Re: [mediacapture-main] Spec does no handle fingerprinting related to exposing non default capture devices (#559)

> devices might appear/disappear frequently and might be related to user activities.

Inserting or unplugging a USB device *is* user activity, much like a user pressing a key. Use `onkeypress` for the latter, and `navigator.mediaDevices.ondevicechange` for the former, [with limitations](https://w3c.github.io/mediacapture-main/getusermedia.html#mediadevices) like:

When inactive or not in focus (unless there's active gum or ["device-info"](https://w3c.github.io/permissions/#dom-permissionname-device-info) permission), we MUST defer firing. Otherwise, we "MAY add fuzzing on the timing of events to avoid cross-origin activity correlation."

> a. never granted capture access: number of devices are exposed. can change over time.

Note that there are [mitigations](https://bugzilla.mozilla.org/show_bug.cgi?id=1397978) that prevent polling of *enumerateDevices()*, to prevent it being used to simulate the `devicechange` event. Therefore, the limitations I mention above also apply to *enumerateDevices()* and your (a) here. Specifically, the (a) ability does not extend to background tabs, unless they have active gum or "device-info" permission.

> b. granted capture access once: number of devices are exposed and individual device presence can be tracked.

Known device presence is already leaked by `OverconstrainedError`. See [this demo](https://jsfiddle.net/jib1/n0scjq18/).

Therefore, in this case, the exposure of *enumerateDevices()* matches that of *getUserMedia()* itself.

> Why not making this kind of behavior the default then?

Trade-offs. `privacy.resistFingerprinting` removes all ability to pick non-default devices in Firefox. There's also a philosophical/product question whether it is possible to make a significant dent in fingerprinting without breaking web compat, so I think it is up to implementations how to productize and innovate in this area.

For the record, I'm encouraged by Safari innovating here. I'm merely opposed to changing the spec to make such implementation "easier", which is why I referenced our work. In my view, the spec already outlines the web compat requirements. I outlined earlier how I think it could be done compatibly (assuming I understand what you're attempting):
 1. Before grant: Expose two devices (two, at least initially ephemeral, unique random ids)
 2. After grant: Expose any additional devices (and their ids) & fire devicechange event.
 3. Treat all ids the same.
 4. Make decision on whether to support ids that JS may push to local storage, in future sessions (spec says you MUST, I don't know how you can get around this).

This would be indistinguishable from a user inserting several devices at once, and seems web compatible.

Additionally, if you wanted to protect users without devices, you could add fake devices that always fail, at some cost (users with a camera and no mic or vice versa would probably have a hard time).

If you plan to remove *enumerateDevices()* entirely, then I question the value of that, given my earlier points about *getUserMedia()* and *devicechange*.

-- 
GitHub Notification of comment by jan-ivar
Please view or discuss this issue at https://github.com/w3c/mediacapture-main/issues/559#issuecomment-456598662 using your GitHub account

Received on Tuesday, 22 January 2019 23:08:05 UTC