privacy New W3C Proximity Sensor API Can Be Used for User Fingerprinting

[vissha]

New W3C Proximity Sensor API Can Be Used for User Fingerprinting

 

 

New W3C API brings new fears regarding user privacy

 

Quote

A new API currently developed by the World Wide Web Consortium (W3C) called the Proximity Sensor API would allow websites and advertisers to query the position of nearby objects next to your smartphone or tablet.

 

As mobile devices evolved, so did their technical capabilities. Nowadays, when you lift your phone to your ear, the screen usually goes dark because the device uses the camera to tell if you've put it next to your ear.

 

Rear and back cameras, movement sensors, accelerometers, and many other high-tech sensors can let a smartphone, tablet, or Internet of Things device know where you are in the room, or where are other objects like walls, doors, etc..

 

Because most of these sensors provide API interfaces, the W3C has begun work on a generic JavaScript-based API that will let websites query your device, and tell it how far are nearby objects. The W3C describes this new feature as below:

 

Quote

“  The proximity level is reported as the distance (in centimeter) from the sensor to the closest visible surface.  ”

 

New W3C API could be used for user fingerprinting

 

Lukasz Olejnik, security & privacy technology engineer for the French Institute for Research in Computer Science and Automation (INRIA), and a W3C "Invited Expert" claims that this new API might pose a threat to user privacy in the future.

 

Olejnik claims that threat actors can use (malicious) code embedded on a website to leak information about the phone's user and his behavior. He says that this data could be used to fingerprint users, a technique in which advertisers might also be very interested in using.

 

An attacker could use the W3C Proximity Sensor API to gather information about how the user interacts with the device, the frequency at which he interacts with it, interaction patterns, or mechanics for holding the device in different positions, close to his head, or the distance from his face.

 

Olejnik: There's no need for verbose distance results

 

The problem, he says, comes from the fact that the new Proximity Sensor API allows two query modes. One that uses "near" and "far" distance indicators, and one that uses verbose data, in centimeters (cm).

 

Olejnik says that there's no need for the second. "Is there a need to provide a verbose proximity readout at all?" he writes on his blog. "For example, is providing readouts of proximity (distance) value up to 150 cm necessary?"

 

Besides limiting access to verbose data, the INRIA researcher also recommends that the Proximity Sensor API should also be subject to user permissions. The device must ask the user for this data, and they should be able to review what websites accessed this API and how often.

 

Olejnik's criticism, which is dated August 8, has been taken into account. The latest version of the W3C Permission Sensor API features support for browser permissions, according to a draft dated August 26. The verbose distance results have been kept. Work on the W3C Proximity Sensor API is still ongoing.

 

Source

[nIGHT]

I believe they are right that this might pose a threat to user privacy in the future.

They could detect how far you are to your wife (old girlfriend) and how close you have become with your new girlfriend.

Those kinds of information can be used for user fingerprinting and that is not good.