iwcg privacy update
play

IWCG Privacy Update 26.10.2018 TPAC, Lyon Agenda 15m - High-level - PowerPoint PPT Presentation

Mar 26, 2024 •167 likes •487 views

IWCG Privacy Update 26.10.2018 TPAC, Lyon Agenda 15m - High-level overview of documented threat vectors and potential mitigations based on issues and explainer at Privacy & Security repo

  1. IWCG Privacy Update 26.10.2018 TPAC, Lyon

  2. Agenda 15m - High-level overview of documented threat vectors and potential mitigations … based on issues and explainer at Privacy & Security repo https://github.com/immersive-web/privacy-and-security 15m - Questions and Discussion

  3. What is WebXR? API that allows sites to build virtual and augmented reality experiences. Provides an API for determining device orientation for rendering purposes, and exposes new types of real-world data for augmented reality. For VR, allows scenes to be rendered in a headset (+smartphone +desktop) For AR, allows rendering of virtual objects into the real world ● On screen-based displays, manages camera rendering… ● … and supports non-screen displays such as transparent HMDs

  4. Privacy Approach The privacy & security repo documents patterns for web-based XR threat vectors. Specifically - What are the threat vectors if a site has access to a data type - What are considerations and potential mitigations Focus of this presentation: Mitigations unique to the threat vector / data type. E.g. User consent is always a potential mitigation

  5. Threat vectors Considered thus far.. ● Perception of camera access ● Access to real-world geometry ● Object identification ● Permissions ● Pose (device orientation) and frame of reference data

  6. Perception of Camera Access

  7. Why does it matter? In AR, on screen-based devices the user may think the site has access to the camera… even if the site doesn’t.

  8. Perception of Camera Access Threat Vector #1… without actual camera access 1. A malicious site could create an AR session where the user agent displays the camera (and nothing else); 2. A smartphone user could visit that site, be presented with a front-camera view, potentially capturing a compromising situation; 3. The user would likely close the camera view, quickly; 4. The site could then say “Thank you for that picture! We’ll add to the public gallery. Please pay our $10 membership fee to control who can see the picture.” Threat Vector #2… without actual camera access 1. The user is using an optically see-through device; 2. A malicious 2D web page - without access to camera data - recognizes that it is on an optically see-through device (e.g. detecting through CSS that it is on an additive display); 3. The page renders a camcorder viewfinder with a blinking REC indicator in the corner (e.g. on an additive display, the viewfinder could be filled with black pixels, and would thus show the real world). This would make it appear that the web page can record real world imagery, even though it can’t. Mitigation: Clear communication to the user about site access to camera data

  9. Real-World Geometry Data

  10. Why does it matter? New web APIs allow sites to access 3D geometry that represents the user’s physical environment.

  11. Threat Vectors ● Personally Identifying Information ○ Face analysis ○ Embossed credit card # ● Fingerprinting ○ Room geometry ● Location ○ If near a known location (e.g. geometry of eiffel tower) ○ Independent of GPS sensors (and thus possibly without permission for geolocation) ● Physical security ○ Map out inside of private, secure area; get geometry of a door key

  12. Threat Vectors ● Profiling ○ Income estimation (size of house, valuable items) ○ User height (from ground plane) ○ Determine previously visited places based on what geometry is available ○ Even bounding boxes can be used for profiling, context ● Historical geometry / Session Data Privacy ○ Some AR systems have geometry from before the user’s current session ■ May allow analysis of where the user has previously been (e.g. historical path analysis) ○ Others merge geometry from the session into larger planes

  13. Potential Mitigations Throttling & Precision: Not clear what value this will bring, because ● Lower precision hurts the user experience ● Multiple sessions can merge inaccurate data to infer ground truth ● Low-resolution data still has threat vectors ○ But: Users can visualize low-resolution data; that may be a useful policy tool Filtering: User agent can limit geometry access: ● E.g. Only allow access to what is seen in the current session ● But: May need AR sub-system to cooperate (e.g. geometry behind wall) Clearing data: Where supported can prevent historical geometry being shared

