Rapid changes to incoming light can provide information about a user's surroundings that can lead to fingerprinting and side-channel attacks on user privacy.
As an example, a light switch can be flipped in a room, causing the lighting estimation of two users in the same room to simultaneously change. If the precise time of the change can be observed by the sites, it can be inferred that the two users are co-located in the same physical space.
Another example occurs when a nearby monitor is playing a video, such as an advertisement. The light from the display reflects off many surfaces in the room, contributing to the observed ambient light estimate. A timeline of light intensity changes can uniquely identify the video that is playing, even if the monitor is not in direct line-of-sight to the XR device sensors.
The lighting-estimation specification should require temporal filtering of the light estimation to avoid such attacks. A low-pass filter effect can be achieved by averaging the values over the last several seconds. For single scalar values representing light intensity or color, such as XRLightProbe.indirectIrradiance
this can be applied directly. SH's have a convenient property that they can be summed and interpolated by simply interpolating their coefficients, assuming their orientation is not changing.
After temporal filtering, the values should be quantized. Any vectors, such as XRLightProbe.primaryLightDirection
should be quantized in 3d space and always return a unit vector.
The lighting estimation should describe the needed quantization and temporal filtering for all members in the webidl.