As privacy engineering is getting more and more mature as a field in some settings experts are creating a "privacy checklist" of things to have. It's useful in design, development, and deployment, but also audits. Many useful things could be added to such a list. Of Read More
Is Privacy Sandbox’s Federated Learning of Cohorts leaking information about web browsing history? Let's find out. Federated Learning of Cohorts is computing a SimHash on a user's web browsing history (the lists of visited websites) to obtain the cohort ID. In principle, it is a Read More
Digital web advertising is an ecosystem undergoing strategic changes. Google’s Privacy Sandbox is promising to redesign web advertising technology in ways that will respect user’s privacy, including based on some previous designs. Detailed technically-enabled analysis should wait until more design features are known. In this post I focus Read More
User tracking technologies are ubiquitous on the web. In recent times web browsers try to fight abuses. This led to an arms race where new tracking and anti-tracking measures are being developed. The use of one of such evasion techniques, the CNAME cloaking technique is recently quickly gaining popularity. Our Read More
We may be in the middle of a process of redesigning how the web economy functions. Considerations include web advertisements. Such works involve many actors. Some big platforms. Some web browser vendors. Some ads companies, with a modest list of analysts or researchers keeping a close eye. I believe it’ Read More
There’s a trend of bringing web apps closer to smartphone native apps. You can see it in the increasingly popular Progressive Web Applications (PWAs), web applications that can be installed locally to a smartphone, to subsequently be available to the user just like any other native apps, for example Read More
This post is built around my paper (presented to/at the International Workshop on Privacy Engineering) devoted to privacy assessment in web standards. After the previous one (Battery Status Not Included: Assessing Privacy in W3C Web Standards) this is the next insight in this domain. While I point out the Read More
Magnetometer is a less known sensor. It equips web browsers with the ability to read the magnetic field strength using the built-in magnetometer device sensors and the W3C Magnetometer API. It might be useful in some specific use cases such as peripheral devices (like a gamepad, to control the user’ Read More
Users increasingly encounter moments when a website asks for permission to gather some personal data or access to their device hardware: "Can we access your GPS position? Your microphone or camera? Your Bluetooth? Can we send you push notifications about breaking news or premium chocolate subscription offers?" Permissions, Read More
Interesting proposals of web standards amending the way some aspects of web architecture work emerged from Apple and Google. This marks a pretty unprecedented competition over web architecture. The grand battleground is web standardization. As such it will happen in the open and involve the larger community. Web advertisements are Read More
Welcome to the privacy analysis of Progressive Web Applications. With new features in steady supply, the web is changing in exciting ways. One of the more interesting trends is the concept of Progressive Web Applications (PWA). PWAs use modern and powerful web features to further blur the boundaries between web Read More
Soon every website will be able to know if its visitors have a disability, or not. Well, not quite. That will relate to those who use assistive technologies (i.e. screen readers for vision-impaired), and who gave access for this feature. This thanks to Accessibility Object Model (AOM), a feature Read More
Unsecured ways of web browsing are fading away at accelerating pace. Technically this is done thanks to the increased deployment of HTTPS on the of web. Data indicates that above 70% of websites are now accessed via this secured protocol, those numbers quickly increasing. This is an important milestone in Read More
Simple payment standard will be the new cool thing web browsers can do. This happens thanks to W3C Payment Request API. Early on it has been even featured in the New York Times and rightly so, as it has a big potential. Why? Introduction Chances are that the days of Read More
Websites routinely include third-party hosted resources - images, scripts, stylesheets and so on. It's now a standard practice. One thing to keep in mind is that if your website includes a JavaScript script from another site (example.org): <script src=“https://example.org/CoolLib.js"> Read More
The work on ePrivacy continues and enters a hot period. I’m interested in it from the very beginning, I’m also actively involved in these works, also as a stakeholder. The draft proposal with amendments is now public. Being involved in those works, I’m impressed how good suggestions Read More
In this post we describe and demonstrate a neat trick to exfiltrate sensitive information from your browser using a surprising tool: your smartphone or laptop’s ambient light sensor. In short: 1. We provide background about the light sensor API and current discussions to expose it more broadly to websites. Read More
Designing standards with privacy in mind should be a standard in itself. Historically this was not always the case and the idea of designing systems with privacy is relatively new - it dates from the beginning of this decade. One of the milestones is accepting this view on the IETF Read More
Web Bluetooth - a web API under development, and will be one of the core components of Web of Things, the application layer of Internet of Things. It will enable sensors, beacons and user devices to communicate with each other. But at first: it will enable a web browser to Read More
Ambient Light Sensor is one of the more interesting data sources from privacy point of view. I recently highlighted a number of potential privacy issues in my analysis. I described how the ability to access and track the changes of lighting conditions in the user's environment might contribute Read More
Introduction Smartphones are equipped with a sensor letting the device to detect the brightness levels in their environment (modern sensors are even capable to measure the intensity of green, red and blue lights). The simplest application of the sensor is to adjust the screen's brightness in accordance with Read More
Introduction Privacy risks and threats arise and surface even in seemingly innocuous mechanisms. We have seen it before, and we will see it again. Recently, I participated in a study assessing the risk of W3C Battery Status API. The mechanism allows a web site to read the battery level of Read More
Vibrating devices are a familiar thing. From the era of flip-phones, to vibrations induced by mobile apps. Or websites. [Edit 15/11/19: Firefox is limiting access to Vibration API] Vibration API The mechanism allowing websites to utilize device's vibration motor is called Vibration API. The mechanism allows Read More