w3c / deviceorientation

W3C Device Orientation spec
https://www.w3.org/TR/orientation-event/

limit precision to mitigate sensor calibration fingerprinting #86

Closed npdoty closed 4 years ago

npdoty commented 4 years ago

require no more precise than 0.1 degrees, 0.1 degrees per second, 0.1 meters per second squared

- updated examples to keep precision limits
- updated privacy considerations to note sensor calibration as threat
- added reference to sensorid paper

draft attempt to address w3c/deviceorientation#85. Feel free to comment or edit to match WG style etc. May also need updates to web platform tests to confirm that sensors do not return more precise values.

h/t @jensenpaul for https://github.com/JensenPaul/sensor-fingerprint-mitigation
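The precision limits from the PR description above, as an added example that is not part of the PR or the spec: a rounding function plus a check that event values are no more precise than 0.1. The helper names and the sample reading are assumptions constructed for illustration; the property names are those of DeviceOrientationEvent and DeviceMotionEvent.

```javascript
// Added example (not from the PR or the spec). Limits are the ones the PR
// states: 0.1 degrees, 0.1 degrees per second, 0.1 meters per second squared.
const STEPS_PER_UNIT = 10; // 1 / 0.1
const AXES = ["alpha", "beta", "gamma", "x", "y", "z"];
// DeviceMotionEvent groups; DeviceOrientationEvent has alpha/beta/gamma directly.
const GROUPS = ["acceleration", "accelerationIncludingGravity", "rotationRate"];

// Round to the nearest 0.1; null (value unavailable) passes through.
function limitPrecision(value) {
  if (value === null || value === undefined) return null;
  return Math.round(value * STEPS_PER_UNIT) / STEPS_PER_UNIT;
}

// True when value is a multiple of 0.1. The tolerance absorbs binary
// floating-point error: most multiples of 0.1 are not exact doubles.
function isWithinLimit(value) {
  if (value === null || value === undefined) return true;
  if (!Number.isFinite(value)) return false;
  const steps = value * STEPS_PER_UNIT;
  return Math.abs(steps - Math.round(steps)) < 1e-6;
}

// Yield [path, holder, axis] for each reading present on an event-shaped object.
function* readings(event) {
  const holders = [["", event], ...GROUPS.map((g) => [`${g}.`, event[g]])];
  for (const [prefix, o] of holders) {
    for (const axis of AXES) if (o && axis in o) yield [prefix + axis, o, axis];
  }
}

// Names of the readings that are finer than the limit.
function tooPreciseFields(event) {
  return [...readings(event)].filter(([, o, a]) => !isWithinLimit(o[a])).map(([p]) => p);
}

// Deep copy with every reading rounded to the limit (input is left untouched).
function limitEvent(event) {
  const copy = JSON.parse(JSON.stringify(event));
  for (const [, o, a] of readings(copy)) o[a] = limitPrecision(o[a]);
  return copy;
}

// Constructed sample of an unmitigated devicemotion reading.
const rawMotion = {
  acceleration: { x: 0.0123, y: -0.3, z: 9.8066 },
  accelerationIncludingGravity: null,
  rotationRate: { alpha: 1.25, beta: null, gamma: 0 },
};
console.log(tooPreciseFields(rawMotion), tooPreciseFields(limitEvent(rawMotion)));
```

In a browser, `tooPreciseFields` can be called from a `devicemotion` or `deviceorientation` listener to confirm that an implementation does not return values finer than the limits.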



marcoscaceres commented 4 years ago

Filed Gecko bug https://bugzilla.mozilla.org/show_bug.cgi?id=1642862

marcoscaceres commented 4 years ago

While I'm here, is there something in the spec about capping the sampling frequency? https://bugzilla.mozilla.org/show_bug.cgi?id=1292751

npdoty commented 4 years ago

@marcoscaceres looks to me like the previous versions of the spec in the Geolocation WG suggested a 60hz frequency, but that language was subsequently removed. I'm not sure why, unless the threat and mitigation are discussed in a different Sensor spec.

https://www.w3.org/TR/2016/CR-orientation-event-20160818/#security-and-privacy

marcoscaceres commented 4 years ago

No idea... Maybe someone can do some git archeology and figure out when/why it got removed? The Gecko bug seems to suggest 25hz is ok... and maybe cap at 60hz? We can do this separately tho.

anssiko commented 4 years ago

> when/why it got removed?

See https://github.com/w3c/deviceorientation/pull/59 and https://www.w3.org/2018/10/23-dap-minutes.html#x18

This PR intends to fix fragmentation of the DevMotion & Orientation, in relation to security and privacy features. https://github.com/w3c/deviceorientation/pull/49#issuecomment-347468878

This update aligned the normative spec language with reality i.e. what was implemented in Chrome, Firefox, Safari, and Edge (the EdgeHTML based) as of 2018.

reillyeon commented 4 years ago

Let's move discussion about the sensor update frequency to another issue.

marcoscaceres commented 4 years ago

@reillyeon filed https://github.com/w3c/deviceorientation/issues/87