My work touches multiple dimensions: research, technology, standards and technology policy. One of the aspects of my security and privacy research involvement are the study of sensors privacy - and especially sensors exposed to websites via web browsers. The practical outcome of this work are privacy analyses of Web APIs. I made some of them available here on this blog.

In case of Battery Status API, the identified https://blog.lukaszolejnik.com/battery-status-readout-as-a-privacy-risk/ (i.e. tracking, fingerprinting, data leaks) resulted in web browsers changing the way the information is provided, limiting the access to the API, or purging it entirely, as in the case of Firefox and WebKit. This purge of an entire API was pretty unprecedented.

Another subjects of my focus were Proximity API, and Ambient Light Sensor API (also here), notably in the context of the profiling or data leaks risk. In the case of the latter - with a demonstration of stealing web browsing history.

Firefox limiting access to sensors

Now Firefox has decided to limit access to some (now obsolete) APIs enabling the readout of proximity and light level status, and disabling them by default.

The appropriate notes can be found here, here and here. The actual patch is here. Firefox is disabling devicelight, deviceproximity, userproximity events, citing privacy concerns. Access to these APIs will be behind a user-controlled flag, which is good. This will come with Firefox 62.

I am naturally happy with that decision - this is definitely a step in the right direction. However, I also hope that these flags will also encompass the modern mechanisms based on the Sensors API: the actual Ambient Light Sensor API or Proximity Sensor API.

Summary

Privacy research is often a painful and long-term journey. Effective impact can be seen well beyond the timeframes of some of the traditional research activities, understood as conference or journal papers. It takes time. For example, the original Battery Status API privacy analysis has been made public in 2015, and the actual action made at the end of 2016 and 2017. In case of sensors privacy analyses, I spent time on these and published reports in 2016 and 2017.

Privacy engineering and privacy by design take time. But with the changing attitudes, including the shift of the engineering and organizational cultures and standards, tied with regulatory landscape, this time will likely decrease at some point. We are not just there yet.