Re: Bug 23934 - Proposal: Always launch permission prompt to avoid leakage

On 12/11/13 5:27 AM, Eric Rescorla wrote:
> On Wed, Dec 11, 2013 at 6:16 PM, Adam Bergkvist
> <adam.bergkvist@ericsson.com> wrote:
>> I think there's more to this than only protecting against fingerprinting.
> Perhaps, but the only argument I have heard for why this needs to
> be a specification requirement is fingerprinting.

We're adding to the pool of hardware information being disclosed quite significantly. The fingerprint-battle-is-lost argument seems to assume no inherent value in this additional information, other than to produce a finer print. In general I would say the more you know, the more you know. At what point does it become about the privacy lost from the information itself?

Quiz (yes / no):

Is it reasonable for all webpages to know I have a camera?
Is it reasonable for all webpages to know what cameras I have?
Is it reasonable for all webpages to know how I've configured my cameras?

> This is a programming environment and it's not the browser's job to displace the programmer.

This is also the malicious programmer's environment. Sure, the mental shift to the installed app is seductive, and we must compete, but I may have punched a monkey to get here.

getUserMedia() is a funny API already in that it may wait forever, because it is primarily about user access, an odd API for other queries. If we didn't care about fingerprinting, then clearly this would have been superior to it:

   // returns immediately.
   var device = pickUserDevice({sourceId: "Logitech NightStalker Extreme 5000"});
   if (device)
     device.getMediaAccess(success, fail);

So at some point we passed the signpost for < Fingerprintville || Privacy City > and collectively we at least didn't turn left (we're somewhere in the weeds).

We also invented a declarative mini-language expressive enough for an app to describe its desired camera on the first try. Why?

Here's where I think apps are being greedy now:
1. A probing API is not needed to pick a better camera.
2. Optional constraints give consented access to the user's best camera for probing.
3. A probing API is only needed to learn whether the user is holding out.

I say #3, because you should already be providing an experience for the user who doesn't have a camera, and it should be no less rich than for the user who doesn't want to share their camera. Why make me unplug it?

While I have great sympathy for apps today having to socially engineer around the fact that many people don't see the UA doorhangers, those are ultimately UA bugs, and we should fix those bugs, not design APIs to satisfy "big pointy click-here arrow" workarounds IMHO.

.: Jan-Ivar :.
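Added example, not part of the post above or of any WebRTC implementation: points #2 and #3 of the message argue that an app should describe its preferred camera in the constraints it passes to getUserMedia() and then treat "no camera" and "user declined" as the same outcome, rather than probing devices first. The code below does that with the current constraint syntax (`deviceId`/`facingMode` with `ideal`; the 2013 thread used `optional`/`sourceId`). The getUserMedia function is injected so the logic runs outside a browser; `mockUA` and the error names it raises are constructed stand-ins for UA behaviour, and `buildConstraints`, `classifyOutcome` and `requestCamera` are names chosen here.

```javascript
// Build a constraints object that states the preferred camera up front.
// Every field is an "ideal" hint, so the UA may pick another camera rather
// than fail; the app gets one consented stream, never a device list.
function buildConstraints({ facingMode, deviceId, width, height } = {}) {
  const video = {};
  if (facingMode) video.facingMode = { ideal: facingMode };
  if (deviceId) video.deviceId = { ideal: deviceId };
  if (width) video.width = { ideal: width };
  if (height) video.height = { ideal: height };
  return { video: Object.keys(video).length ? video : true, audio: false };
}

// Rejections that mean "the user is holding out" and "there is no camera"
// fold into one state, so the page cannot tell them apart. Both the spec
// names (NotAllowedError, NotFoundError) and the legacy Chrome names
// (PermissionDeniedError, DevicesNotFoundError) are covered.
const UNAVAILABLE = new Set([
  "NotAllowedError", "PermissionDeniedError",
  "NotFoundError", "DevicesNotFoundError",
]);

function classifyOutcome(err) {
  if (!err) return "granted";
  if (UNAVAILABLE.has(err.name)) return "unavailable";
  return "failed"; // e.g. NotReadableError, OverconstrainedError: a real fault
}

// getUserMedia is injected so this runs in Node as well as in a page, where
// it would be: requestCamera(c => navigator.mediaDevices.getUserMedia(c), prefs)
async function requestCamera(getUserMedia, prefs) {
  try {
    const stream = await getUserMedia(buildConstraints(prefs));
    return { state: "granted", stream };
  } catch (err) {
    return { state: classifyOutcome(err), stream: null };
  }
}

// Constructed stand-in for the UA: resolves with a fake stream, or rejects
// with an error carrying the given name.
function mockUA(outcome) {
  return async () => {
    if (outcome === "granted") return { id: "stream-1", getTracks: () => [] };
    const err = new Error(outcome);
    err.name = outcome;
    throw err;
  };
}

async function demo() {
  const outcomes = ["granted", "NotAllowedError", "NotFoundError", "NotReadableError"];
  for (const o of outcomes) {
    const r = await requestCamera(mockUA(o), { facingMode: "user" });
    console.log(o.padEnd(18), "->", r.state);
  }
}
if (typeof require !== "undefined" && require.main === module) demo();
```

The app's UI branches only on `state`: "granted" renders the stream, "unavailable" renders the camera-less experience the message says should exist anyway, and "failed" is the one case worth a diagnostic. Nothing in this flow reveals whether a camera is plugged in.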

Received on Wednesday, 11 December 2013 18:18:12 UTC