  14. Object Identification

  15. Why does it matter? It’s useful in augmented reality for the site to be able to identify 2D images or 3D objects. But: The user may not know what’s being looked for. Bottle of water

  16. Threat Vectors (Object Identification) ● Location ○ Storefronts, QR codes, street signs, configurations of objects ● Profiling ○ Income estimation (particularly dangerous if location is known) ● Compromising info ○ E.g. Embarrassing imagery or objects ● User Safety / Obscuring ○ Put user in a dangerous situation, e.g. covering a stop sign or a hole in the ground ○ Put others in a dangerous situation, e.g. make it look like someone else holds a gun ○ Embarrassing situations, e.g. insert inflammatory images during a negotiation

  17. Object Identification Possible Mitigations ● Throttling ○ Limit # of objects or images the site can identify ● User visibility ○ Allow the user to see what the site is looking for ● No access to object position ○ Prevent site from actually knowing where in the user’s space an object was located ○ However, even the existence of an object may be enough for a bad actor ● Composition rules : UA prevents obscuring important objects ○ E.g. a “safe field” where the user always sees the real world

  18. Permissions

  19. Permissions AR uses a lot of sensors and data! Considerations for web permissions: ● Permission fatigue ● Ambiguity and complexity: What is the site doing exactly? ● Persistent or long-running permissions beyond scope of session Possible mitigations ● Time-limited permissions ● Session-scoped ‘modes’ (e.g. AR Mode) ○ Flexibility: Could either ask for consent, or give notification, or both depending on data access ○ Clear scope: User agent has more UX flexibility to inform the user clearly ○ Enforcement: Only the data permitted is allowed, and only during the session

  20. Pose and Frame of Reference Data (This is still a WIP…)

  21. Access to Pose and Frame of Reference Data Sites can access: ● Pose of viewer or device: Position and Orientation ○ Note: Position is real-world scale, but is not a real-world location ● Floor height, space bounds On a variety of devices and in various contexts ● Immersive (HMDs) ● Inline ○ On phone ○ On desktop/laptop ○ In HMD while 2D browsing

  22. Threat Vectors ● Gaze Tracking ○ What is user looking at? ● Input sniffing ○ When: Input ⇒ Device Orientation / Motion ⇒ Pose ○ This has been demonstrated to read PINs on mobile devices at 20Hz ○ May be possible on desktop/laptop (keyboard) or HMDs (gaze inputs, virtual keyboards) ● Profiling ○ Using: Bounds, Floor Height, Action Analysis (e.g. walking) ● Fingerprinting ○ Using: Bounds, Floor Height, Gait Analysis ● Location ○ May be possible to identify specific location based on trajectory or path ○ Example: Recognizing pattern of major roadways, recognizing pathways of a campus

  23. WebXR Modes, Implied Threats Mode (>> Submode) Available Data Implied Threat Vectors frameOfRef = NULL None None Stationary >> position-disabled Orientation Input sniffing Stationary >> eye-level Orientation, Position Input sniffing, Location, Profiling, Gaze, Fingerprinting Stationary >> floor-level Orientation, Position, Floor Level Input sniffing, Location, Profiling, Gaze, Fingerprinting Bounded Orientation, Position, Region Input sniffing, Location, Profiling, bounds, Floor Level Gaze , Fingerprinting Unbounded Orientation, Position Input sniffing, Location, Profiling, Gaze , Fingerprinting

  24. Potential Mitigations Input Sniffing ● Focused & Visible ● Restrict pose data to: ○ Same origin only (i.e. pose data only provided to same-origin elements) ○ Single-origin only (i.e. only one origin can have pose data at a time) ● Secure context ● Feature policy ● User consent

  25. … more generally... Potential mitigations similar to Generic Sensor API ● Focused & Visible ● Same origin only ● Secure context only ● Feature policy ● User consent (as appropriate)

