Web Neural Network API 2022-06-30 > 2022-09-30

[anssiko]

• name of spec to be reviewed: Web Neural Network API
• URL of spec: https://www.w3.org/TR/webnn/ (any dated version from 30 June 2022 or later is adequate)
• What and when is your next expected transition? CR in Q4 2022.
• What has changed since any previous review? See "Changes since previous privacy review" section below.
• Does your document have an in-line Privacy Considerations section, ideally one separate from the Security Considerations? https://www.w3.org/TR/webnn/#privacy
• Please point to the results of your own self-review: Self-Review Questionnaire: Security and Privacy and Self-Review Questionnaire: Security and Privacy webmachinelearning/webnn#119 for review and discussion
• Where and how to file issues arising? https://github.com/webmachinelearning/webnn/issues
• Pointer to any explainer for the spec? https://github.com/webmachinelearning/webnn/blob/main/explainer.md

Other comments: Thanks to PING participants and other privacy experts for your contributions and participation in the Web Machine Learning Working Group on behalf of the whole WG.

Changes since previous privacy review

The Web Neural Network API received early PING review during 2020-2021: PING reviewed our initial self-review response (#119), the WG merged the self-review (#132) and added initial Security and Privacy Considerations (#170):

• issue: [2020-11-05] Initial Self-Review Questionnaire response: Security and Privacy Self-Review Questionnaire: Security and Privacy webmachinelearning/webnn#119
• PR: [2021-02-18] Add responses to the Self-Review Questionnaire: Security and Privacy Add responses to the Self-Review Questionnaire: Security and Privacy webmachinelearning/webnn#132
• PR: [2021-05-27] Add initial Security and Privacy Considerations sections Add initial Security and Privacy Considerations sections webmachinelearning/webnn#170

Based on additional privacy review conducted by Google Chrome Privacy, the WG updated the privacy considerations in #259:

• PR: [2022-05-21] Add privacy considerations for cached/persisted data Add privacy considerations for cached/persisted data webmachinelearning/webnn#259

In June 2022, the WG reviewed the changes since the previous privacy review took place identifying any privacy-impacting changes:

• HTML diff for changes since 2021-05-27
• All PRs merged since 2021-05-27

The WG identified the following potentially privacy-impacting issues, triaged with a "privacy-tracker" label:

• issue: [2020-08-27] Fingerprinting via machine-specific artifacts Fingerprinting via machine-specific artifacts webmachinelearning/webnn#85
• issue: [2021-06-03] Related WebGPU Security and Privacy Considerations Related WebGPU Security and Privacy Considerations webmachinelearning/webnn#175
• issue: [2021-05-13] Device selection with MLDevicePreference and MLPowerPreference Device selection with MLDevicePreference and MLPowerPreference webmachinelearning/webnn#169
• issue: [2018-10-26] Cosine similarity between two facial features and cross origin tracking https://github.com/webmachinelearning/webnn/issues/7

The WG addressed webmachinelearning/webnn#85 webmachinelearning/webnn#175 and clarified webmachinelearning/webnn#169 in PR webmachinelearning/webnn#271. The WG elevated https://github.com/webmachinelearning/webnn/issues/7 to ethical considerations, a separate deliverable. Furthermore, the WG decided to drop WebGL dependency that removed related fingerprinting concerns:

• PR: Privacy Considerations refresh Privacy Considerations refresh webmachinelearning/webnn#271
• PR: Drop WebGL interoperability Drop WebGL interoperability webmachinelearning/webnn#273

[sandandsnow]

@anssiko, Thank you to the WG for such a thorough and detailed account of the work the group has undertaken on privacy since the last review. This is the model that all WGs should follow. Thank you.

We will be discussing the specification at our next PING meeting on 21 July 2022.

In the meantime, a couple of observations and questions:

• Thank you for (1) specifically highlighting the privacy advantages this API, namely, locally-sourced inputs remain in the browser's sandbox and (2) declaring that the API exposes the minimum amount of information needed, i.e. that it applies the principle of data minimization.
• Please keep us posted with the results of your research into the extent of the threat of fingerprinting via execution time analysis and mitigations.
• What are the software implementations (or examples) that would eliminate or reduce compute unit scheduling from being a fingerprinting risk? (The text says: " Furthermore, software implementations can be used to further eliminate such artifacts.")
• Re: "If a future version of this specification introduces support for new a device type that can only support a subset of MLOperandTypes, that may introduce a new fingerprint", what mitigations does the WG envisage should this occur?
• Re: "In general, implementers of this API are expected to be familiar with the WebGPU Privacy Considerations", it would be helpful to state that implementers are expected to apply WebGPU Privacy Considerations to their implementations.
• Possible typos in privacy considerations: "worload" => "workload"; "allow the implementation better select" => "allow the implementation to better select"

[sandandsnow]

@anssiko, one further question regarding "Power preference indicates preference as related to the power consumption and is considered a hint only and as such does not increase entropy of the fingerprint." - if power preference is set to default, what might the user agent do, and could that reveal information about the device and/or user?

[sandandsnow]

This request was discussed at the PING call on 21 July 2022, but some further consideration and follow-up is needed.

[sandandsnow]

One of the additional concerns identified is - the ethics (and privacy implications) of the identified and potential use cases of the API. A number of the use cases that it would enable are highly privacy-invasive and should include an analysis of the privacy implications of those use cases as well as mitigations. While the described use cases are probably only a subset of use cases that this API could be used for, the examples provided in the specification should help guide the use (or not use) of the API in other situations. (The issue here is not where the processing is done, but whether the API allows a specific activity and whether there is transparency and policy or user controls around that in the API.)

[sandandsnow]

@anssiko, one further question regarding "Power preference indicates preference as related to the power consumption and is considered a hint only and as such does not increase entropy of the fingerprint." - if power preference is set to default, what might the user agent do, and could that reveal information about the device and/or user?

We discussed this during the PING call, but we were not able to sort out whether the hint is fingerprintable. Could you explain in more detail how the power preference works?

[sandandsnow]

Filed webmachinelearning/webnn#280

[sandandsnow]

Closing issue as review has been completed (see webmachinelearning/webnn#280).

[anssiko]

Hi again PING!

NB: I'm piggypacking on this issue to retain context, but please let me know if I should file a new issue instead. On behalf of the WG I hope you're happy to see these changes and look forward to your comments.

We're looking to publish a new CR Snapshot of the Web Neural Network API in Q1'24 and wanted to give you a heads up with the following high-level summary of changes for your information and review:

Since the initial Candidate Recommendation Snapshot the Working Group has gathered further implementation experience and added new operations and data types needed for well-known transformers to support generative AI use cases. In addition, the group has removed select features informed by this implementation experience: higher-level operations that can be expressed in terms of lower-level primitives in a performant manner, and support for synchronous execution. The group has also updated the specification to use modern authoring conventions to improve interoperability and precision of normative definitions and is developing a new feature, a backend-agnostic storage type, to improve performance and interoperability between the WebNN, WebGPU APIs and purpose-built hardware for ML.

We have considered your privacy and ethics guidance as we have evolved this API. Specifically, we have paid attention to not add any extra bits of entropy via power preferences mechanism discussed with you earlier. Further, we have published an updated Ethical Principles for Web Machine Learning W3C Note and have welcomed new participants to the group who aspire to further advance these ethical principles. PING participants interested in this effort are welcome to join the ethics discussion too. I'd like to note your contribution in webmachinelearning/webnn#280 (comment) has been found helpful by readers and it remains at the top of the use cases section to orientate spec readers and direct them to the ethical principles document.