According to security expert Lukasz Olejnik, the ambient light sensors used in smartphones, tablets and notebooks on a number of browsers could be monitoring and gathering information on their users in ways that compromise their privacy.
The purpose of ambient light sensors is to adjust the brightness of a screen according to the user’s environment. They are able to detect changes in the surrounding light, the user’s position in front of a device, and the direction and mechanics of the user’s motion relative to light sources.
Soon, every web browser will allow a web site to access the ambient light sensors of a device, facilitated by the W3C Ambient Light Sensors API, wrote Olejnik in a blog post. The sites would only need to use a simple piece of code to access all of the data mentioned above.
According to Olejnik, this could compromise users’ privacy in a number of ways. For example, ambient light sensors could map the inside of a building (assuming that light levels could be read accurately, and various rooms were lit differently). It may also be possible to determine the orientation of a house (e.g. the room is always bright in the morning, meaning the windows must be east-facing).
Beyond this, the sensors could potentially discover the size and number of rooms in a house, with this information facilitating the creation of financial profiles on users. These profiles could be aligned with targeted web content, according to Olejnik. He also noted that users’ behavioural patterns could be used to profile, detect, recognise and track them. Examples include the time at which the user works, their preference in lighting and how frequently they move around their house.
Olejnik stated that some of these things are far-fetched, but others may be a reality in the near future. He has recommended that web browsers indicate when the information is accessed on a web site, as well as making the API subject to browser permissions.
“However, even if ambient light sensor is subject to permissions, the direct risks are still relevant on any web sites where the user has granted them,” said Olejnik.
“This information could be hijacked and abused, applied to profile the users and perhaps discriminate against them. It is challenging and interesting to design, create and analyse products with privacy in mind, [considering the] multiple factors that need to be taken into account.”
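The recommendation that the API be subject to browser permissions can be checked from the user's side. The following is an added example, not code from Olejnik's post or the W3C specification: it reports whether a browser context exposes the `AmbientLightSensor` constructor and what the Permissions API says about it. The `env` parameter, the function names and the verdict labels are assumptions of this example.

```javascript
// Added example: audit whether a page context can read the ambient light sensor.
// `env` is a window-like object (pass `globalThis` from a browser console).
// The verdict strings are this example's own labels, not part of any spec.
async function auditLightSensorExposure(env) {
  // The W3C sensor API exposes a constructor named AmbientLightSensor.
  const apiExposed = typeof env.AmbientLightSensor === "function";
  let permission = "unknown"; // no Permissions API available to ask
  const perms = env.navigator && env.navigator.permissions;
  if (perms && typeof perms.query === "function") {
    try {
      const status = await perms.query({ name: "ambient-light-sensor" });
      permission = status.state; // "granted", "prompt" or "denied"
    } catch (err) {
      // Browsers that do not recognise this permission name reject the query.
      permission = "unsupported";
    }
  }
  return { apiExposed, permission, verdict: classify(apiExposed, permission) };
}

// Map the two observations to a single audit verdict.
function classify(apiExposed, permission) {
  if (!apiExposed) return "not-exposed"; // sites cannot construct the sensor
  if (permission === "denied") return "blocked"; // gate exists and is closed
  if (permission === "prompt") return "gated"; // user would be asked first
  if (permission === "granted") return "readable"; // this origin can read lux values
  return "exposed-unverified"; // API present, but no permission gate was observable
}
```

A result of `readable` corresponds to the case in Olejnik's quote, where a site the user has already granted access to can still read the sensor.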