Re: RfC: wide review of WebDriver extensions for Sensor APIs

Hi Anssi,

Thanks for the reply.  Follow up inline below:
on that there are no PING relevant privacy issues for the WebDriver extensions.

>> However, I do see a variety of other privacy sensitive issues in the specs, unrelated to WebDriver.  Is there a point where the WG could work through some of these with PING during a regular PING call?
> 
> The parts unrelated to WebDriver received wide review from PING earlier and PING feedback has been incorporated since first CR publications Mar 2018. These parts have not changed substantially since that review took place. Please refer to PING teleconference Nov 2 2017 and PING TPAC F2F 9 Nov 2017 minutes. You may also want to talk to Tara or Christine who helped facilitate these reviews. See also the wide review paper trail at https://github.com/w3c/sensors/issues/299
> 
> Please let me know if you'd like to revisit the earlier discussions in a PING call, or if you have further questions.

I’ll follow up with the PING chairs and group this week (we have a call this Thursday) and follow up then. In the meantime though, was wondering if your group was familiar with this work [1] on using sensor APIs for permissionless fingerprinting, if the standard has been updated to fix / prevent these attacks, and if not, how the standard should be adopted to fix. (TL;DR; you can derive devices w/ ~67 bit identifiers if they have accelerometers installed, using the sensor APIs).

Refs:
1: https://www.repository.cam.ac.uk/bitstream/handle/1810/294227/405.pdf?sequence=3


> Thanks,
> 
> -Anssi

Thanks right back :)
Pete 

Received on Monday, 21 October 2019 19:40:32 UTC