TY - JOUR
T1 - Battery status not included
T2 - 3rd International Workshop on Privacy Engineering, IWPE 2017
AU - Olejnik, Lukasz
AU - Englehardt, Steven
AU - Narayanan, Arvind
N1 - Funding Information:
ACKNOWLEDGMENTS We would like to thank Hadley Beeman (W3C TAG), Mar-cos Caceres (Mozilla) and Anssi Konstiainen (Intel) for help and useful feedback. Englehardt and Narayanan are supported by NSF award CNS 1526353. Measurements were funded with an AWS Cloud Credits for Research grant.
PY - 2017
Y1 - 2017
N2 - The standardization process is core to the development of the open web. Until 2013, the process rarely included privacy review and had no formal privacy requirements. But today the importance of privacy engineering has become apparent to standards bodies such as the W3C as well as to browser vendors. Standards groups now have guidelines for privacy assessments, and are including privacy reviews in many new specifications. However, the standards community does not yet have much practical experience in assessing privacy. In this paper we systematically analyze the W3C Battery Status API to help inform future privacy assessments. We begin by reviewing its evolution-the initial specification, which only cursorily addressed privacy, the discovery of surprising privacy vulnerabilities as well as actual misuse in the wild, followed by the removal of the API from major browser engines, an unprecedented move. Next, we analyze web measurement data from late 2016 and confirm that the majority of scripts used the API for fingerprinting. Finally, we draw lessons from this affair and make recommendations for improving privacy engineering of web standards.
AB - The standardization process is core to the development of the open web. Until 2013, the process rarely included privacy review and had no formal privacy requirements. But today the importance of privacy engineering has become apparent to standards bodies such as the W3C as well as to browser vendors. Standards groups now have guidelines for privacy assessments, and are including privacy reviews in many new specifications. However, the standards community does not yet have much practical experience in assessing privacy. In this paper we systematically analyze the W3C Battery Status API to help inform future privacy assessments. We begin by reviewing its evolution-the initial specification, which only cursorily addressed privacy, the discovery of surprising privacy vulnerabilities as well as actual misuse in the wild, followed by the removal of the API from major browser engines, an unprecedented move. Next, we analyze web measurement data from late 2016 and confirm that the majority of scripts used the API for fingerprinting. Finally, we draw lessons from this affair and make recommendations for improving privacy engineering of web standards.
UR - http://www.scopus.com/inward/record.url?scp=85027853115&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85027853115&partnerID=8YFLogxK
M3 - Conference article
AN - SCOPUS:85027853115
SN - 1613-0073
VL - 1873
SP - 17
EP - 24
JO - CEUR Workshop Proceedings
JF - CEUR Workshop Proceedings
Y2 - 25 May 2017
ER -