Skip to main content

Battery Status Not Included: Assessing Privacy in Web Standards

Author(s): Olejnik, Lukasz; Englehardt, Steven; Narayanan, Arvind

Download
To refer to this page use: http://arks.princeton.edu/ark:/88435/pr1052f
Abstract: The standardization process is core to the development of the open web. Until 2013, the process rarely included privacy review and had no formal privacy requirements. But today the importance of privacy engineering has become apparent to standards bodies such as the W3C as well as to browser vendors. Standards groups now have guidelines for privacy assessments, and are including privacy reviews in many new specifications. However, the standards community does not yet have much practical experience in assessing privacy. In this paper we systematically analyze the W3C Battery Status API to help inform future privacy assessments. We begin by reviewing its evolution — the initial specification, which only cursorily addressed privacy, the discovery of surprising privacy vulnerabilities as well as actual misuse in the wild, followed by the removal of the API from major browser engines, an unprecedented move. Next, we analyze web measurement data from late 2016 and confirm that the majority of scripts used the API for fingerprinting. Finally, we draw lessons from this affair and make recommendations for improving privacy engineering of web standards.
Publication Date: 2017
Citation: Olejnik, Lukasz, Steven Englehardt, and Arvind Narayanan. "Battery Status Not Included: Assessing Privacy in Web Standards." In 2017 International Workshop on Privacy Engineering (2017): pp. 17-24.
Pages: 17 - 24
Type of Material: Conference Article
Journal/Proceeding Title: 2017 International Workshop on Privacy Engineering
Version: Author's manuscript



Items in OAR@Princeton are protected by copyright, with all rights reserved, unless otherwise indicated.