Closed jasonanovak closed 6 years ago
alexshalamov
commented
6 years ago @jasonanovak The research paper is very interesting and definitely worth mentioning. However, it describes generic device fingerprinting attack vector that is identified in https://w3c.github.io/sensors/#device-fingerprinting, therefore, it would be better to add reference to it in the generic sensor specification.
anssiko
commented
6 years ago @jasonanovak, thank you for your review comments. If PING has any further questions or comments, please let us know. If we don't hear from you we assume you're fine with the proposed resolution: https://github.com/w3c/sensors/pull/346
anssiko
commented
6 years ago For the record, here's a summary of changes the group did to resolve this issue:
At the review of the Sensors API at TPAC 2017, PING and the Sensors WG discussed including known privacy exposures for a given sensor, e.g. the use of the gyroscope as a microphone, in the W3C specification for that specific sensor as opposed to incorporating the exposure by reference. The goal of doing so is that an implementer of the specific sensor API would see the specific privacy exposure — and mitigations — for a sensor in the spec for that sensor API.
In the case of accelerometer, that would entail incorporating a reference to the fingerprinting risk that accelerometers pose, e.g. http://synrg.csl.illinois.edu/papers/AccelPrint_NDSS14.pdf. For mitigations, the proposed mitigations in the Generic Sensor API specification could be brought over or referenced.