device calibration of accelerometers may reveal precise hardware fingerprint

[npdoty]

This paper focuses on orientation sensors, but also notes a similar risk in accelerometer sensors for at least some devices:
Zhang, Jiexin, Alastair R. Beresford, and Ian Sheret. “SensorID: Sensor Calibration Fingerprinting for Smartphones.” In 2019 IEEE Symposium on Security and Privacy (SP), 638–55. San Francisco, CA, USA: IEEE, 2019. https://doi.org/10.1109/SP.2019.00072.

High-resolution reporting of accelerometer values may provide an attacker access to the factory-set calibration of the sensor, which is a persistent, cross-origin identifier allowing for device fingerprinting. This is a serious privacy concern.

Based on related concerns noted in device orientation, specifying a particular rounding threshold for this API may mitigate the threat for all (or almost all) devices. Paul Jensen recommends rounding to 0.1 m/s^2. Currently the spec doesn't speak to precision, except through use of the double datatype.

This is a separate attack from the AccelPrint work that's already been cited in the Generic Sensor API, but it's possible the attack and potential mitigations are related. (The AccelPrint paper doesn't seem to quite get into what all the sources of the fingerprint are or what methods are sufficient mitigation.)

[reillyeon]

Discussed at the TPAC 2024 F2F. We think this and #57 are the same issue. @anssiko will be resolving that issue by adding a normative requirement similar to the mitigation in [DEVICE-ORIENTATION].