diff --git a/index.bs b/index.bs index cef7397..dc05de8 100644 --- a/index.bs +++ b/index.bs @@ -49,6 +49,54 @@ urlPrefix: https://w3c.github.io/sensors/; spec: GENERIC-SENSOR text: mock sensor type text: MockSensorType text: mock sensor reading values + text: threshold check algorithm + text: reading quantization algorithm + text: latest reading +urlPrefix: https://tc39.es/ecma262/; spec: ECMA-262 + type: abstract-op + text: abs; url: eqn-abs + + +
+{
+  "ALSPRIVACYANALYSIS": {
+    "title": "Privacy analysis of Ambient Light Sensors",
+    "authors": [
+      "Lukasz Olejnik"
+    ],
+    "href": "https://blog.lukaszolejnik.com/privacy-of-ambient-light-sensors/",
+    "id": "ALSPRIVACYANALYSIS",
+    "date": "31 August 2016"
+  },
+  "PINSKIMMINGVIASENSOR": {
+    "title": "PIN Skimming: Exploiting the Ambient-Light Sensor in Mobile Devices",
+    "authors": [
+      "Raphael Spreitzer"
+    ],
+    "href": "https://arxiv.org/abs/1405.3760",
+    "id": "PINSKIMMINGVIASENSOR",
+    "date": "15 May 2014"
+  },
+  "STEALINGSENSITIVEDATA": {
+    "title": "Stealing sensitive browser data with the W3C Ambient Light Sensor API",
+    "authors": [
+      "Lukasz Olejnik"
+    ],
+    "href": "https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/",
+    "id": "STEALINGSENSITIVEDATA",
+    "date": "19 April 2017"
+  },
+  "VIDEORECOGNITIONAMBIENTLIGHT": {
+    "title": "Video recognition using ambient light sensors",
+    "authors": [
+      "Raphael Spreitzer"
+    ],
+    "href": "https://doi.org/10.1109/PERCOM.2016.7456511",
+    "id": "VIDEORECOGNITIONAMBIENTLIGHT",
+    "publisher": "IEEE",
+    "date": "21 April 2016"
+  }
+}
 
Introduction {#intro} 
@@ -185,14 +233,51 @@ the device environment. Potential privacy risks include: the light levels associated with visited and unvisited links i.e. visited links styled as a block of black screen; white for unvisited. -To mitigate these Ambient Light Sensor specific threats, user agents should -use one or both of the following mitigation strategies: - - limit maximum sampling frequency - - reduce accuracy of sensor readings +Works such as [[ALSPRIVACYANALYSIS]], [[PINSKIMMINGVIASENSOR]], +[[STEALINGSENSITIVEDATA]], and [[VIDEORECOGNITIONAMBIENTLIGHT]] delve further +into these issues. + +To mitigate these threats specific to Ambient Light Sensor, user agents must +reduce accuracy of sensor readings. User agents may also limit +maximum sampling frequency. These mitigation strategies complement the [=mitigation strategies|generic mitigations=] defined in the Generic Sensor API [[!GENERIC-SENSOR]]. +Reducing sensor readings accuracy {#reduce-sensor-accuracy} +----- + +In order to [=reduce accuracy=] of sensor readings, this specification defines +a [=threshold check algorithm=] (the [=ambient light threshold check +algorithm=]) and a [=reading quantization algorithm=] (the [=ambient light +reading quantization algorithm=]). + +These algorithms make use of the [=illuminance rounding multiple=] and the +[=illuminance threshold value=]. Implementations must adhere to the following +requirements for their values: + + - The [=illuminance rounding multiple=] must be at least 50 lux. + - The [=illuminance threshold value=] should be at least half of the + [=illuminance rounding threshold=]. + +Note: Choosing an [=illuminance rounding multiple=] requires balancing not +exposing readouts that are too precise while also providing readouts that are +still useful for API users. 
The value of 50 lux as a minimum for the +[=illuminance rounding multiple=] was determined in GitHub +issue #13 after different ambient light level measurements under different +lighting conditions were gathered + and shown to thwart the attack described in [[STEALINGSENSITIVEDATA]]. 50 +lux is also higher than the 5 lux required to make video recognition using +ambient light sensor readings ([[VIDEORECOGNITIONAMBIENTLIGHT]]) infeasible. + +Note: The [=illuminance threshold value=] is used to prevent leaking the fact +that readings are hovering around a particular value but getting quantized to +different values. For example, if [=illuminance rounding multiple=] is 50, this +prevents switching the illuminance value between 0 and 50 if the raw readouts +switch between 24 and 26. + Model {#model} ===== @@ -218,6 +303,17 @@ Note: The precise lux value reported by different devices in the same light can be different, due to differences in detection method, sensor construction, etc. +The Ambient Light Sensor has an illuminance rounding +multiple, measured in lux, which represents a number whose multiples the +illuminance readings will be rounded up to. + +The Ambient Light Sensor has an illuminance threshold value, +measured in lux, which is used in the [=ambient light threshold check +algorithm=]. + +Note: see [[#reduce-sensor-accuracy]] for minimum requirements for the values +described above. + API {#api} === @@ -264,6 +360,45 @@ Abstract Operations {#abstract-operations} 1. Return |ambient_light_sensor|. +

Ambient light threshold check algorithm

+ +The [=Ambient Light Sensor=] [=sensor type=] defines the following [=threshold +check algorithm=]: + +
+ : input + :: |newReading|, a [=sensor reading=] + :: |latestReading|, a [=sensor reading=] + : output + :: A [=boolean=] indicating whether the difference in readings is + significant enough. + + 1. If |newReading|["illuminance"] is null, return true. + 1. If |latestReading|["illuminance"] is null, return true. + 1. Let |newIlluminance| be |newReading|["illuminance"]. + 1. Let |latestIlluminance| be |latestReading|["illuminance"]. + 1. If [$abs$](|latestIlluminance| - |newIlluminance|) >= [=illuminance + threshold value=], return true. + 1. Otherwise, return false. +
+ +

Ambient light reading quantization algorithm

+ +The [=Ambient Light Sensor=] [=sensor type=] defines the following [=reading +quantization algorithm=]: + +
+ : input + :: |reading|, a [=sensor reading=] + : output + :: A [=sensor reading=] + + 1. Let |quantizedReading| be |reading|. + 1. Set |quantizedReading|["illuminance"] to the multiple of the [=illuminance + rounding multiple=] that |reading|["illuminance"] is closest to. + 1. Return |quantizedReading|. +
+ Automation {#automation} ========== This section extends the [=automation=] section defined in the Generic Sensor API [[GENERIC-SENSOR]]
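Review bot: in the anchors hunk (@@ -49,6 +49,54 @@), `text: latest reading` is added to the GENERIC-SENSOR block, but none of the lines added in this patch link [=latest reading=]. The threshold check algorithm only uses the local variable |latestReading|. Either link the term where the algorithm's |latestReading| input is described, or drop the anchor so the block lists only terms that are actually referenced.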
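Review bot: in the privacy hunk (@@ -185,14 +233,51 @@), the second requirement bullet links [=illuminance rounding threshold=], a term this patch never defines. The Model hunk introduces "illuminance rounding multiple" and "illuminance threshold value" only, so the link will not resolve and the requirement is ambiguous. It should read "should be at least half of the [=illuminance rounding multiple=]", which also matches the note's example (multiple 50, raw readouts 24 and 26).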
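Review bot: in the Model hunk (@@ -218,6 +303,17 @@), the illuminance rounding multiple is described as a number whose multiples the readings "will be rounded up to". That contradicts the quantization algorithm added later, which picks the multiple the reading "is closest to", and the privacy note's example in which a raw readout of 24 becomes 0. Suggest "rounded to" instead of "rounded up to", so the definition does not imply ceiling behaviour.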
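Review bot: in the abstract operations hunk (@@ -264,6 +360,45 @@), step 2 of the ambient light reading quantization algorithm does not say which multiple is chosen when |reading|["illuminance"] is exactly halfway between two multiples (for example 25 with a rounding multiple of 50), so two conforming implementations can report different values for the same raw reading. The step also has no handling for a null illuminance, although the threshold check algorithm in the same hunk treats null explicitly. Suggest stating the tie direction and returning the reading unchanged when illuminance is null. Step 1, "Let |quantizedReading| be |reading|", should also say whether this is a copy, since step 2 then modifies it.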