Re: [w3c/screen-orientation] Add Privacy and Security Considerations section (#115)

mounirlamouri commented on this pull request.



> @@ -880,13 +880,29 @@ <h2>
 
 </pre>
     </section>
+    <section class='informative'>
+      <h2>
+        Privacy and Security Considerations
+      </h2>
+
+     
+      <section>
+        <h3>Access to aspects of a user’s local computing environment</h3>
+        <p>
+          The screen orientation type and angle of the device can be accessed with the API specified in this document,
+          and can be a potential fingerprinting vector. However, using this information is very difficult compared to other fingerprinting information. 
+          Aggregating information derived from this API is not very helpful in fingerprinting. 
+          In particular the <a href="https://w3c.github.io/deviceorientation/spec-source-orientation.html">DeviceOrientation Event Specification</a> provides a far more detailed version of the same information. 
+          So in practice, this API's minimal fingerprinting potential is unlikely to be used by any competent attack.
+        </p>
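
Review bot: The added `<p>` asserts its conclusions ("using this information is very difficult", "Aggregating information derived from this API is not very helpful", "unlikely to be used by any competent attack") without saying what each exposed value reveals or why it is redundant. Spell out the two values the paragraph names (orientation type and angle) and what each adds beyond data a page can already read, so the conclusion can be checked. Two smaller points: the hunk adds a whitespace-only line after `</h2>` and trailing spaces on three of the paragraph's lines, which should be dropped, and the hard-coded link to `spec-source-orientation.html` would be better cited through the document's reference mechanism if it has one.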

I think we can say more than that. The spec provides the following information:
- angle
- type

Type is landscape / portrait, which the website can already figure out with the `screen.width` and `screen.height`. The only information the `type` provides that wasn't available is the distinction between `primary` and `secondary`. It may be interesting to look deeper into these two sub-types.

Angle, by definition, has a strong correlation with the `type` value. I wonder if it's worth looking more into it and how it may impact fingerprinting.

I don't think it's correct to say that this API is a sub-set of Device Orientation, as Device Orientation, even if more noisy, doesn't quite offer the same information.

https://github.com/w3c/screen-orientation/pull/115#pullrequestreview-124818150

Received on Thursday, 31 May 2018 14:02:30 UTC
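
The redundancy argument in the comment above, as an added example that is not part of the original message or of the spec: it measures, over a set of readings, how many bits `type` and `angle` add beyond what `screen.width` and `screen.height` already reveal. The sample records are constructed, not measured, and they assume that the screen dimensions swap when the device rotates.

```javascript
// Constructed readings (not real measurements). Each record mimics what a page
// can read from screen.width, screen.height and screen.orientation.
// Assumption: width/height swap on rotation, as the comment's argument requires.
const SAMPLE = [
  { width: 412,  height: 915,  type: "portrait-primary",    angle: 0   },
  { width: 412,  height: 915,  type: "portrait-primary",    angle: 0   },
  { width: 915,  height: 412,  type: "landscape-primary",   angle: 90  },
  { width: 915,  height: 412,  type: "landscape-secondary", angle: 270 },
  { width: 1920, height: 1080, type: "landscape-primary",   angle: 0   },
  { width: 1920, height: 1080, type: "landscape-primary",   angle: 0   },
  { width: 1080, height: 1920, type: "portrait-primary",    angle: 90  },
  { width: 412,  height: 915,  type: "portrait-secondary",  angle: 180 },
];

// What a page can infer without the Screen Orientation API.
function classFromDimensions(r) {
  return r.width >= r.height ? "landscape" : "portrait";
}

// Shannon entropy, in bits, of the values keyFn yields over the records.
function entropy(records, keyFn) {
  const counts = new Map();
  for (const r of records) {
    const k = String(keyFn(r));
    counts.set(k, (counts.get(k) || 0) + 1);
  }
  let h = 0;
  for (const c of counts.values()) {
    const p = c / records.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// H(X | Y) = H(X, Y) - H(Y): bits X still carries once Y is known.
function conditionalEntropy(records, xFn, yFn) {
  return entropy(records, (r) => xFn(r) + "|" + yFn(r)) - entropy(records, yFn);
}

function residualBits(records) {
  return {
    // landscape/portrait half of `type`, given the dimensions
    classGivenDimensions: conditionalEntropy(records, (r) => r.type.split("-")[0], classFromDimensions),
    // full `type` (adds primary/secondary), given the dimensions
    typeGivenDimensions: conditionalEntropy(records, (r) => r.type, classFromDimensions),
    // `angle`, given `type`
    angleGivenType: conditionalEntropy(records, (r) => r.angle, (r) => r.type),
  };
}
```

On this sample the landscape/portrait part of `type` adds nothing, the primary/secondary distinction adds under one bit, and `angle` adds information beyond `type` only because the sample mixes devices whose angle differs for the same type.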