New W3C API brings new fears regarding user privacy

Aug 28, 2016 21:10 GMT
New W3C API can be used to detect how far users keep their phones from their head

A new API currently being developed by the World Wide Web Consortium (W3C), called the Proximity Sensor API, would allow websites and advertisers to query the position of objects near your smartphone or tablet.

As mobile devices evolved, so did their technical capabilities. Nowadays, when you lift your handset to your ear, the screen usually goes dark because the phone uses the camera to tell if you've put it next to your ear.

Rear and back cameras, movement sensors, accelerometers, and many other high-tech sensors can let a smartphone, tablet, or Internet of Things device know where you are in the room, or where other objects like walls, doors, etc. are.

Because most of these sensors expose APIs, the W3C has begun work on a generic JavaScript-based API that will let websites query your device and tell how far away nearby objects are. The W3C describes this new feature as follows:

  The proximity level is reported as the distance (in centimeter) from the sensor to the closest visible surface.  

New W3C API could be used for user fingerprinting

Lukasz Olejnik, security and privacy consultant, researcher at University College London, and a W3C Invited Expert, claims that this new API might pose a threat to user privacy in the future.

Olejnik argues that threat actors can use (malicious) code embedded on a website to leak information about the phone's user and their behavior. He says that this data could be used to fingerprint users, a technique advertisers might also be very interested in using.

An attacker could use the W3C Proximity Sensor API to gather information about how the user interacts with the device, the frequency at which they interact with it, interaction patterns, or mechanics for holding the device in different positions, close to their head, or the distance from their face.

Olejnik: There's no need for verbose distance results

The problem, he says, comes from the fact that the new Proximity Sensor API allows two query modes: one that uses "near" and "far" distance indicators, and one that uses verbose data, in centimeters (cm).

Olejnik says that there's no need for the second. "Is there a need to provide a verbose proximity readout at all?" he writes on his blog. "For example, is providing readouts of proximity (distance) value up to 150 cm necessary?"
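The difference between the two query modes can be put in numbers. The JavaScript below is an added example, not code from the W3C draft or from Olejnik's post: it compares constructed distance traces for two hypothetical users in verbose and in near/far form, assuming a 5 cm near/far cut-off that the article does not specify.

```javascript
// Added illustration: readings are constructed, not measured from a device.
const NEAR_CM = 5; // assumed near/far cut-off; the article gives no threshold

// Coarsen one verbose reading (cm) to the two-valued mode.
function toNearFar(cm) {
  return cm <= NEAR_CM ? 'near' : 'far';
}

// Shannon entropy, in bits per reading, of a sequence of discrete values.
function entropyBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let bits = 0;
  for (const c of counts.values()) {
    const p = c / values.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// True when two traces are reading-for-reading identical.
function sameTrace(a, b) {
  return a.length === b.length && a.every((v, i) => v === b[i]);
}

// Constructed traces (cm) for two hypothetical users: both lift the phone to
// the ear at the same moments, but hold it at different distances otherwise.
const userA = [2, 3, 2, 30, 32, 31, 29, 2, 30, 33];
const userB = [2, 1, 2, 55, 60, 58, 57, 1, 61, 59];

// Compare what a page could tell apart in each mode.
function compare(a, b) {
  const coarseA = a.map(toNearFar);
  const coarseB = b.map(toNearFar);
  return {
    verboseDistinguishable: !sameTrace(a, b),
    coarseDistinguishable: !sameTrace(coarseA, coarseB),
    verboseBitsA: entropyBits(a),
    coarseBitsA: entropyBits(coarseA),
  };
}

console.log(compare(userA, userB));
```

In this sample the near/far traces of the two users are identical and carry under one bit per reading, while the centimeter traces differ and carry more than two and a half bits per reading.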

Besides limiting access to verbose data, the researcher also recommends that the Proximity Sensor API be subject to user permissions. The device must ask the user for permission to access this data, and users should be able to review which websites accessed this API and how often.

Olejnik's criticism, which is dated August 8, has been taken into account. The latest version of the W3C Proximity Sensor API features support for browser permissions, according to a draft dated August 26. The verbose distance results have been kept. Work on the W3C Proximity Sensor API is still ongoing.