w3c / wot-security

a repo exclusively for security to better manage issues and security considerations for WoT
https://w3c.github.io/wot-security/

Review PING's Privacy Threat Model draft #152

Open mmccool opened 4 years ago

mmccool commented 4 years ago

We should take a look at and provide comments to the following Privacy Threat Model draft document from the Privacy Interest Group: https://w3cping.github.io/privacy-threat-model/ It certainly overlaps in scope with some of what we have in our Security and Privacy Guidelines document.

ereshetova commented 4 years ago

I have read through the doc and here is a small summary of its current status (the doc says it is a work in progress and is far from being completed in many places):

The doc focuses on privacy threats (no countermeasures, just threats) that are specific to modern browsers. As a result, many things are not directly applicable to WoT, but the high-level privacy threats are common. Here is my understanding of how to map their high-level threats to our privacy threats:

1) Unexpected Recognition (being confident that this is the same person/device you saw before), cross-site. This threat is discussed in § 4.1 Anti-tracking.

2) Recognition, same-site

Both map to "Tracking WoT System User" in WoT privacy threats, but the interesting angle that we have not looked into is the linking of user identifiers. In the web world, they define a number of ways in which identifiers can be linked: a user clicks on a link from site A to site B, and from that we know it is the same user, who can be userid1098 on site A and userid3059 on site B. Need to check if any of these links between identifiers are possible in WoT.

3) Benign information disclosure (connected hardware [game controller or assistive device], system preferences [like dark mode]…)

Maps to "Disclosing WoT Thing/Device configuration" in WoT privacy threats.

4) Sensitive information disclosure (user location, user camera, file information, financial data, contacts, calendar…)

Maps to "Leaking WoT System User Data" in WoT privacy threats.

5) Intrusion (displaying messages/notifications, playing sounds, full screen…)

Do we have smth like this in WoT? We currently do not consider this as any privacy threat. https://www.w3.org/TR/security-privacy-questionnaire/#threats describes intrusion as "Intrusion consists of invasive acts that disturb or interrupt one's life or activities." In principle it can be in scope for the smart home scenario, for example, but it can also be viewed as "escalation of privileges" if an attacker manages to take control of a lamp so that it starts blinking in a house, causing annoyance to people who cannot turn it off.

6) Obtaining capabilities (sending SMS, finance/billing…)

IMO this is a security threat and NOT a privacy threat. In WoT threat model it is reflected in security threats and not privacy threats.

mmccool commented 4 years ago

I think we should provide the following feedback to PING:

  1. We feel that 5 and 6 are security threats, not, strictly speaking, privacy threats. Also, the examples given for 5 require capability access, covered in 6. So some examples (for example, denial-of-service attacks) that are distinct from the other threats... if you even keep this as a privacy risk.
  2. Fingerprinting should be more directly addressed: should discuss inference in general of private information, as opposed to direct leaking of private information.
  3. IoT use cases should be considered. For example, many use cases in IoT require multiple devices to be accessed. If this is possible, and device IDs are available, then it would be possible to "link" the two IDs and infer information from that linkage. However, note that IDs in IoT (WoT) are for devices, not users, so an additional step would be needed to link a user to a device.

We should also invite them to review (and cite...) our document: https://www.w3.org/TR/wot-security/ and to link to this issue https://github.com/w3c/wot-security/issues/152
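As an added illustration of the ID-linkage point raised in items 1 and 3 above (example code written for this thread, not from the wot-security repository or the PING draft): a Thing that hands every Consumer the same global device ID lets two Consumers link their observations by comparing identifiers, whereas per-Consumer pairwise identifiers derived with an HMAC over the Consumer's identity remove that link. The device URNs, the Consumer names "siteA"/"siteB" and the per-Thing secret are constructed for the demo.

```python
import hashlib
import hmac

# Constructed sample: three Things with stable, global device identifiers.
DEVICES = [
    "urn:dev:ops:example-lamp-1",
    "urn:dev:ops:example-thermostat-2",
    "urn:dev:ops:example-lock-3",
]

# Hypothetical per-Thing secret held by the Thing (or its directory) and never
# shared with Consumers; the holder can still map a pseudonym back to a device.
PAIRWISE_SECRET = b"example-secret-do-not-reuse"


def global_ids_seen_by(consumer: str, devices: list[str]) -> set[str]:
    """Weak setting: every Consumer receives the same global identifier.
    The consumer argument is ignored, which is exactly the problem."""
    return set(devices)


def pairwise_id(consumer: str, device_id: str, secret: bytes = PAIRWISE_SECRET) -> str:
    """Derive a Consumer-specific pseudonym for one device. The same device
    yields a different identifier for each Consumer, and without the secret
    no Consumer can recompute another Consumer's view of it."""
    mac = hmac.new(secret, f"{consumer}|{device_id}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def pairwise_ids_seen_by(consumer: str, devices: list[str]) -> set[str]:
    """Mitigated setting: each Consumer receives its own pairwise identifiers."""
    return {pairwise_id(consumer, d) for d in devices}


def linkable_devices(ids_a: set[str], ids_b: set[str]) -> int:
    """Devices two colluding Consumers can tie together by identifier alone."""
    return len(ids_a & ids_b)


def demo() -> tuple[int, int]:
    """Return (linkable with global IDs, linkable with pairwise IDs)."""
    global_link = linkable_devices(global_ids_seen_by("siteA", DEVICES),
                                   global_ids_seen_by("siteB", DEVICES))
    pairwise_link = linkable_devices(pairwise_ids_seen_by("siteA", DEVICES),
                                     pairwise_ids_seen_by("siteB", DEVICES))
    return global_link, pairwise_link


if __name__ == "__main__":
    g, p = demo()
    print(f"global IDs: {g}/{len(DEVICES)} linkable; pairwise IDs: {p}/{len(DEVICES)} linkable")
```

Pairwise pseudonyms only address linkage between Consumers; the extra step of tying a device to a user, noted in item 3, is unaffected by this change.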

mmccool commented 4 years ago

Issue created for PING: https://github.com/w3cping/privacy-threat-model/issues/17

mmccool commented 4 years ago

Still no comments on the issue, but I'm wondering if we should look at the document again and see if it's been updated since we last reviewed it.

mmccool commented 4 years ago

Still no comments on PING issue. @mmccool to message PING chairs.