Updating privacy considerations to reflect recomentations.

[lknik]

I think we should consider updating the considerations to reflect some of the discussions on the lists (including PING), to specify more direct recommendations (including, more directly, this one https://lists.w3.org/Archives/Public/public-device-apis/2016Feb/0072.html_. Can we go with the following?

Vibration API is not a source of data on its own and as such is not producing any data possible to consume on the Web. However, it is known that it can serve as a source of events for other APIs. In particular, it is known that certain sensors such as accelerometers or gyroscopes are prone to tiny imperfections during their manufacturing. As such, they provide a fingerprinting surface that can be exploited utilizing the vibration stimuli generated via the Vibration API. In this sense, Vibration API provides an indirect privacy risk, in conjunction with other mechanisms. This can create possibly unexpected privacy risks, including cross-device tracking and communication. Additionally, a device that is vibrating might be visible to external observers and enable physical identification, and possibly tracking of the user.

For these reasons, the user agent SHOULD inform about the past and present use of the API. Additionally, the user agent MUST allow a mechanism of limiting the the potential of using the API to create vibration patterns.

[anssiko]

Thanks! I reworded the proposal slightly, and submitted a PR #9. Please review.

[lknik]

Looks fine. Thanks!