigation to specify that user agents should reset these pointerIds with some frequency and that the values not be predictable (e.g. generated randomly with cryptographically strong randomness).

- There’s a good discussion of the fact that the data exposed in pointer events — the angle or tilt at which a pen input is held, the geometry of the contact surface, and the pressure exerted on the stylus or touch screen — could be used to fingerprint a user but there’s no mention made of mitigations.  It would be a good mitigation to specify that user agents could either not provide precise values by default but rather could round the values provided; or user agents could add some element of jitter to their responses.

- Based on my read of the specification, I think that the pointer information plus timing of events could be used by a malicious website to determine if a user was using assistive technologies. This may be a consideration to call out in the Security & Privacy considerations, perhaps in a more general way, e.g. “the use of certain input technologies may reveal sensitive information about the user themselves”


> On Apr 4, 2018, at 2:34 PM, Patrick H. Lauke <redux@splintered.co.uk> wrote:
> (Expanding the automated call for wide review sent here: https://lists.w3.org/Archives/Public/public-review-announce/2018Apr/0000.html)
> Hello,
> The Pointer Events Working Group requests review of the following specification before 2018-04-25:
>   Pointer Events Level 2
>   https://www.w3.org/TR/2018/WD-pointerevents2-20180404/
> The group requests feedback via public-pointer-events@w3.org
> This publication is a Pre-Candidate Recommendation Draft under the
> 2014 Process [1]. Therefore, the group is looking for confirmation
> that it has satisfied its relevant technical requirements and
> dependencies with other groups.
> The group has specifically asked for feedback on the following:
> ============================================
> See the revision history from Pointer Events Level 1 https://www.w3.org/TR/2018/WD-pointerevents2-20180404/#revision-history. This specification primarily clarifies aspects of the previous specification which were vague and led to interoperability issues.
> The specification also now features a "Security and privacy considerations" section https://www.w3.org/TR/2018/WD-pointerevents2-20180404/#security-and-privacy-considerations (which was not a requirement at the time Level 1 was published).
> Note that there remains one open item which has not been covered in this version https://github.com/w3c/pointerevents/issues/173. However, the group feels that this item, once resolved, won't result in a major substantive change (only a single additional clarifying paragraph), and would therefore welcome feedback on the specification in its current state.
> ============================================
> [1] https://www.w3.org/wiki/DocumentReview
> P
> -- 
> Patrick H. Lauke
> www.splintered.co.uk | https://github.com/patrickhlauke
> http://flickr.com/photos/redux/ | http://redux.deviantart.com
> twitter: @patrick_h_lauke | skype: patrick_h_lauke
Received on Tuesday, 24 April 2018 15:35:17 UTC