Privacy analysis of Ambient Light Sensors

Introduction

Smartphones are equipped with a sensor letting the device to detect the brightness levels in their environment (modern sensors are even capable to measure the intensity of green, red and blue lights). The simplest application of the sensor is to adjust the screen's brightness in accordance with the environment.

Soon, every web browser will allow a web site to access Ambient Light Sensors of a device. This will be facilitated via the W3C Ambient Light Sensors API. Web designers will be enabled to unleash their creativity. The readout is provided in lux unit.

Ambient Light information is currently provided in modern smartphones, tablets and notebooks (such as MacBook Pro) on a number of web browsers.

Ambient Light Sensor is very interesting from privacy point of view and offers a lot of information, so let's have a look from the privacy engineering perspective.

In this note, I am also introducing my project SensorsPrivacy, which will be covering issues around security and privacy of web and sensors mechanisms. It also has a research angle.

UPDATE: I add more details (with demos) of some of the attacks discussed in this post can be found here.

Details

Ambient Light Sensors use is simple. using the following code, any web site can access it:

window.addEventListener('devicelight', function(event) {
  if(event.value<100) {
   // it's quite dark in here
 } 
  else {
   //More light!
 }
});

There is also a new pattern using Generic Sensors API:

let sensor = new AmbientLightSensor();
sensor.start();
    
sensor.onchange = function(event) {
  if(event.reading.illuminance<100) {
   // it's quite dark in here
 } 
  else {
   //More light!
 }
};

Similarly to proximity sensor, the way mechanism is being used makes little difference for this privacy analysis.

Ambient Light Sensor provides only one readout value: the current illuminance in the direct user environment.

Privacy analysis

Ambient Light Sensors provides rich data about the user. The light level conveys information about the user, the user's environment, the user's behaviour and life patterns. There are several important points, also bringing consequences to Internet of Things and Web of Things.

Information leaks

Ambient Light Sensors may introduce non-obvious and unexpected information leaks. In particular, it could possibly allow to map the inside of a building. This would be feasible provided that (1) ambient light levels could be read with sufficient precision, and (2) assuming that different rooms are lit differently.
Additionally, it might also be possible to detect the orientation of the user's house or apartment (example: it is bright in the morning, so windows face east!).

Potential to profiling

Many entities, such as web advertisements providers, trackers, analytic scripts - also law enforcement - profile users using specialized techniques and for various purposes. Many aspects of users and their behaviours are taken into account.

If it's possible to map the user's home arrangement, this information could be potentially possible to discover its size, number or rooms, etc. Such information is related to the user's financial situation, and consequently it would lead to a profile the user - allowing to assign him to a particular category such as "this user has a large house, he is wealthy". Why not target web content based on this information?

Behavioural analysis

Users behave differently, and users' behavioural patterns can be used to profile, detect, recognize and track them. Example of information that could be conveyed by Ambient Light levels:

  • At what time is the user usually working (night, day)?
  • What lighting conditions does the user prefer?
  • How frequently does the user move in his house?

And so on.

Cross-device aspects

Ambient Light Sensor provides fascinating consequences in presence of other devices (think Internet of Things).

Cross-device linking/tracking

Consider a script on a web site accessing Ambient Light Sensors with sufficient
accuracy. If it's possible to cross-check light sensor readout with a readout of a similar sensor from another device (computer, smartphone, tablet, or other device) it could offer reasoning that those devices reside in the same place (possibly used by the same user), and consequently pair them together. Ultimately this could lead to an non-obvious, unexpected vector of cross-device linking.

Distance tracking

This might be a bit far fetched, but nonetheless it's fascinating. The inverse square law allows to compute the distance between the light detector and a light emitting object via the following equation: d=sqrt(L / 4*pi*B), where L (luminosity) is roughly constant for a light source, and B (brightness) is obtained from the sensor. Consequently - light level convey information about the device's movement.

