Re: [w3ctag/spec-reviews] Review Web Bluetooth (#139)

Vincent,

Thanks for your feedback. I am happy to hear it.

My intention was to look at the API from a high-level point of view.
That’s why I also mention the Data Protection regulation side; I did consult people with expertise in this matter, of course.

You are correct, many aspects of Web Bluetooth are delegated to the user agent (e.g. how to expose it, how to show identifiers), the developer/site (e.g. how to handle the data), as well as the user (e.g. how to pick devices). All the parties should understand the sensitive nature of the API. So I agree that vendors and sites need to consider their designs carefully. That’s why I am suggesting advising that a web privacy assessment be performed, as in the case of the [Generic Sensors API](https://w3c.github.io/sensors/#security-and-privacy).

I wanted to make sure to note that any use of the API requires user permission. I understand this. I did read the specification and I did test the Chrome implementation on desktop and Android. In my opinion, the spec might not currently cover all the issues. However, I think I made it clear enough that user permissions are required for Web Bluetooth. That said, I did not feel I needed to emphasize the need for permissions in every paragraph of my note, since I made that point several times... And you are correct, devices are not paired with remote servers directly. It’s just JavaScript on a site, so technically… some data could, potentially, be sent to a server.

I do link to the very good security model [writeup](https://medium.com/@jyasskin/the-web-bluetooth-security-model-666b4e7eed2#.2m12lx3wt) by Jeffrey; I also realize the mechanism went through Chrome security team vetting (as is stated in Jeffrey's article). Similar processes take place at other security and privacy teams (e.g. [Firefox](https://bugzilla.mozilla.org/show_bug.cgi?id=674737#c13)). The reason I focused on Chrome is that I’m not aware of any major implementation other than Chrome. I would be happy if you could point me to a different implementation, if possible.

I also acknowledge the [analysis](https://developers.google.com/web/updates/2015/07/interact-with-ble-devices-on-the-web) you point to, where the API is regarded as “privacy-preserving”. However, I don’t know what this expression means in that context; it's not described, so I did not see where the privacy-preserving mechanism is.

In general, I also agree it would be good to expand privacy considerations. I’m happy to work on the issues in my spare time.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/spec-reviews/issues/139#issuecomment-256786859

Received on Thursday, 27 October 2016 22:23:10 UTC