W3C home > Mailing lists > Public > public-media-capture@w3.org > October 2015

Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations

From: Harald Alvestrand <harald@alvestrand.no>
Date: Thu, 29 Oct 2015 23:55:57 +0100
To: Mike O'Neill <michael.oneill@baycloud.com>, 'Eric Rescorla' <ekr@rtfm.com>
Cc: 'Rigo Wenning' <rigo@w3.org>, 'Martin Thomson' <martin.thomson@gmail.com>, "'public-privacy (W3C mailing list)'" <public-privacy@w3.org>, 'Mathieu Hofman' <Mathieu.Hofman@citrix.com>, 'Nick Doty' <npdoty@w3.org>, public-media-capture@w3.org
Message-ID: <5632A3FD.4020407@alvestrand.no>
On 10/29/2015 04:29 PM, Mike O'Neill wrote:
>
> So what would be a reasonable default, somewhere between a few hours
> and eternity?
>

If it's easy to discover that the permission has been given and revoke
it, I don't see a problem with "lifetime of browser profile" (which is
slightly shorter than "eternity").

In addition to the revocation available through the camera icon, Chrome
has implemented clearing all permissions if an user clears cookies for a
domain; the assumption is that if the user clears cookies, he's likely
to want all relationships with that domain to "start from zero".


>  
>
> Mike
>
>  
>
>  
>
> *From:*Eric Rescorla [mailto:ekr@rtfm.com]
> *Sent:* 29 October 2015 07:17
> *To:* Mike O'Neill <michael.oneill@baycloud.com>
> *Cc:* Rigo Wenning <rigo@w3.org>; Martin Thomson
> <martin.thomson@gmail.com>; public-privacy (W3C mailing list)
> <public-privacy@w3.org>; Mathieu Hofman <Mathieu.Hofman@citrix.com>;
> Harald Alvestrand <harald@alvestrand.no>; Nick Doty <npdoty@w3.org>;
> public-media-capture@w3.org
> *Subject:* Re: Comments/Questions on Media Capture Streams – Privacy
> and Security Considerations
>
>  
>
> There's really not much point in having a a persistent permission for
> camera
>
> and microphone that is measured in hours, because that means that the
>
> vast majority of times when people want to use these devices (like one
>
> video call every day or two) they will be prompted for permission.
>
>  
>
> -Ekr
>
>  
>
>  
>
> On Thu, Oct 29, 2015 at 4:08 PM, Mike O'Neill
> <michael.oneill@baycloud.com <mailto:michael.oneill@baycloud.com>> wrote:
>
>     Even when there is a visual indication people can miss it or not
>     understand
>     what it is . Given the sensitivity of having a "hot" mike/camera,
>     persistent
>     permissions should also have an expiry so even if people are
>     unaware of them
>     they will not be there for perpetuity.
>
>     In general all permissions should have an expiry in my view, with the
>     duration reported when the permission is requested. (i.e. this
>     should be
>     part of the permissions API, not just MediaCapture). Those that
>     are less
>     sensitive may have a longer duration but MediaCapture should be
>     relatively
>     short (hours?).
>
>
>     Mike
>
>
>
>     -----Original Message-----
>     From: Rigo Wenning [mailto:rigo@w3.org <mailto:rigo@w3.org>]
>     Sent: 29 October 2015 06:52
>     To: Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>>
>     Cc: Martin Thomson <martin.thomson@gmail.com
>     <mailto:martin.thomson@gmail.com>>; public-privacy (W3C mailing
>     list) <public-privacy@w3.org <mailto:public-privacy@w3.org>>;
>     Mathieu Hofman <Mathieu.Hofman@citrix.com
>     <mailto:Mathieu.Hofman@citrix.com>>;
>     Harald Alvestrand <harald@alvestrand.no
>     <mailto:harald@alvestrand.no>>; Nick Doty <npdoty@w3.org
>     <mailto:npdoty@w3.org>>;
>     public-media-capture@w3.org <mailto:public-media-capture@w3.org>
>     Subject: Re: Comments/Questions on Media Capture Streams – Privacy and
>     Security Considerations
>
>     On Thursday 29 October 2015 15:37:12 Eric Rescorla wrote:
>     > On Thu, Oct 29, 2015 at 3:35 PM, Rigo Wenning <rigo@w3.org
>     <mailto:rigo@w3.org>> wrote:
>     > > On Thursday 29 October 2015 15:04:05 Eric Rescorla wrote:
>     > > > Chrome and Firefox do both of the two things listed in this
>     quoted
>     block
>     > > >
>     > > > 1. Inform the user that the devices are hot.
>     > >
>     > > Ok, in this case I can understand that if one has a visual
>     indication
>     that
>     > > mic
>     > > and camera are "on" the need for an additional prompt is
>     somewhat moot.
>     > >
>     > > > 2. Provide mechanisms for revoking consent.
>     > >
>     > > This is then a question of usability. Is clicking on the visual
>     indication
>     > > allowing to revoke the consent/permission?
>     >
>     > Yes, generally.
>
>     In this case, my earlier criticism was based on insufficient
>     information. I
>     think this does what it is supposed to do. I still think that
>     persistent
>     (forever) permissions are a mistake. But this is mitigated by the
>     fact that
>     the browser indicates when mic and camera are "on".
>
>      --Rigo
>
>  
>


-- 
Surveillance is pervasive. Go Dark.
Received on Thursday, 29 October 2015 22:56:36 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 29 October 2015 22:56:36 UTC