  26. Potential Mitigations Location ● Limit position ranges based on frame of reference (e.g. bounded, stationary) ● User consent (e.g. unbounded) Non-solutions ● Data throttling ● Errors or rounding ● Inline vs. exclusive

  27. Potential Mitigations Gaze Tracking ● No position (orientation only) ● Only give pose when user is looking at inline element ● … or only when user is looking at page (when inline) ● Blur when a frame is not focused

  28. Potential Mitigations Fingerprinting ● Data errors / rounding (for bounds) ○ E.g. Restrict bounds to rectangle only ● Fixed position (for gait) Profiling ● Restrict bounds data to rectangle ○ Harder to determine room type

  29. Join the conversation! https://github.com/immersive-web/privacy-and-security

  30. Q&A

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

GLOBAL PRIVACY & CYBERSECURITY UPDATE View PDF | Forward | Subscribe | Subscribe to RSS |

GLOBAL PRIVACY & CYBERSECURITY UPDATE View PDF | Forward | Subscribe | Subscribe to RSS |

Global Privacy & Cybersecurity Update Issue 21 | February 2019 Jones Day GLOBAL PRIVACY & CYBERSECURITY UPDATE View PDF | Forward | Subscribe | Subscribe to RSS | Related Publications United States | Latin America | Europe | Asia |

257 views • 15 slides
$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides
The Platform for Privacy Preferences ( P3 P) December 2000 Update A user empowerment approach

The Platform for Privacy Preferences ( P3 P) December 2000 Update A user empowerment approach

The Platform for Privacy Preferences ( P3 P) December 2000 Update A user empowerment approach Marc Langheinrich ETH Zurich APPEL Subgroup Chair P3P Working Group Outline P3P December 2000 Update Platform for Privacy Preferences ! What

914 views • 55 slides
The Platform for Privacy Preferences (P3P) February 2000 Update A user empowerment approach

The Platform for Privacy Preferences (P3P) February 2000 Update A user empowerment approach

The Platform for Privacy Preferences (P3P) February 2000 Update A user empowerment approach Marc Langheinrich ETH Zurich P3P Preference Group Chair Outline P3P February 2000 Update Platform for Privacy Preferences Policy Background

761 views • 37 slides
DRIVERS PRIVACY PROTECTION ACT (DPPA) UPDATE Wisconsin Department of Justice Office of the

DRIVERS PRIVACY PROTECTION ACT (DPPA) UPDATE Wisconsin Department of Justice Office of the

DRIVERS PRIVACY PROTECTION ACT (DPPA) UPDATE Wisconsin Department of Justice Office of the Attorney General Office of Open Government State Bar of Wisconsin Public Records, Open Meetings Update September 7, 2016 Drivers Privacy

657 views • 20 slides
October 2011 This Client Alert is a monthly update on privacy and information management

October 2011 This Client Alert is a monthly update on privacy and information management

October 2011 This Client Alert is a monthly update on privacy and information management developments as posted on Hunton & Williams Privacy and Information Security Law Blog. If you would like to receive email alerts when new posts are

278 views • 5 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

Presentation Slides $ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

429 views • 13 slides
CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies US Privacy Laws Sources: Baase: A Gift of Fire and Quinn: Ethics for the Information Age Ethics Spring 2010 Privacy 1 Privacy The original

725 views • 45 slides
Access and Privacy Update Renee Barrette, Director of Policy Lauren Silver, Policy Analyst

Access and Privacy Update Renee Barrette, Director of Policy Lauren Silver, Policy Analyst

Access and Privacy Update Renee Barrette, Director of Policy Lauren Silver, Policy Analyst Information and Privacy Commissioner of Ontario AMCTO Zone 4 Spring Meeting May 2, 2017 Our Office The Information and Privacy Commissioner (IPC)

485 views • 46 slides
Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is

1.01k views • 76 slides
Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in

Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in

Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in many ways over the years. Usually privacy is concerned with the individual human being. We may talk about privacy as the control over your own

230 views • 21 slides
Engineering privacy by design Privacy by Design Let's have it! Information and Privacy

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy Commissioner of Ontario https://www.ipc.on.ca/images/resources/7foundationalprinciples.pdf Privacy by Design Let's have it! Article 25 European

1.32k views • 118 slides
Anonymity & Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy.

