
Stealing sensitive browser data with the W3C Ambient Light Sensor API (2017) - chrixs
https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
======
tyfon
> There is currently an ongoing discussion within a W3C Device and Sensors
> Working Group whether to allow websites access the light sensor without
> requiring the user’s permission.

Why is this even a thing?

Just make this the same as location or microphone prompts? I never understood
the fear of being transparent or giving choice to users.

I hope at least Firefox has a setting to permanently disable this feature.

~~~
wlesieutre
What a dumb idea. We just wised up and took away the battery API because it
was being used for fingerprinting, and now they want to add more
permissionless hardware info back in.

You just know the argument being made is "Light sensor input changes
frequently enough that it isn't useful for fingerprinting." But history tells
us that literally everything will be used for fingerprinting.

Provides a tiny amount of differentiation to maybe identify particular
devices? Scoop it up!

Or if you're already able to identify a particular person, how about keeping a
persistent log of whether they're indoors or outdoors and aggregating that
from as many different sites as possible? Collect _all_ the data and store it
forever! Maybe it will help sell ads 0.004% more effectively, and there's no
downside!

IMO, whatever amount of risk this carries clearly outweighs the benefit of
websites being able to access my light sensor without asking for permission,
because the value of that is 0.

~~~
throwaway_bad
> But history tells us that literally everything will be used for
> fingerprinting

I don't think you realize how right you are. Fingerprinting is eventually
going to be a lost cause. In 10 years or so, we will have the tech to
fingerprint anyone just by their writing style (some companies even claim to
be able to do this already today). What do you do then? Ban posting stuff
online?

~~~
gruez
> In 10 years or so, we will have the tech to fingerprint anyone just by their
> writing style (some companies even claim to be able to do that already today).

...given a large enough corpus of text. I doubt that you're able to pick up
much from a dozen 1 sentence replies on reddit, for instance. You could even
use some sort of neural network based sentence transformer to scramble the
structure without significantly altering the meaning.

~~~
throwaway_bad
I am not sure it has to be too large.

It only takes 33 bits of information to identify 1 person out of 7 billion.
How many bits did you lose just by talking about neural networks in that one
sentence? How many bits did you lose from the timing/time zone of your
comment? By the language of your comment?

~~~
sokoloff
I imagine that there's a lot of information in the specific cadence of typing,
in addition to the final text.

https://en.wikipedia.org/wiki/Keystroke_dynamics

~~~
gruez
As a low tech solution, you can always compose the contents in a separate
window and paste it in when you're done. Hardened browsers (e.g. Firefox with
resistfingerprinting) can frustrate attempts by throttling key events (key
events get coalesced into 1s/5s/10s intervals).
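
Added example, not part of the original thread and not Firefox's implementation: a model of the key-event coalescing described in the comment above, showing that delivering events only at window boundaries collapses inter-key intervals while the page still learns how many keys fell in each window. The timestamps, function names and the "deliver at end of window" model are assumptions made for illustration.

```javascript
// Constructed sample: keydown times in ms for one typed word (not captured data).
const sampleKeyTimes = [1000, 1120, 1310, 1395, 1720, 1800, 2045, 2150];

// Inter-key intervals are the feature keystroke-dynamics profiling relies on.
function intervals(times) {
  return times.slice(1).map((t, i) => t - times[i]);
}

// Hypothetical coalescing model: a script observes each event only at the
// end of the delivery window it fell into (window size in ms).
function coalesce(times, windowMs) {
  return times.map((t) => Math.ceil(t / windowMs) * windowMs);
}

// What the page still learns after coalescing: number of keys per window,
// i.e. a coarse typing rate.
function keysPerWindow(times, windowMs) {
  const counts = new Map();
  for (const t of coalesce(times, windowMs)) {
    counts.set(t, (counts.get(t) || 0) + 1);
  }
  return [...counts.entries()];
}

// Distinct interval values visible to the page; 1 means no cadence is left.
function distinctIntervals(times) {
  return new Set(intervals(times)).size;
}

// Compare the raw timings (windowMs 0) with each coalescing window.
function report(times, windowsMs) {
  const rows = [{ windowMs: 0, distinct: distinctIntervals(times) }];
  for (const w of windowsMs) {
    rows.push({
      windowMs: w,
      distinct: distinctIntervals(coalesce(times, w)),
      perWindow: JSON.stringify(keysPerWindow(times, w)),
    });
  }
  return rows;
}

console.table(report(sampleKeyTimes, [1000, 5000, 10000]));
```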

~~~
phkahler
This is another browser stupidity. Don't send anything until the submit button
is pressed. It's the browser's job to implement the text edit box and spell
check, not every website.

~~~
jrockway
Being able to see keystrokes in JavaScript is pretty useful for things like
autocomplete. Say you want to send an invoice to "Foo Bar, Inc.". Do you
really want to type that every time? Do you want to type "Foo" and then click
submit, and then be taken to search results? Why make a 700ms task into a 5s
task, especially when you're doing it hundreds of times a day.

There are hardened browsers that will make the script wait for a while to get
the key events. That seems like the right solution; most people using
controlled enterprise apps don't have to deal with huge amounts of input lag,
while people that are paranoid won't be profiled by their typing cadence.

~~~
phkahler
How limiting would it be to have auto complete implemented in the browser?
Probably not quite as nice as Google but still useful.

------
Khaine
I miss the time when web sites were just simple documents.

~~~
onion2k
I don't. The number of people who wanted to publish things online but couldn't
due to the technical barriers was huge. I'd much rather deal with the
complexities of browser security than keep the internet the exclusive domain
of technically-minded nerds. The internet as a platform is _far_ better now
even if the technology that drives it sucks.

------
arjunbajaj
Why not just ask the user for permission for all APIs that interact with
hardware?

Not all apps need it, and the ones who do, should be able to explain why.

The Battery API was removed due to fingerprinting concerns, but a permission-
asking battery API would still be helpful to bring web apps closer to native
apps.

------
milankragujevic
A logical evolution of what I did 5 years ago and other people did before me.
I can only assume what ad networks are doing...

https://news.ycombinator.com/item?id=7863418

Though this one is much cooler :)

------
jakoblorz
That’s insane but kind of valid - maybe restrict access to the light sensor
API to same-origin sources?

~~~
fenwick67
From the article:

> Perhaps the most obvious solution is to require the user to grant permission
> to the website requesting access to the sensor

Which makes sense... a light sensor is really a 1 pixel camera.

------
drdaeman
Can this also be exploited using CSS `@media (prefers-color-scheme: dark)` if
the device's configured to use dark mode in low-light conditions (as opposed
to time-based switching)?

~~~
gen3
That wouldn't work for a lot of people (like me), who have a dark theme on all
the time.

I don't have any statistics to back it up, but most everyone I know just
leaves dark theme on all the time (or, in the case of one, light theme on all
the time).

~~~
duskwuff
Automatic dark mode switching is also usually based on time, not lighting. And
even if it is based on lighting, it usually has a very low temporal resolution
-- if the user is in a dark room with occasional flashes of bright light (say,
a disco), the UI isn't expected to flash in synchrony.

------
IshKebab
I think in practice people would close a website that was flashing the screen
at them in black and white. _Maybe_ you can make it work with a more subtle
change but I bet your signal to noise ratio would be abysmal.

Totally impractical but a neat idea anyway!

