-
Notifications
You must be signed in to change notification settings - Fork 410
Spec: Define sensitive information and user intent #757
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
Pulls a lot of text directly out of privacy-security-explainer.md to define some of the various terms necessary to discuss user consent and the data that it protects.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Looking forward to the algorithmic updates for the other sections!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comments below. There are some specific requirements in the privacy & security explainer around user profiling and fingerprinting data protections, wasn't sure whether you wanted to include those here or in a new PR?
index.bs
Outdated
|
||
In the context of XR, <dfn>sensitive information</dfn> includes, but is not limited to, user configurable data such as interpupillary distance (IPD) and sensor-based data such as {{XRPose}}s. All {{XRSessionMode/"immersive-vr"}} and {{XRSessionMode/"immersive-ar"}} sessions will expose some amount of sensitive data, due to the user's pose being necessary to render anything. However, in some cases, the same sensitive information will also be exposed via {{XRSessionMode/"inline"}} sessions. | ||
|
||
Trustworthy Documents and Origins {#trustworthy-documents} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
TIL that the term "potentially trustworthy" has an established meaning within secure contexts. Any concerns about using similar terminology in WebXR? Sorry @NellWaliczek that I didn't catch this before.
-------------- | ||
|
||
Given that the API describes hardware available to the user and its capabilities it will inevitably provide additional surface area for fingerprinting. While it's impossible to completely avoid this, steps can be taken to mitigate the issue. This spec limits reporting of available hardware to only a single device at a time, which prevents using the rare cases of multiple headsets being connected as a fingerprinting signal. Also, the devices that are reported have no string identifiers and expose very little information about the devices capabilities until an XRSession is created, which may only be triggered via user activation in the most sensitive case. | ||
Given that the API describes hardware available to the user and its capabilities it will inevitably provide additional surface area for fingerprinting. While it's impossible to completely avoid this, user agents should take steps to mitigate the issue. This spec limits reporting of available hardware to only a single device at a time, which prevents using the rare cases of multiple headsets being connected as a fingerprinting signal. Also, the devices that are reported have no string identifiers and expose very little information about the devices capabilities until an XRSession is created, which requires additional protections when [=sensitive information=] will be exposed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There are explicit requirements for user agents to anonymize values which may be unique to the device. Do you want to call out those scenarios here? For reference, those requirements apply to:
- XRPose data, when based on underlying raw sensor data (to avoid fingerprinting sensor calibration data)
- Factory-configured data including IPD or screen geometry data
- User-configured data including IPD, viewer height, or display locations for CAVE systems
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, sensitive data that could be used for user profiling does not appear to be addressed. Will that be in a different PR?
Sensitive Information {#sensitive-information-header} | ||
--------------------- | ||
|
||
In the context of XR, <dfn>sensitive information</dfn> includes, but is not limited to, user configurable data such as interpupillary distance (IPD) and sensor-based data such as {{XRPose}}s. All {{XRSessionMode/"immersive-vr"}} and {{XRSessionMode/"immersive-ar"}} sessions will expose some amount of sensitive data, due to the user's pose being necessary to render anything. However, in some cases, the same sensitive information will also be exposed via {{XRSessionMode/"inline"}} sessions. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do you want to include information about data that could be used to profile the user (e.g. viewer height, IPD data?)
Pulls a lot of text directly out of privacy-security-explainer.md to
define some of the various terms necessary to discuss user consent and
the data that it protects. This PR does not include several things from
the privacy explainer such as the restrictions on pose data and data
mitigation strategies. I expect to address them in a follow-up PR.