w3cping / privacy-threat-model

A target privacy threat model for the Web
https://w3cping.github.io/privacy-threat-model
Apache License 2.0

Feedback from WoT Security TF #17

Open mmccool opened 4 years ago

mmccool commented 4 years ago

The WoT (Web of Things) Security TF has been reviewing this document and we have collected some feedback under the following issue: https://github.com/w3c/wot-security/issues/152. A summary follows, although please look at the issue above for ongoing discussion:

  1. We feel that 5 and 6 are security threats, not strictly speaking privacy. Also the examples given for 5 require capability access, covered in 6. So some examples (for example, denial-of-service attacks) that are distinct from the other threats... if you even keep this as a privacy risk.
  2. Fingerprinting should be more directly addressed: should discuss inference in general of private information, as opposed to direct leaking of private information.
  3. IoT use cases should be considered. For example, many use cases in IoT require multiple devices to be accessed. If this is possible, and device IDs are available, then it would be possible to "link" the two IDs and infer information from that linkage. However, note that IDs in IoT (WoT) are for devices, not users, so an additional step would be needed to link a user to a device. Also relevant here is the work being done by the DID (Decentralized ID) WG (although we would also like to see them more explicitly address IoT use cases for IDs).

Please also review and cite our "WoT Security and Privacy Guidelines" document, which, among other things, includes a threat model for WoT: https://www.w3.org/TR/wot-security/
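The linkage risk raised in item 3 (two consumers that each see a stable device ID can join their records and infer more about the owner than either knew alone) is easy to make concrete. The following is an added example, not code from the issue, the WoT Security TF, or the privacy-threat-model document: it joins two constructed record sets on a shared device ID, then shows the same join failing once each consumer is issued a per-consumer pairwise identifier (an HMAC of the device ID under a per-consumer secret). The record contents, device IDs, e-mail addresses and secrets are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data: two unrelated services that each hold records
# keyed by the same stable device identifier. Neither alone knows who the
# user is, but joined together they tie a location to a person.
SERVICE_A_RECORDS = [
    {"device_id": "dev-7f3a", "observed_zip": "94110"},
    {"device_id": "dev-0c21", "observed_zip": "10001"},
]
SERVICE_B_RECORDS = [
    {"device_id": "dev-7f3a", "owner_email": "alice@example.test"},
    {"device_id": "dev-9e44", "owner_email": "bob@example.test"},
]


def link_records(records_a, records_b, key="device_id"):
    """Join two record sets on a shared identifier (the linkage described in item 3).

    Returns the merged records for every identifier present in both sets.
    """
    index_b = {rec[key]: rec for rec in records_b}
    linked = []
    for rec in records_a:
        match = index_b.get(rec[key])
        if match is not None:
            merged = dict(rec)
            merged.update(match)
            linked.append(merged)
    return linked


def pairwise_id(device_id, consumer_secret):
    """Derive a per-consumer identifier from the global device ID.

    HMAC-SHA256 keyed with a secret the device keeps per consumer: the result
    is stable for one consumer (so it still works as an identifier there) but
    uncorrelated across consumers, so two of them cannot join on it.
    """
    digest = hmac.new(consumer_secret, device_id.encode(), hashlib.sha256).hexdigest()
    return "pw-" + digest[:16]


def issue_with_pairwise_ids(records, consumer_secret):
    """Return copies of the records with the global ID replaced by a pairwise ID."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["device_id"] = pairwise_id(rec["device_id"], consumer_secret)
        out.append(copy)
    return out


def demo():
    """Return (links with global IDs, links with pairwise IDs)."""
    # With a global device ID, the two services can join their data.
    linked_global = link_records(SERVICE_A_RECORDS, SERVICE_B_RECORDS)
    # With a different per-consumer secret for each service, the join finds nothing.
    a_pw = issue_with_pairwise_ids(SERVICE_A_RECORDS, b"constructed-secret-service-a")
    b_pw = issue_with_pairwise_ids(SERVICE_B_RECORDS, b"constructed-secret-service-b")
    linked_pairwise = link_records(a_pw, b_pw)
    return len(linked_global), len(linked_pairwise)


if __name__ == "__main__":
    print(demo())  # (1, 0)
```

The mitigation shown is the same idea as pairwise identifiers in the DID work mentioned in item 3: the device keeps one secret per consumer, so each consumer sees a stable but consumer-specific identifier. It does not stop a single consumer from profiling a device over time, and it does nothing about the extra step the comment notes, linking a device to a user, if that link is exposed by other data.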