W3C home > Mailing lists > Public > public-media-capture@w3.org > October 2012

Device enumeration, Fingerprinting and other privacy risks

From: Dominique Hazael-Massieux <dom@w3.org>
Date: Wed, 10 Oct 2012 09:59:49 +0200
Message-ID: <1349855989.10507.38.camel@cumulustier>
To: public-media-capture@w3.org
Hi,

During yesterday's call, we had some discussion around whether we needed
to worry about allowing any Web page to enumerate audio/video capture
devices without any permission request.

One argument traditionally brought against that was that enumerations
(in general) provide potentially a lot of bits for "fingerprinting",
thus allowing to passively identify a user or a device via its unique
combination of enumerated values.

Anant in the call brought up the fact the Web App Sec Working Group had
apparently given up on fighting fingerprinting, with the co-chair of
that group qualifying it as W3C's rough consensus:
http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0048.html

As per my ACTION-10, I've gotten in touch with Brad to clarify that
statement; I think it is fair to say that the qualification of statement
as rough consensus is probably premature, or at least untested. Brad has
generously offered to organize and lead a session during the upcoming
TPAC day on this very topic:
https://www.w3.org/wiki/TPAC2012/SessionIdeas#Is_user_agent_Fingerprinting_a_lost_cause.3F

I also wanted to mention another privacy risk induced by AV device
enumeration: getting a list of all the AV devices a user own does not
only allow to identify the user passively, it also leaks potentially a
lot of information about the user: for instance, if the user owns an
expensive set of AV capture devices, a Web site could assume the user is
wealthy, and thus start to offer its goods or services with a higher
price tag.

Dom
Received on Wednesday, 10 October 2012 08:00:03 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 16:15:02 GMT