[Bug 20965] EME results in a loss of control over security and privacy.

https://www.w3.org/Bugs/Public/show_bug.cgi?id=20965

--- Comment #7 from Henri Sivonen <hsivonen@iki.fi> ---
(In reply to comment #6)
> I do not believe that having a unique key or cookie is, in and of itself, a
> violation of privacy.

Exposing the same unique value to all sites is enough of an enabler of privacy
violations that it should be addressed.

> Having such a key that the user cannot exercise any
> control over seems like a problem. I would expect CDMs to be subject to the
> same constraints that browsers are today, i.e. they should provide a
> "private" mode where such information is not retained and provide mechanisms
> for the user to remove such information if it already exists.

Private browsing modes primarily address privacy relative to other users of the
same computing device that the browser runs on. They either aren't or are less
about addressing privacy relative to the sites that are accessed or relative to
third parties whose components (typically ads) are included on the sites.

Especially addressing privacy relative to third parties (such as ad
aggregators) is an issue that browsers seek to address in their normal mode of
operation without requiring the user to enter a private browsing mode. For
example, Safari, by default, outside the private browsing mode, tries to avoid
honoring third-party cookies. Therefore, the issue of each CDM installation
having unique key material whose uniqueness is detectable by Web sites is the
kind of issue browsers care about addressing in the normal mode of operation.

Persistently storing content keys/licenses to last beyond the end of the
current browsing session would be the kind of thing that would need addressing
in order to address privacy relative to other users of the same computing
device that the browser runs on. However, to the extent EME is meant to be
about streaming, it should be possible to make EME or its CDMs not use
permanent storage for content keys/licenses. (If the implementors of EME or
CDMs are planning on addressing non-streaming use cases that involve writing
content keys/licenses in permanent storage, I think it would be good for them
to speak up about their intentions.)

> There is
> nothing in the EME specification that prevents compliance with good privacy
> practices.

EME should have some kind of privacy considerations section that points out the
risks and suggests remedies so that each implementor doesn't need to discover
the problems independently.


Received on Wednesday, 20 February 2013 06:54:07 UTC
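The cross-site linkability that comment #7 objects to (the same unique value exposed to every site) can be made concrete with a small simulation. This is an added illustration, not code from the bug report, from the EME specification or from any CDM: `DEVICE_SECRET` is a constructed placeholder, `global_identifier` models a hypothetical CDM that hands every origin the same value, and `origin_scoped_identifier` models one possible remedy of the kind a privacy considerations section might suggest (deriving a per-origin value with HMAC so that two origins, or an ad aggregator embedded in both, cannot match values). The aggregator logic is a constructed stand-in for the third-party linking described in the comment.

```python
import hashlib
import hmac

# Constructed placeholder for the per-installation secret a hypothetical CDM holds.
# Not a real key; any 32 bytes would do for the simulation.
DEVICE_SECRET = bytes.fromhex("0f" * 32)


def global_identifier(device_secret: bytes, origin: str) -> str:
    """Hypothetical CDM behaviour the comment warns about: every origin
    receives the same installation-unique value, so the origin is ignored."""
    return hashlib.sha256(device_secret).hexdigest()


def origin_scoped_identifier(device_secret: bytes, origin: str) -> str:
    """Hypothetical mitigation (assumed, not from the spec): derive a value that
    is stable for one origin but unrelated across origins. Without the device
    secret, no party can check whether two per-origin values share an origin."""
    return hmac.new(device_secret, origin.encode("utf-8"), hashlib.sha256).hexdigest()


def linked_identifiers(records: list[tuple[str, str]]) -> set[str]:
    """Stand-in for a third party (e.g. an ad aggregator) that is embedded on
    several sites and receives (origin, identifier) pairs from each of them.
    Returns the identifiers it can join across more than one origin."""
    origins_by_identifier: dict[str, set[str]] = {}
    for origin, identifier in records:
        origins_by_identifier.setdefault(identifier, set()).add(origin)
    return {ident for ident, origins in origins_by_identifier.items() if len(origins) > 1}


def simulate(identifier_fn) -> set[str]:
    """Run one browser installation against two constructed origins that both
    embed the same aggregator, and report what the aggregator can link."""
    origins = ["https://news.example", "https://shop.example"]  # constructed
    records = [(origin, identifier_fn(DEVICE_SECRET, origin)) for origin in origins]
    return linked_identifiers(records)


if __name__ == "__main__":
    print("global identifier, linkable values:", simulate(global_identifier))
    print("origin-scoped identifier, linkable values:", simulate(origin_scoped_identifier))
```

With the global scheme the aggregator sees one value on both origins and can join the two visits; with the origin-scoped scheme it sees two unrelated values. The scoped value is still stable for a single origin across calls, which is what a licensing site legitimately needs, and it still identifies the installation to that origin, so it addresses the cross-site case only; whether the secret itself persists across sessions is the separate, same-device question the comment raises.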