Recently a flaw was discovered in the security of the Pixel and the Pixel XL phones that allowed a user to be “tracked”. The good news is that the flaw has already been patched in the AOSP source code and is expected to roll out in the security update due any day now.
The front facing cameras (manufactured by HTC) serial number on the Pixel phones is currently accessible to third party apps. This flaw gives an app the ability to point people to specific devices. The description in the merged commit to the AOSP gives more information:
Restrict access to camera sensor’s serial number
Camera sensor’s serial number, stored in system property htc.camera.sensor.front_SN, appears to change between different devices and could thus facilitate tracking. This commit restricts access to this system property to cameraserver and dumpstate and shell SELinux domains.
The patch thus prevents apps (as well as certain parts of the system) from having readable access to the serial number of the front facing camera. The serial number can still be accessed via ADB though. The patch has apparently been tested and is running correctly without affecting the normal usage of the front facing camera (duckface selfies).
With the January security patch due in the next few days it is expected that this fix will be included with it. Keep an eye out for your OTA security update and let us know when you get it if it does have the fix for this flaw.