Are Some W3C Browser APIs Compromising User Privacy?

ProgrammableWeb recently reported that Lukasz Olejnik, a security and privacy consultant, researcher, and W3C Invited Expert, published a blog post raising privacy concerns regarding the Editor’s draft of the W3C Proximity Sensor API specification. Olejnik has written several blog posts raising privacy concerns about W3C API specification drafts including the Vibration API, Ambient Light Sensor API, Proximity Sensor API, and most recently the Web Bluetooth API. Olejnik suggests that a malicious attacker may be able to use these browser APIs to obtain user behavioral information which can then be used for browser fingerprinting. The W3C describes browser fingerprinting as "the capability of a site to identify or re-identify a visiting user, user agent or device via configuration settings or other observable characteristics."

There has been some confusion regarding the status of the W3C API specifications mentioned above. The Ambient Light Sensor API and Proximity Sensor API specifications are standards track work currently being done by the W3C Device and Sensors Working Group. The Vibration API specification became a W3C recommendation in February 2015 and last month the W3C published a second edition of the specification. The Web Bluetooth API specification is not on a W3C standards recommendation track. This API specification is pre-standards work being done in the Web Bluetooth Community Group, a group that is not chartered by W3C membership.

ProgrammableWeb reached out to Olejnik who provided some insight into his privacy analysis of the above-mentioned W3C API specifications work. Olejnik said that "new browser features are definitely providing sensitive information. They must be designed and assessed with care on the standards level, on browser implementation level, and finally - when used on sites."

Olejnik explained that the W3C working groups are focused on reviewing privacy aspects of Web specifications. The W3C is providing privacy requirements and guidance for implementers (e.g. browser vendors) whenever possible. Browser vendors decide how to handle specific cases of Web features which are still in line with W3C specifications. "I must stress that the last line of design and development is in the hands of sites and Web developers," says Olejnik. "They must know their responsibilities and the intricacies of new and modern powerful Web features. I believe it will often be necessary to conduct Web Privacy Impact Assessment. We’ll see it becoming a new standard."

The W3C Web Application Security Working Group is working on a Permissions API specification draft that aims to define a common infrastructure for other W3C specifications that may require user permissions via a Web browser. Regarding the W3C Web Bluetooth API pre-standards work draft, Olejnik’s blog post states that "it's necessary to think whether Web Permissions for Web Bluetooth are enough."

"The new version of Permissions API is versatile; it’s a good mechanism. My main concern is its granularity. I am not exactly sure if it allows - as currently defined - to be fully flexible," explains Olejnik. "I believe Web browsers should focus more on transparency and accountability aspects. When I visit a site, why can’t we still easily see which APIs are being used there and in what way?"

"Lukasz is a participant in W3C's Privacy Interest Group. His analyses of draft specifications for Working Groups help us to improve the APIs before we recommend them to the Web community. We welcome this kind of review to protect privacy and address other potential issues," W3C Strategy Lead Wendy Seltzer told ProgrammableWeb. "In the case of W3C Community Groups such as Bluetooth API, it is also valuable to see the development of draft reports before they are even considered for potential standards track work."

"Privacy is one of many horizontal reviews (accessibility, security, internationalization being others) that W3C staff, members, invited experts, and public stakeholders review throughout the complex process of developing Web standards," says Karen Myers, business development officer at World Wide Web Consortium. "While these reviews are on-going, it is especially important that these horizontal reviews are done before the specifications reach 'Candidate Recommendation' in the W3C process."

To find out more about the W3C, visit https://www.w3.org. To read Olejnik’s W3C APIs privacy analyses, visit https://blog.lukaszolejnik.com.

Janet Wagner is a technical writer and contributor to ProgrammableWeb covering breaking news, in-depth analysis, and product reviews. She specializes in creating well-researched, in-depth content about APIs, machine learning, deep learning, computer vision, analytics, GIS/maps, and other advanced technologies.
