From 0ee403765a71c457cbc7cb4db60ac8aeb93a452b Mon Sep 17 00:00:00 2001 From: Raphael Kubo da Costa Date: Wed, 15 Dec 2021 17:08:42 +0100 Subject: [PATCH 1/2] editorial: Add reading quantization and threshold check algorithms. Related to #63, which says the granularity of the data exposed by Ambient Light Sensors should be specified normatively. This commit goes a bit further and specifies the two anti-fingerprinting measures currently implemented by Chrome -- namely, not only are illuminance values rounded but there's also a threshold value check to avoid storing values that are too close to the latest reading. w3c/sensors#429 defines the concepts of "reading quantization algorithm" and "threshold check algorithm" that concrete sensors can specify. We specify both here, along with some values used by them (based on the current Chromium values): - An "illuminance rounding multiple" of at least 50lx. - An "illuminance threshold value" of at least 25lx (half the illuminance rounding multiple, to be more precise). These values are then used in the following algorithms: - The "threshold check algorithm" checks that the difference between new and current illuminance values is above the illuminance threshold value. - The "reading quantization algorithm" rounds up readings to the closest multiple of the illuminance rounding multiple. --- index.bs | 161 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 157 insertions(+), 4 deletions(-) diff --git a/index.bs b/index.bs index cef7397..00f9fc8 100644 --- a/index.bs +++ b/index.bs @@ -49,6 +49,54 @@ urlPrefix: https://w3c.github.io/sensors/; spec: GENERIC-SENSOR text: mock sensor type text: MockSensorType text: mock sensor reading values + text: threshold check algorithm + text: reading quantization algorithm + text: latest reading +urlPrefix: https://tc39.es/ecma262/; spec: ECMA-262 + type: abstract-op + text: abs; url: eqn-abs + + +
+{
+  "ALSPRIVACYANALYSIS": {
+    "title": "Privacy analysis of Ambient Light Sensors",
+    "authors": [
+      "Lukasz Olejnik"
+    ],
+    "href": "https://blog.lukaszolejnik.com/privacy-of-ambient-light-sensors/",
+    "id": "ALSPRIVACYANALYSIS",
+    "date": "31 August 2016"
+  },
+  "PINSKIMMINGVIASENSOR": {
+    "title": "PIN Skimming: Exploiting the Ambient-Light Sensor in Mobile Devices",
+    "authors": [
+      "Raphael Spreitzer"
+    ],
+    "href": "https://arxiv.org/abs/1405.3760",
+    "id": "PINSKIMMINGVIASENSOR",
+    "date": "15 May 2014"
+  },
+  "STEALINGSENSITIVEDATA": {
+    "title": "Stealing sensitive browser data with the W3C Ambient Light Sensor API",
+    "authors": [
+      "Lukasz Olejnik"
+    ],
+    "href": "https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/",
+    "id": "STEALINGSENSITIVEDATA",
+    "date": "19 April 2017"
+  },
+  "VIDEORECOGNITIONAMBIENTLIGHT": {
+    "title": "Video recognition using ambient light sensors",
+    "authors": [
+      "Raphael Spreitzer"
+    ],
+    "href": "https://doi.org/10.1109/PERCOM.2016.7456511",
+    "id": "VIDEORECOGNITIONAMBIENTLIGHT",
+    "publisher": "IEEE",
+    "date": "21 April 2016"
+  }
+}
 
Introduction {#intro} 
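Review bot: in the `@@ -49,6 +49,54 @@` hunk, the new VIDEORECOGNITIONAMBIENTLIGHT biblio entry lists exactly the same single author as PINSKIMMINGVIASENSOR ("Raphael Spreitzer") while pointing at a different venue, publisher and DOI; please confirm the author list against the DOI record before this entry is cited from the normative security section. The entries otherwise follow the existing inline biblio style and the new anchor imports (`threshold check algorithm`, `reading quantization algorithm`, `latest reading`, `abs`) match the terms used by the algorithms added later in the patch.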
@@ -185,14 +233,56 @@ the device environment. Potential privacy risks include: the light levels associated with visited and unvisited links i.e. visited links styled as a block of black screen; white for unvisited. -To mitigate these Ambient Light Sensor specific threats, user agents should -use one or both of the following mitigation strategies: - - limit maximum sampling frequency - - reduce accuracy of sensor readings +Works such as [[ALSPRIVACYANALYSIS]], [[PINSKIMMINGVIASENSOR]], +[[STEALINGSENSITIVEDATA]], and [[VIDEORECOGNITIONAMBIENTLIGHT]] delve further +into these issues. + +To mitigate these threats specific to Ambient Light Sensor, user agents must +reduce accuracy of sensor readings. User agents may also limit +maximum sampling frequency. These mitigation strategies complement the [=mitigation strategies|generic mitigations=] defined in the Generic Sensor API [[!GENERIC-SENSOR]]. +Reducing sensor readings accuracy {#reduce-sensor-accuracy} +----- + +In order to [=reduce accuracy=] of sensor readings, this specification defines +a [=threshold check algorithm=] (the [=ambient light threshold check +algorithm=]) and a [=reading quantization algorithm=] (the [=ambient light +reading quantization algorithm=]). + +These algorithms make use of the [=illuminance rounding multiple=] and the +[=illuminance threshold value=]. Implementations must adhere to the following +requirements for their values: + + - The [=illuminance rounding multiple=] must be at least 50 lux. + - The [=illuminance threshold value=] should be at least half of the + [=illuminance rounding multiple=]. + +Note: Choosing an [=illuminance rounding multiple=] requires balancing not +exposing readouts that are too precise while also providing readouts that are +still useful for API users. 
The value of 50 lux as a minimum for the +[=illuminance rounding multiple=] was determined in GitHub +issue #13 after different ambient light level measurements under different +lighting conditions were gathered + and shown to thwart the attack described in [[STEALINGSENSITIVEDATA]]. 50 +lux is also higher than the 5 lux required to make video recognition using +ambient light sensor readings ([[VIDEORECOGNITIONAMBIENTLIGHT]]) infeasible. + +Note: The [=illuminance threshold value=] is used to prevent leaking the fact +that readings are hovering around a particular value but getting quantized to +different values. For example, if [=illuminance rounding multiple=] is 50, this +prevents switching the illuminance value between 0 and 50 if the raw readouts +switch between 24 and 26. The efficacy of the [=threshold check algorithm=] as +an auxiliary fingerprinting mitigation strategy has not been mathematically +proven, but it has been added to this specification based on implementation +experience. Chromium bug 1332536 and Chromium review 3666917 contain more +information about this. + Model {#model} ===== @@ -218,6 +308,17 @@ Note: The precise lux value reported by different devices in the same light can be different, due to differences in detection method, sensor construction, etc. +The Ambient Light Sensor has an illuminance rounding +multiple, measured in lux, which represents a number whose multiples the +illuminance readings will be rounded up to. + +The Ambient Light Sensor has an illuminance threshold value, +measured in lux, which is used in the [=ambient light threshold check +algorithm=]. + +Note: see [[#reduce-sensor-accuracy]] for minimum requirements for the values +described above. + API {#api} === @@ -264,6 +365,58 @@ Abstract Operations {#abstract-operations} 1. Return |ambient_light_sensor|. +

Ambient light threshold check algorithm

+ +The [=Ambient Light Sensor=] [=sensor type=] defines the following [=threshold +check algorithm=]: + +
+ : input + :: |newReading|, a [=sensor reading=] + :: |latestReading|, a [=sensor reading=] + : output + :: A [=boolean=] indicating whether the difference in readings is + significant enough. + + 1. If |newReading|["illuminance"] is null, return true. + 1. If |latestReading|["illuminance"] is null, return true. + 1. Let |newIlluminance| be |newReading|["illuminance"]. + 1. Let |latestIlluminance| be |latestReading|["illuminance"]. + 1. If [$abs$](|latestIlluminance| - |newIlluminance|) < [=illuminance + threshold value=], return false. + 1. Let |roundedNewIlluminance| be the result of invoking the [=ambient light + reading quantization algorithm=] algorithm with |newIlluminance|. + 1. Let |roundedLatestIlluminance| be the result of invoking the [=ambient + light reading quantization algorithm=] algorithm with |latestIlluminance|. + 1. If |roundedNewIlluminance| and |roundedLatestIlluminance| are equal, + return false. + 1. Otherwise, return true. +
+ +Note: This algorithm invokes the [=ambient light reading quantization +algorithm=] to ensure that readings that round up to the same value do not +trigger an update in the main [=update latest reading=] algorithm. Not doing so +would indicate to users that the raw illuminance readings are within a range +where they differ by at least the [=illuminance threshold value=] but do not +round up to different [=illuminance rounding multiple=]. + +

Ambient light reading quantization algorithm

+ +The [=Ambient Light Sensor=] [=sensor type=] defines the following [=reading +quantization algorithm=]: + +
+ : input + :: |reading|, a [=sensor reading=] + : output + :: A [=sensor reading=] + + 1. Let |quantizedReading| be |reading|. + 1. Set |quantizedReading|["illuminance"] to the multiple of the [=illuminance + rounding multiple=] that |reading|["illuminance"] is closest to. + 1. Return |quantizedReading|. +
+ Automation {#automation} ========== This section extends the [=automation=] section defined in the Generic Sensor API [[GENERIC-SENSOR]] From 44e8b4168472ec98108605692a3c579424877779 Mon Sep 17 00:00:00 2001 From: Raphael Kubo da Costa Date: Thu, 2 Jun 2022 18:09:11 +0200 Subject: [PATCH 2/2] Add the "tracking-vector" class to the security section. This follows https://w3c.github.io/fingerprinting-guidance/#mark-fingerprinting and makes it clear that this API can increase the fingerprinting surface despite the proposed mitigations. --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 00f9fc8..8b9dd15 100644 --- a/index.bs +++ b/index.bs @@ -214,7 +214,7 @@ Examples {#examples} Security and Privacy Considerations {#security-and-privacy} =================================== -Ambient Light Sensor provides information about lighting conditions near +

Ambient Light Sensor provides information about lighting conditions near the device environment. Potential privacy risks include: - Profiling. Ambient Light Sensor can leak information about user's use
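Review bot: in the `@@ -185,14 +233,56 @@` hunk the two value requirements have different strength: the rounding multiple "must be at least 50 lux" but the threshold value only "should be at least half" of it, even though the commit message and the 24/26 example in the second note both rely on the threshold being at least half the multiple (with a 50 lux multiple and a threshold below 25 lux, a 24 to 26 swing still clears the threshold and is quantized to 0 and 50 respectively). Either make the threshold requirement a "must" or say what the note's guarantee becomes when an implementation picks a smaller value. The same note should also state which value |latestReading| holds when the check runs: the 24/26 example only holds if the stored reading is the raw 24, because if the stored value is the already-quantized 0 or 50 then abs(50 - 24) = 26 passes a 25 lux threshold and the value flips on every sample.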
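Review bot: in the `@@ -218,6 +308,17 @@` hunk the illuminance rounding multiple is defined as a number whose multiples readings "will be rounded up to", but the reading quantization algorithm added later in this patch rounds to the multiple the reading "is closest to" (so 24 becomes 0, not 50). Suggest "rounded to the nearest multiple of" here so that the model definition and the algorithm agree, and the same wording fix applies to "round up" in the note after the threshold check algorithm.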
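Review bot: in the `@@ -264,6 +365,58 @@` hunk the quantization step "the multiple of the [=illuminance rounding multiple=] that |reading|["illuminance"] is closest to" leaves ties unspecified: with a 50 lux multiple a raw 25 lux reading is equidistant from 0 and 50, and with the recommended threshold of half the multiple that boundary is exactly where the threshold check starts passing, so implementations can disagree on the exposed value; pick a rule (for example round half up) and state it. Two smaller points: "Let |quantizedReading| be |reading|" reads as aliasing the input map rather than copying it, so the following set step would modify the caller's reading; say "a copy of |reading|". And in the threshold check text, "algorithm=] algorithm" is duplicated in the two quantization steps, "indicate to users" should be "indicate to script", and "do not round up to different [=illuminance rounding multiple=]" wants to be "do not round to different multiples of the [=illuminance rounding multiple=]".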