Re: Device orientation/motion events privacy issues

2017-09-22 Thread Blair MacIntyre
>>> We discussed this a bit with Anne on IRC. It seems like this API is a good >>> use case for a permission prompt to the user. Since the API works by >>> registering an event listener, the only realistic option seems to be >>> Permission.request() before registering the event listeners. Unf

Re: Device orientation/motion events privacy issues

2017-09-22 Thread Ehsan Akhgari
On 09/22/2017 11:33 AM, Blair MacIntyre wrote: What's the reason for this? I don't know for sure, but it may be necessary for things like AR/VR to have higher resolution than that. The reason is to limit the frequency of sensor data the web application receives to allow it to guesstimate the c

Re: Device orientation/motion events privacy issues

2017-09-22 Thread Anne van Kesteren
On Fri, Sep 22, 2017 at 4:50 PM, Ehsan Akhgari wrote: > We discussed this a bit with Anne on IRC. It seems like this API is a good > use case for a permission prompt to the user. Since the API works by > registering an event listener, the only realistic option seems to be > Permission.request()

Re: Device orientation/motion events privacy issues

2017-09-22 Thread James Willcox
On Fri, Sep 22, 2017 at 8:39 AM, Ehsan Akhgari wrote: > Hi everyone, > > A couple of weeks ago, this proof of concept attack circled its way around > Twitter: > > https://krausefx.github.io/whats-the-user-doing/ > > This simple web app, once loaded on mobile, with a disturbing degree of > accurac

Re: Device orientation/motion events privacy issues

2017-09-22 Thread Blair MacIntyre
>> What's the reason for this? I don't know for sure, but it may be necessary >> for things like AR/VR to have higher resolution than that. > The reason is to limit the frequency of sensor data the web application > receives to allow it to guesstimate the changes to the device position to > limi

Re: Device orientation/motion events privacy issues

2017-09-22 Thread Ehsan Akhgari
On 09/22/2017 10:20 AM, James Willcox wrote: On Fri, Sep 22, 2017 at 8:39 AM, Ehsan Akhgari wrote: Hi everyone, A couple of weeks ago, this proof of concept attack circled its way around Twitter: https://krausefx.github.io/whats-the-user-doi

Re: Device orientation/motion events privacy issues

2017-09-22 Thread Ehsan Akhgari
On 09/22/2017 09:53 AM, Tom Ritter wrote: On Fri, Sep 22, 2017 at 8:39 AM, Ehsan Akhgari wrote: * Ensure that we don't leak this information when fingerprinting resisting is turned on for the Tor Browser if we don't already. Tor sets device.sensors.enabled to false, which should disable the

Re: Device orientation/motion events privacy issues

2017-09-22 Thread Tom Ritter
On Fri, Sep 22, 2017 at 8:39 AM, Ehsan Akhgari wrote: > * Ensure that we don't leak this information when fingerprinting > resisting is turned on for the Tor Browser if we don't already. Tor sets device.sensors.enabled to false, which should disable these events. (If that's not the case, we'd l

Device orientation/motion events privacy issues

2017-09-22 Thread Ehsan Akhgari
Hi everyone, A couple of weeks ago, this proof of concept attack circled its way around Twitter: https://krausefx.github.io/whats-the-user-doing/ This simple web app, once loaded on mobile, with a disturbing degree of accuracy, can tell what the user is doing with their phone, for example, using