Initial Accessibility related review of Privacy Threat Model spec from Joshue O Connor on 2020-01-17 (public-privacy@w3.org from January to March 2020)

From: Joshue O Connor <joconnor@w3.org>
Date: Fri, 17 Jan 2020 11:54:35 +0000
To: public-privacy@w3.org
Cc: "group-apa-chairs@w3.org" <group-apa-chairs@w3.org>
Message-ID: <d4a8aea6-bdaf-f5f3-f73b-1e5551300781@w3.org>

Hi all,

I've had a look at the 'Privacy Threat Model' spec and here are my
thoughts. Note, this does not represent a formal review from APA (chairs
list cc'ed here) but I hope it is useful.

From an accessibility perspective, under the 'High Level Threats'
section there are attacker goals that will be useful to discuss. In
particular with regard to browser fingerprinting of people with
disabilities due to their bespoke personalisation settings and Assistive
Technologies. These could be high-contrast mode, or large text sizes,
but are not limited to that. [1]

For example, Symbol sets (AAC type) may be used as a default in the
browser, which if 'seen' by an attacker can arguably be used to identify
a user with a cognitive disability. [2]

Also currently under some of the brainstormed threats - you have listed:

#Benign information disclosure (connected hardware [game controller or
assistive device], system preferences [like dark mode]…)

I think the classification for some accessibility related use cases
would be 'Sensitive Information'. I'm thinking this kind of
personalisation requests to user agents, or the disclosure of
information regarding potentially vulnerable people, may be better
thought of as 'Sensitive' and treated as such. The potential threat to
the individual should taken as seriously as access to someone's credit
card information IMO.

From my reading of the Threat model spec, these threats are mostly of
the type, 'Correlation', 'Disclosure' threats.

Regarding the Anti-Tracking table (and boy is that vertical text hard to
read - also it is not clear exactly what text relates to what - so a
suitable caption is required at a minimum).

There is some very interesting stuff in there, and I'm wondering if this
is the place for something on the threat of browser fingerprinting and
for ideas on combatting it? Apologies if fingerprinting related use
cases etc belong in some other spec, please advise.

As a final thought as user customisation and personalization relating to
creating more accessible UIs becomes more advanced, issues of privacy
etc will become much more relevant. For example, APA have recently
published a spec 'Personalization Semantics Content Module 1.0' that
proposed use cases and a vocabulary of accessibility related semantics
that can be used to customise a UI.

From the perspective of the PING, the mere presence of these semantics
within a source file, could be used to identify a person with a
disability using these type of UIs (if enabled in the browser via a user
preference.)

I hope this help, comments etc welcome.

Thanks

Josh

[1] https://w3cping.github.io/privacy-threat-model/#high-level-threats

[2] https://globalsymbols.com/symbolsets?locale=en

[3]
https://raw.githack.com/w3c/personalization-semantics/f48303d97b8744887549c032f6ea9954d13fe165/content/index.html

--
Emerging Web Technology Specialist/Accessibility (WAI/W3C)

Received on Friday, 17 January 2020 11:54:40 UTC