Include Known Gyroscope Privacy Exposures in Gyroscope Document

[jasonanovak]

At the review of the Sensors API at TPAC 2017, PING and the Sensors WG discussed including known privacy exposures for a given sensor, e.g. the use of the gyroscope as a microphone, in the W3C specification for that specific sensor as opposed to incorporating the exposure by reference. The goal of doing so is that an implementer of the specific sensor API would see the specific privacy exposure — and mitigations — for a sensor in the spec for that sensor API.

In the case of gyroscope, that would entail incorporating a reference to the risk of a gyroscope acting as a microphone, e.g. https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-michalevsky.pdf. For mitigations, the proposed mitigations in the Generic Sensor API specification could be brought over or referenced.

[anssiko]

Proposed resolution: Generic Sensor API incorporates an eavesdropping section that references the paper you provided, see https://w3c.github.io/sensors/#eavesdropping

@jasonanovak, thank you for your review comments. If PING has any further questions or comments, please let us know. If we don't hear from you we assume you're fine with the proposed resolution.

[anssiko]

For the record, here's a summary of changes the group did to resolve this issue:

• Noted the eavesdropping attack in the Generic Sensor API: https://w3c.github.io/sensors/#eavesdropping
• Added a new informative reference: [GYROSPEECHRECOGNITION] https://w3c.github.io/sensors/#biblio-gyrospeechrecognition
• Added mitigations to https://w3c.github.io/gyroscope/#security-and-privacy proposed by papers: [KEYSTROKEDEFENSE], [TOUCHSIGNATURES] and [ACCESSORY]
• Linked https://w3c.github.io/sensors/#eavesdropping from Gyroscope: https://w3c.github.io/gyroscope/#security-and-privacy