- From: Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>
- Date: Wed, 22 Jun 2016 14:53:16 +0000
- To: "public-media-capture@w3.org" <public-media-capture@w3.org>
Hi all,

this relates to Issue #359 [1] where it is proposed to change "MUST" clear deviceIds at end of browsing session (given that the origin has never been allowed to use a camera or microphone) to "MAY". We would like to understand if there is support for making such a change.

Background:
-----------

We’ve for a long time had the requirement that deviceIds (note that any deviceId is always per origin) are to be persisted between sessions. This enables the application to (by using enumerateDevices) check if the preferred devices (camera, microphone, headset) are available, and if so ask for those devices in getUserMedia and so on, in the interest of a good user experience. (Needless to say all persisted deviceIds must always be cleared if the user decides to clear "cookies and other persisted site data" (the spec should probably be even clearer on this).)

As a result of the Privacy Interest Group (PING) review we had to change this a bit since persisting the deviceIds is a very big fingerprint [2]. The compromise reached [3] was that the UA should not be allowed to persist deviceIds until the user has at least once given the origin access to at least one device (camera or microphone). If this has not happened the current deviceIds would only be valid until the end of the current browsing session. The motivation for this is quite clear: if they are not cleared, any web site, without any intention to ask for the use of microphone or camera, could add a perfect fingerprint by doing enumerateDevices, and the user is unable to detect or inspect this (since it is not a cookie).

What the spec essentially says is:

- If the origin has never been given access to a camera or microphone the browser MUST clear deviceIds at the end of the current browsing session
- If the origin has at least once been given access to a camera or microphone the browser MUST persist deviceIds (so they remain the same at later browsing sessions for this origin)

Unfortunately the interpretation of "browsing session" initially varied. Most read it as "until the tab is closed or navigated to another origin", but some as "until the browser is closed"; it has later been clarified that the first interpretation is the valid one.

[1] also reports from some testing done with Chrome, Edge and Firefox (e.g. [4], [5], [6]). The results show that (at the time of the test) none of them are fully spec compliant (but all come close). More specifically those tests show that Chrome and Firefox currently fail on the part "MUST clear deviceIds" (however, the Chrome team has acknowledged that Chrome is not spec compliant and is planning to fix this [7], and for Firefox a patch making it spec compliant is available [8]) while Edge fails on the part "MUST persist deviceIds".

Change proposal that has been brought forward
---------------------------------------------

In [1] there is a proposal that the spec should change: instead of (given that the origin has never been given access to a microphone or camera) "deviceIds MUST be cleared at the end of the browsing session" it is in [1] proposed to change this to "deviceIds MAY be cleared at the end of the browsing session". The motivation as we understand it is that persisted deviceIds are similar to cookies and should thus be treated as such, and also that it would not worsen privacy since a site can already use a cookie to identify a returning user.

We see issues with such a change: deviceIds are not the same as cookies, for example they do not show up if the user inspects cookies. So persisting deviceIds even if the origin has not been given (or even asked for) access to a microphone or camera would be a privacy problem, and with the proposed change we would open up for browsers to do this. It would also break something we have agreed with PING on and we would have to return to that discussion.

Question:
---------

We would like to know if there is strong support for changing the spec (so far only one person has expressed that view) as described here. We think the spec as is now strikes a reasonable balance between usability and privacy, and it has been discussed with and approved by PING, and if there is not strong support for the proposed change we will consider what the spec currently says as the group’s consensus.

Erik, Harald and Stefan

[1] https://github.com/w3c/mediacapture-main/issues/359
[2] https://lists.w3.org/Archives/Public/public-media-capture/2015Jun/0042.html
[3] https://lists.w3.org/Archives/Public/public-media-capture/2015Jul/0004.html
[4] https://github.com/w3c/mediacapture-main/issues/359#issuecomment-222127313
[5] https://github.com/w3c/mediacapture-main/issues/359#issuecomment-223008440
[6] https://github.com/w3c/mediacapture-main/issues/359#issuecomment-223297039
[7] https://bugs.chromium.org/p/webrtc/issues/detail?id=5967
[8] https://bugzilla.mozilla.org/show_bug.cgi?id=1223773
Received on Wednesday, 22 June 2016 14:55:02 UTC