New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Privacy and Security Considerations section #115
Conversation
index.html
Outdated
<h2> | ||
Privacy and Security Considerations | ||
</h2> | ||
<p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, I tried doing exactly this format in the past (in a different spec) and people complained. Maybe we can just chop this down to the "yes" stuff, and make a paragraph out of it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's pretty useful to have the positive and negative aspects covered, but I agree that it should be readable prose rather than answers to questions whether they are relevant or not...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This answers the questions posed by the security/privacy questionnaire, but doesn't give much useful information.
I think the point is to explain what someone might do with that information that has an impact on security and privacy.
Although it is potentially possible to lock the orientation of a device, about the only application I can think of where there is an issue is something like a compass, where it is possible to actively mislead the user. In practice, that is already possible with a compass application.
Kowing whether the user is turning their device is indeed a potential fingerprinting vector (like so many things related to sensors, also because it can be corroborated externally, e.g. by processing surveillance video of an area). However, it is a relatively complex and inefficient attack to use - in practice I would not expect to see it deployed unless users become far-more privacy concsious and protect themselves against many simpler attacks.
Remove the "locking the screen orientation" part, since it doesn't seem to have privacy and security impact. Mention the fingerprinting vector.
index.html
Outdated
<h2>Control over a user agent’s native UI</h2> | ||
<p> | ||
This specification allows locking the screen orientation to a specific state. | ||
The screen orientation type and angle of the device can be accessed with the API specified in this document, and can be a potential fingerprinting vector. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it is worth saying how weak this potential vector is, and that it is unlikely to be used while far stronger ones are available.
IMHO, even trying to use this in association with other data is difficult, except real-time comparison of external visual surveillance or device-orientation.
For example, adding
Using this information for practical fingerprinting is very difficult compared to other fingerprinting information. Aggregating information derived from this API is not very helpful in fingerprinting. The Device Orientation API provides a far more detailed version of the same information. So in practice, this API's minimal fingerprinting potential is unlikely to be used by any competent attack.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(I'll do that as a PR to your branch)
more detailed privacy considerations
I'll merge this in one day if there's no objection. Further improvements can be made later :) |
(need a few days still to review, sorry!) |
index.html
Outdated
<h3>Access to aspects of a user’s local computing environment</h3> | ||
<p> | ||
The screen orientation type and angle of the device can be accessed with the API specified in this document, | ||
and can be a potential fingerprinting vector. However, using this information is very difficult compared to other fingerprinting information. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please drop: "However, using this information is very difficult compared to other fingerprinting information."
index.html
Outdated
<p> | ||
The screen orientation type and angle of the device can be accessed with the API specified in this document, | ||
and can be a potential fingerprinting vector. However, using this information is very difficult compared to other fingerprinting information. | ||
Aggregating information derived from this API is not very helpful in fingerprinting. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same with this line.
index.html
Outdated
The screen orientation type and angle of the device can be accessed with the API specified in this document, | ||
and can be a potential fingerprinting vector. However, using this information is very difficult compared to other fingerprinting information. | ||
Aggregating information derived from this API is not very helpful in fingerprinting. | ||
In particular the <a href="https://w3c.github.io/deviceorientation/spec-source-orientation.html">DeviceOrientation Event Specification</a> provides a far more detailed version of the same information. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same, all this stuff can go. Blaming another spec for being more leaky doesn't help this one :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Making this section minimal would be better.
@chaals Any comment on Marcos's comments? Maybe we need some research papers about this topic (see Accelerometer for an example). In the meantime, I also see fingerprintjs2 detecting the screen orientation to ensure consistent fingerprints when users rotate their mobile devices, although it doesn't use the Screen Orientation API: https://github.com/Valve/fingerprintjs2/blob/f6c39229228831ffb7d84592e0529633f25c0c65/fingerprint2.js#L164 |
Aggregating information derived from this API is not very helpful in fingerprinting. | ||
In particular the <a href="https://w3c.github.io/deviceorientation/spec-source-orientation.html">DeviceOrientation Event Specification</a> provides a far more detailed version of the same information. | ||
So in practice, this API's minimal fingerprinting potential is unlikely to be used by any competent attack. | ||
</p> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we can say more than that. The spec provides the following information:
- angle
- type
Type is landscape / portrait which the website can already figure out with the screen.width
and screen.height
. The only information the type
provides that wasn't available is the distinction between primary
and secondary
. It may be interesting to look deeper into these two sub-types.
Angle, by definition has a strong correlation with the type
value. I wonder if it's worth looking more into it and how it may impact fingerprinting.
I don't think it's correct to say that this API is a sub-set of Device Orientation as Device Orientation, even if more noisy doesn't quite offer the same information.
* Privacy & Security Edits * Formatting * Reworded phrasing
Closed by #121 - @Johanna-hub did the change suggest here. Text is now in the spec. Thanks everyone for your input! |
Hmm, text is not in the spec now, because Johanna's PR was created against the We should either merge both PRs, or rebase #121 against Reopening this PR; Merging. |
Oh whoops, I should have spotted that. |
Thanks @xfq! |
Sorry about the confusion @marcoscaceres and @xfq and thanks for fixing. I created my PR against |
Either would be fine. Just note in a comment which branch it’s going into as it’s easy to miss. |
Fix #96.
One question I haven't answered yet is:
I don't know how implementations behave in this case.
Preview | Diff