Re: [web-bluetooth] Access device MAC address (#583)

I think the Bluetooth device address (and MAC address) cannot be exposed through the API because some platforms do not provide the device address or provide a synthetic identifier that is not useful for re-identification.

In general, web platform APIs should not expose persistent device identifiers that cannot be reset by clearing the browser's local state. See [Mitigating Browser Fingerprinting in Web Specifications](https://www.w3.org/TR/fingerprinting-guidance/#identifying-fingerprinting-surface-and-evaluating-severity). Bluetooth device addresses are typically [permanent identifiers set in hardware](https://www.w3.org/TR/fingerprinting-guidance/#no-permanent). The device address is intended to be globally unique, making it a significant risk for [active fingerprinting](https://www.w3.org/TR/fingerprinting-guidance/#active-0).

To [mitigate fingerprinting](https://www.w3.org/TR/fingerprinting-guidance/#fingerprinting-mitigation-levels-of-success) while still allowing re-identification of previously connected devices, we should develop an opaque, persistent identifier that can be invalidated when local state is cleared. This would also enable us to expose an identifier on platforms where the device address is obscured.

I think this may not be sufficient for your use case. Can you describe more about how you intend to use the identifier for synchronizing devices?

-- 
GitHub Notification of comment by nondebug
Please view or discuss this issue at https://github.com/WebBluetoothCG/web-bluetooth/issues/583#issuecomment-1099461790 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Thursday, 14 April 2022 17:44:04 UTC
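
An added example, not part of the original comment or of any browser's implementation: one possible way to build the opaque, resettable identifier the comment proposes, written for Node.js. The `OpaqueDeviceIdStore` class, its method names, the per-origin HMAC key, and the sample origins and address are all assumptions made for illustration.

```javascript
// Added illustration; not Web Bluetooth spec text or browser code.
const { randomBytes, createHmac } = require('node:crypto');

// Stand-in for the browser's per-origin local state (hypothetical model).
class OpaqueDeviceIdStore {
  constructor() {
    this.keys = new Map(); // origin -> secret key, never exposed to pages
  }

  // Lazily create a random 256-bit key for an origin.
  keyFor(origin) {
    if (!this.keys.has(origin)) this.keys.set(origin, randomBytes(32));
    return this.keys.get(origin);
  }

  // Identifier the page sees: HMAC of the normalized address under the
  // origin's key, so the hardware address itself is never revealed.
  idFor(origin, deviceAddress) {
    const normalized = deviceAddress.trim().toUpperCase().replace(/-/g, ':');
    if (!/^([0-9A-F]{2}:){5}[0-9A-F]{2}$/.test(normalized)) {
      throw new TypeError('expected a 48-bit address like AA:BB:CC:DD:EE:FF');
    }
    return createHmac('sha256', this.keyFor(origin))
      .update(normalized)
      .digest('base64url')
      .slice(0, 22); // 22 base64url characters, about 128 bits
  }

  // "Clear site data": dropping the key invalidates every identifier
  // previously handed to that origin.
  clearState(origin) {
    this.keys.delete(origin);
  }
}

// Constructed sample address and origins, not taken from any real device.
const SAMPLE_ADDRESS = '00:11:22:33:44:55';

function demo() {
  const store = new OpaqueDeviceIdStore();
  const first = store.idFor('https://a.example', SAMPLE_ADDRESS);
  const again = store.idFor('https://a.example', '00-11-22-33-44-55');
  const otherOrigin = store.idFor('https://b.example', SAMPLE_ADDRESS);
  store.clearState('https://a.example');
  const afterClear = store.idFor('https://a.example', SAMPLE_ADDRESS);
  return { first, again, otherOrigin, afterClear };
}
```

In this model the same device is re-identified by one origin until its state is cleared, while two origins cannot correlate the device by comparing identifiers.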