Researcher Raises Privacy Concerns Regarding W3C Proximity Sensor API

In June of this year, W3C released the first draft of the Proximity Sensor API based on the Generic Sensor API specification. The W3C Generic Sensor API specification aims to define a Framework for exposing sensor data and promote consistency across sensor APIs. The Proximity Sensor API specification has been updated so that it extends the Generic Sensor API providing data about the proximity level and defining a sensor interface for detecting nearby objects and reporting their distance (proximity to the device) in centimeters.

Lukasz Olejnik, a security and privacy consultant, researcher, and W3C Invited Expert, recently published a blog post raising privacy concerns regarding the updated draft of the W3C Proximity Sensor API, the draft based on the Generic Sensor API. Olejnik suggests that it is possible for a malicious attacker to use the W3C Proximity Sensor API to obtain behavioral information about individual users which can then be used for user fingerprinting. He makes several recommendations in regards to the issue of fingerprinting e.g. the device should be able to alert users in the event proximity sensor data is accessed by a website and that proximity sensors should be subject to user permissions.

About a month ago the W3C released an updated working draft of the Generic Sensor API that includes security and privacy considerations such as user fingerprinting. The draft says that when sensors are used together along with other functionality, privacy risks can arise such as "correlation of data and user identification through fingerprinting." The draft also mentions the need for developers to enable user permissions when it comes to sensors: "User agents should consider providing the user an indication of when the sensor is used and allowing the user to disable it."

There is also an interesting paper on the Cornell University Library arXiv site titled "Stealing PINs via Mobile Sensors: Actual Risk versus User Perception." The research paper takes a look at using JavaScript-based code, mobile sensors, and an artificial neural network to successfully steal user PINs on mobile devices.

Clearly developers need to take into consideration user privacy and security when creating applications and websites that utilize mobile sensors and specifications like the W3C Proximity Sensor API.

For more information about the W3C Proximity Sensor API, visit the W3C Editor's Draft on GitHub or the current working draft on the official W3C website.

Be sure to read the next Standards article: How Industry Standardization Will Impact Data Access