Battery status not included: Assessing privacy in web standards

Lukasz Olejnik, Steven Englehardt, Arvind Narayanan

Research output: Contribution to journalConference article

1 Scopus citations

Abstract

The standardization process is core to the development of the open web. Until 2013, the process rarely included privacy review and had no formal privacy requirements. But today the importance of privacy engineering has become apparent to standards bodies such as the W3C as well as to browser vendors. Standards groups now have guidelines for privacy assessments, and are including privacy reviews in many new specifications. However, the standards community does not yet have much practical experience in assessing privacy. In this paper we systematically analyze the W3C Battery Status API to help inform future privacy assessments. We begin by reviewing its evolution-the initial specification, which only cursorily addressed privacy, the discovery of surprising privacy vulnerabilities as well as actual misuse in the wild, followed by the removal of the API from major browser engines, an unprecedented move. Next, we analyze web measurement data from late 2016 and confirm that the majority of scripts used the API for fingerprinting. Finally, we draw lessons from this affair and make recommendations for improving privacy engineering of web standards.

Original languageEnglish (US)
Pages (from-to)17-24
Number of pages8
JournalCEUR Workshop Proceedings
Volume1873
StatePublished - Jan 1 2017
Event3rd International Workshop on Privacy Engineering, IWPE 2017 - San Jose, United States
Duration: May 25 2017 → …

All Science Journal Classification (ASJC) codes

  • Computer Science(all)

Fingerprint Dive into the research topics of 'Battery status not included: Assessing privacy in web standards'. Together they form a unique fingerprint.

  • Cite this