Cross-device communication

Verbose readout of Ambient Light Sensor data could be used to receive messages emitted by other nearby devices. Imagine one device flashing with its screen or LED in a previously-established manner, another reading those. This applies especially to the Internet and Web of Things paradigm, where number of devices is large.

Technical look on Ambient Light Sensor

Firefox and Chrome

One of the core issues central to technological aspects of privacy engineering are identifiers.
Sometimes, software is developed in a way that reveals too much about the user's system. Sometimes this is formed from tiny, possibly even innocuous data snippets. But it turns out those may introduce interesting consequences when this data can be used as identifiers. I encountered a similar situation during privacy analysis of the
Battery API. It turns out that Ambient Light Sensor implemented on certain systems is affected with a similar issue.

Firefox Mobile under Android provides a too verbose readout of illuminance. It is not possible to justify providing precise floating point values of illuminance.

Physically and practically, there is no difference between the following values of illuminance in lux:

  • 1 and 1.333
  • 13 and 13.9376983642578125

This means that the browser is providing data of the following type (real readouts):

75.2131500244140625 lx
435.8228149414062500 lx
548.1655883789062500 lx
13 lx
14 lx
13.9376983642578125 lx
12.9482421875000000 lx

Browsers should round those values to reduce the possible surface of identification and limit the risks of using Ambient Light to track users on the Web. This can be safely done without reducing any usability of sensor data. I have filled an appropriate Firefox bug report.

As of today, Firefox Mobile for Android has received between 1 and 5 millions of downloads.
In any case, users wishing to disable Ambient Light Sensors can browse set an about:config setting device.sensors.enabled to false.

Additionally, I observed an identical issue on a development version (54.0.2839.0) of Chromium browser under Android. I reported this issue to Chrome.

Another issue is perhaps more esoteric.
The type and quality of illuminance depends on factors such as hardware design and software implementation. Quality of data may differ among software and hardware. Those differences can then be potentially used to distinguishing between users, identifying, deidentifying, fingerprinting and/or tracking users.

How come? Example: if the frequency of readout, the maximum and minimum reported values of ambient light readouts varies among the user's devices (smartphones, laptops, etc.) this would result in a clear privacy risk.

How to simply verify this? By comparing multiple setups of same software and hardware configurations. Under similar conditions I placed two generations of MacBook Pro, one from 2012 and the other from 2014 year. Both the frequency, the current, maximum and minimum detected values of illuminance differed interestingly among them. This means that illuminance was an identifier.

It is very hard, challenging and complex to design systems with all this in mind.

Demonstration - SensorsPrivacy.com

Ambient Light Sensor use is demonstrated on my SensorsPrivacy project. You see how the sensor readout changes in response to environmental changes by visiting this project page. It currently works best on Firefox Mobile under Android, and modern notebooks such as Mac Book Pro. You also have an option to help in privacy research by agreeing to provide sensor readout from your device.

Recommendations

For these and other reasons, the readout of Ambient Light Sensors should be protected. For example:

  • Offer a discrete readouts of a limited number of values, e.g. between "dark" and "brightly lit". Similarly to Media Queries Level 4 light-level feature.
  • Web browsers should indicate when the information is accessed on a web site.
  • making the API subject to browser permissions. Fortunately, this will be the case, while the version with a small number of discrete values (similar to the one described above) will be provided by a different browser mechanism.

However, even if Ambient Light Sensor is subject to permissions, the direct risks are still relevant on any web sites where the user has granted them. Especially since the nature of the web means that all scripts included on a site have access to a sensor. It is thus also required to work on the transparency layer.

Summary

Lighting conditions in the user's surrounding convey rich and sensitive data describing users and their behavior. This information could be hijacked and abused, applied to profile the users and perhaps discriminate them.

That's why web standards and APIs are designed and implemented with privacy in mind.

It is challenging and interesting to design, create and analyse products with privacy in mind, as multiple factors need to be taken into account.