From 1d1ad4d45c96ddfd17aee3c66a12a4df707a0fce Mon Sep 17 00:00:00 2001 From: Raphael Kubo da Costa Date: Wed, 15 Dec 2021 17:08:42 +0100 Subject: [PATCH] Mandate that illuminance readings be rounded; require threshold value check. Related to #63, which says the granularity of the data exposed by Ambient Light Sensors should be specified normatively. This commit goes a bit further and specifies the two anti-fingerprinting measures currently implemented by Chrome -- namely, not only are illuminance values rounded but there's also a threshold value check to avoid storing values that are too close to the latest reading (and both are necessary). We first define a few values: - An "illuminance threshold value" of at least 50lx. - An "illuminance rounding multiple" of at least 50lx. These values are then used in the following algorithms: - The "threshold check algorithm" checks that the difference between new and current illuminance values is above the illuminance threshold value. - `AmbientLightSensor.illuminance`'s getter returns values that are rounded to the closest multiple of the illuminance rounding multiple. --- index.bs | 76 ++++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 69 insertions(+), 7 deletions(-) diff --git a/index.bs b/index.bs index 82c7703..5e49fd8 100644 --- a/index.bs +++ b/index.bs @@ -49,6 +49,12 @@ urlPrefix: https://w3c.github.io/sensors/; spec: GENERIC-SENSOR text: mock sensor type text: MockSensorType text: mock sensor reading values + text: threshold check algorithm + text: latest reading + text: reading change threshold +urlPrefix: https://tc39.es/ecma262/; spec: ECMA-262 + type: abstract-op + text: abs; url: eqn-abs Introduction {#intro} 
@@ -185,14 +191,33 @@ the device environment. Potential privacy risks include: the light levels associated with visited and unvisited links i.e. visited links styled as a block of black screen; white for unvisited. -To mitigate these Ambient Light Sensor specific threats, user agents should -use one or both of the following mitigation strategies: - - limit maximum sampling frequency - - reduce accuracy of sensor readings +To mitigate these Ambient Light Sensor specific threats, user agents must +reduce accuracy of sensor readings. User agents may also limit +maximum sampling frequency. These mitigation strategies complement the [=mitigation strategies|generic mitigations=] defined in the Generic Sensor API [[!GENERIC-SENSOR]]. +Reducing sensor readings accuracy {#reduce-sensor-accuracy} +----- + +In order to [=reduce accuracy=] of sensor readings, this specification defines +an [=ambient light threshold check=] algorithm and dictates that the +{{AmbientLightSensor/illuminance}} attribute getter must return a rounded +value. + +Note: these two mitigation measures complement each other. An implementation +that only executes the [=ambient light threshold check=] algorithm would return +illuminance values that are too precise, while an implementation that only +rounded up the illuminance values could provide attackers with information +about more precise readings when values are rounded to a different value. + +The [=illuminance threshold value=] used by the [=ambient light threshold +check=] algorithm must be at least 50. + +The [=illuminance rounding multiple=] used by the +{{AmbientLightSensor/illuminance}} attribute must be at least 50. + Model {#model} ===== 
@@ -218,6 +243,39 @@ Note: The precise lux value reported by different devices in the same light can be different, due to differences in detection method, sensor construction, etc. +The Ambient Light Sensor has an illuminance threshold value, +measured in lux, which represents the [=reading change threshold=] for new +readings to be stored in the [=latest readings=] map. + +The Ambient Light Sensor has an illuminance rounding +multiple, measured in lux, which represents a number whose multiples the +illuminance readings will be rounded up to. + +Note: see [[#reduce-sensor-accuracy]] for minimum requirements for the values +described above. + +

Ambient Light threshold check

+ +The [=Ambient Light Sensor=] [=sensor type=] defines the following [=threshold +check algorithm=]: + +
+ : input + :: |newReading|, a [=sensor reading=] + :: |latestReading|, a [=sensor reading=] + : output + :: A [=boolean=] indicating whether the difference in readings is + significant enough. + + 1. Let |newIlluminance| be |newReading|["illuminance"]. + 1. If |newIlluminance| is null, return true. + 1. Let |latestIlluminance| be |latestReading|["illuminance"]. + 1. If |latestIlluminance| is null, return true. + 1. If [$abs$](|latestIlluminance| - |newIlluminance|) >= the [=illuminance + threshold value=], return true. + 1. Otherwise, return false. +
+ API {#api} === @@ -237,9 +295,13 @@ To construct an {{AmbientLightSensor}} object the user agent must invoke the ### The illuminance attribute ### {#ambient-light-sensor-reading-attribute} -The illuminance attribute of the {{AmbientLightSensor}} -interface represents the [=current light level=] and returns the result of invoking -[=get value from latest reading=] with `this` and "illuminance" as arguments. +The {{AmbientLightSensor/illuminance}} getter steps are: + +1. Let |rawIlluminance| be the result of invoking [=get value from latest + reading=] with [=this=] and "illuminance" as arguments. +1. Let |illuminance| be the multiple of the [=illuminance rounding multiple=] + that |rawIlluminance| is closest to. +1. Return |illuminance|. Abstract Operations {#abstract-operations} ===================
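Review bot: In the `@@ -185,14` hunk (new section "Reducing sensor readings accuracy"), both minimums are stated as a bare number: "must be at least 50". The commit message gives them as 50lx and the model text in the following hunk says both values are measured in lux, so the normative sentences should read "at least 50 lux" to keep the requirement self-contained where implementers will look for it.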
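Review bot: In the `@@ -218,6` hunk, the definition of the illuminance rounding multiple says readings "will be rounded up to" its multiples, while the getter steps in the last hunk select the multiple that |rawIlluminance| "is closest to" and the commit message also says "closest multiple". Rounding up and rounding to nearest expose different values, so the spec should use one wording throughout; the Note in the security section ("only rounded up the illuminance values") has the same mismatch. Suggest "rounded to" in both places.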
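Review bot: In the `@@ -237,9` hunk, step 2 of the illuminance getter does not say what happens when |rawIlluminance| is null, although the threshold check algorithm in the previous hunk explicitly treats a null "illuminance" entry as possible. Add a step such as "If |rawIlluminance| is null, return null" before the rounding step. Step 2 also leaves the result undefined when |rawIlluminance| lies exactly halfway between two multiples; state which multiple is chosen so that implementations expose the same value.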