Anonymity & Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy.

Anonymity & Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy. College Bescherming Persoonsgegevens (CBP) What is privacy? Users must be able to determine for themselves when, how, to what extent and

798 views • 45 slides
Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics

Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics

ECE598NB Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics Course Structure Privacy Define privacy Privacy History Privacy has always existed Cities / large populations have made

173 views • 14 slides
Web Tracking (Continued) Side Channels Autumn 2018 Tadayoshi (Yoshi) Kohno

Web Tracking (Continued) Side Channels Autumn 2018 Tadayoshi (Yoshi) Kohno

CSE 484 / CSE M 584: Computer Security and Privacy Web Tracking (Continued) Side Channels Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John

737 views • 40 slides
Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking Mateusz j00ru Jurczyk REcon 2017, Montreal Alternative title (cheers Alex Ionescu!) Memory Disclosure Alternative title KERNELBLEED Agenda

1.7k views • 140 slides
Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets October 22, 2016 October

Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets October 22, 2016 October

Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets October 22, 2016 October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 1 Who am I? Dipl.-Inf. Matthias Deeg Expert IT Security Consultant CISSP, CISA, OSCP, OSCE

1.09k views • 81 slides
SemanticModeling Aquerylanguageforthe21 st century CliffordHeath

SemanticModeling Aquerylanguageforthe21 st century CliffordHeath

SemanticModeling Aquerylanguageforthe21 st century CliffordHeath Semantics Thesharedmeaningsofacommunity Expressedinfacts Here,amodelis: Standardforcomparison

969 views • 53 slides
Virtualised USB Fuzzing using QEMU and Scapy Breaking USB for Fun and Profit Tobias Mueller (c)

Virtualised USB Fuzzing using QEMU and Scapy Breaking USB for Fun and Profit Tobias Mueller (c)

Intro Fuzzing Results Virtualised USB Fuzzing using QEMU and Scapy Breaking USB for Fun and Profit Tobias Mueller (c) 2015, CC-BY-SA 3.0 2015-10-01 1 / 25 Intro Fuzzing Results 1 Intro Motivation USB Architecture 2 Fuzzing Obtaining

416 views • 23 slides
ACCESSIBILITY Is it another checkbox to be ticked? By Ann Mwangi CROSS FUNCTIONAL REQUIREMENTS

ACCESSIBILITY Is it another checkbox to be ticked? By Ann Mwangi CROSS FUNCTIONAL REQUIREMENTS

U S E R E X P E R I E N C E ACCESSIBILITY Is it another checkbox to be ticked? By Ann Mwangi CROSS FUNCTIONAL REQUIREMENTS 2 WHY ACCESSIBILITY Over 4 million people in Australia have some form of disability. That's 1 in 5 people. (ABS)

516 views • 22 slides
Micro Processor & Controller Organization Organization Outline Outline Project Examples

Micro Processor & Controller Organization Organization Outline Outline Project Examples

Micro Processor & Controller Organization Organization Outline Outline Project Examples CPU 8, 16, 32 Bits FPU General Architecture of Computer CPU - MEM - I/O Peripheral Memory Hierarchy Main Memory

254 views • 13 slides
Hiding @ Depth: Exploring & Subverting NAND Flash memory Josh m0nk Thomas (A DARPA CFT

Hiding @ Depth: Exploring & Subverting NAND Flash memory Josh m0nk Thomas (A DARPA CFT

Hiding @ Depth: Exploring & Subverting NAND Flash memory Josh m0nk Thomas (A DARPA CFT Project by MonkWorks, LLC) RIP 4.1.13 - Long Live CFT Thx Mudge Saturday, June 22, 13 My Path, And You Can Too! Saturday, June 22, 13 My Path,

379 views • 16 slides

More recommend