Data leakage via ambient light
Yesterday I came across a tweet from Lukasz Olejnik, sharing his work on privacy assessment in web standards – and data leakage via the W3C Ambient Light Sensor API in particular.
TLDR; It deals with a sort of side channel attack: A list of domains is shown on the top of the screen, domain by domain; The background of the page is styled differently (black or white background) depending on whether the link is visited or not; The reflection of this background from the user's facial skin is picked up via the device's ambient light sensors. The user's browsing history can thereby be leaked.
This is a great example of privacy by design!
Check out a video (mp4) of his presentation at the International Workshop on Privacy Engineering – including a POC of the attack – and the paper it's based on.