Re: Formal objection to raised Vibration API issue #33 from Atsushi Shimono (W3C Team) on 2024-07-11 (public-review-comments@w3.org from July 2024)

From: Atsushi Shimono (W3C Team) <atsushi@w3.org>
Date: Fri, 12 Jul 2024 01:26:58 +0900
To: Marcos Caceres <marcosc@apple.com>
Cc: public-review-comments@w3.org, Philippe Le Hégaret <plh@w3.org>
Message-ID: <4bb72eb0-405e-4556-9fec-cb2d4de20945@w3.org>
   hi Marcos,

   The Devices and Sensors Working Group has decided to update the Vibration API
specification, by publishing a new Candidate Recommendation Snapshot:

   https://lists.w3.org/Archives/Public/public-device-apis/2024Jun/0004.html


   In order to do so, WG are requesting wide review of their document, including
the security and privacy horizontal reviews:

   https://github.com/w3c/vibration/issues/39


   Potential concerns, including the ones you raised related to privacy and
overall approach, would be addressed as part of this update.

   Since you raised a formal objection related to your request to obsolete the
Recommendation, you may prefer to hold on us proceeding forward while the update
is ongoing. Please let us know before July 16 if you would like to hold,
otherwise we'll continue to proceed with your formal objection and request to
form a council.


   Thank you,

   Atsushi


----
   Below are more details related to current implementation status and current
steps of the Devices and Sensors Working Group.


1. implementation status

    Chrome implementation is in blink part [1], but device mapping was only
implemented on Android platform [2,3]

*1 https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/vibration/vibration_controller.cc;l=202;bpv=0;bpt=1

*2 https://source.chromium.org/chromium/chromium/src/+/main:services/device/vibration/vibration_manager_impl.cc

*3 https://source.chromium.org/chromium/chromium/src/+/main:services/device/vibration/vibration_manager_android.cc;l=23;bpv=0;bpt=1


    Firefox disabled Vibration API totally 2024-06-12 [4]. Related bmo bug at [5,6].
Potential some plan about Permission API integration was pointed [7], but just marked
as v2 and no activity found after 2016. Also, there was past discussion about
'vibration' to Permission Registry Enum [8], but it seems there was no such
coordination happens, nor in mozilla code [9,10]. Also there was a comment about
implementation has not updated since there is no Permission API integrated [11,12].

*4 https://hg.mozilla.org/mozilla-central/rev/3b2c2ba40e73

*5 https://bugzilla.mozilla.org/show_bug.cgi?id=1900037 (bug referenced by [4])
*6 https://bugzilla.mozilla.org/show_bug.cgi?id=1653318

*7 https://github.com/w3c/vibration/issues/10

*8 https://github.com/w3c/permissions/issues/173

*9 https://github.com/mozilla/gecko-dev/blob/master/dom/webidl/Permissions.webidl

*10 https://github.com/mozilla/gecko-dev/commits/master/dom/webidl/Permissions.webidl

*11 https://bugzilla.mozilla.org/show_bug.cgi?id=1495036

*12 https://github.com/mozilla/standards-positions/issues/907#issuecomment-1768244124


    Webkit removed its implementation at 2017-05-11 [13,14].

*13 https://trac.webkit.org/changeset/216696/webkit

*14 https://bugs.webkit.org/show_bug.cgi?id=171766



2. privacy concerns / Permission API integration

    As [7-8], Permission API integration was raised (2016-06-15) before 2nd edition
REC publication (2016-10-18), but marked as future work with label 'v2' [15].
    DAS WG decided to try bringing updates on Vibration API as a draft with
substantive changes [16], and formally submitted (full) HRs on Vibration API [17],
including Privacy review [18]. So, potential concerns will be addressed during
there. Of course, review comments will not directly have any procedural pressure
on existing REC, but most of potential (or listed) concerns should be formalized
there.

*15 https://github.com/w3c/vibration/labels/v2

*16 https://lists.w3.org/Archives/Public/public-device-apis/2024Jun/0004.html

*17 https://github.com/w3c/vibration/issues/39

*18 https://github.com/w3cping/privacy-request/issues/138




> I raise a formal objection on the Vibration API’s issue [#33]. 
> 
> Rationale: 
> 
> The W3C Vibration API is falsely claiming to be implemented by Firefox, as indicated in the implementation report. In reality, Firefox no longer supports the API in that it doesn't actually vibrate. Furthermore, the specification hasn't received interest from any other implementer in years. 
> 
> Additional reasons for obsoleting the Vibration API include:
> 
> - **Privacy Concerns**: The Vibration API can potentially be used in conjunction with other APIs to track or fingerprint devices. For instance, by generating specific vibration patterns and monitoring the timing and response of those vibrations through sensors or other feedback mechanisms, malicious actors could create a unique identifier for a device. This risk is heightened when combined with other data points, leading to more accurate device or user tracking. The specification itself already acknowledges these privacy concerns, but they remain unresolved in practice.
> 
> - **User Experience**: Haptic feedback from vibration can be perceived as intrusive and annoying by users, which is why some browsers have disabled or limited its use.
> 
> - **Technological Redundancy**: Modern devices and platforms offer more advanced and flexible haptic feedback mechanisms that are not reliant on the web's Vibration API (e.g., Gamepad API).
> 
> [#33] https://github.com/w3c/vibration/issues/33
Received on Thursday, 11 July 2024 16:27:02 UTC