[Bug 20965] EME results in a loss of control over security and privacy.

https://www.w3.org/Bugs/Public/show_bug.cgi?id=20965

--- Comment #9 from Henri Sivonen <hsivonen@iki.fi> ---
(In reply to comment #8)
> [steele] Can you suggest some text that we could add to the spec?

## Privacy

### Persistent uniquely identifying key material in the CDM

If the Key System involves key material unique to a particular computer or
device that the CDM runs on (e.g. device keys permanently included in the
hardware and unique to a particular device instance as opposed to common to a
device model or unique keys assigned to a particular computer during CDM
installation or setup of a software CDM), it is possible to use these unique
values to track users across multiple sites and over time by serving users a
trivial media file (e.g. a minimal-length audio file consisting of silence)
that triggers needkey and/or keymessage events with CDM-specific messages that
show evidence of the possession of the unique key material.

When the user agent is to fire a needkey or keymessage event whose message
contains information that can be used for uniquely identifying a particular
device or computer and the user has not already authorized the origin of the
needkey or keymessage event handlers to receive such uniquely identifying
information, the user agent should display a non-modal notification asking for
the user to authorize the exposure of uniquely identifying information to the
origin of the needkey and keymessage event handlers and the user agent should
defer the delivery of the needkey or keymessage event until the user authorizes
the exposure of uniquely identifying information. If the user chooses to
dismiss the notification without authorizing the exposure of uniquely
identifying information, the user agent should fire a keyerror event in place
of a keymessage event or an error event in place of a needkey event, stop
further processing of the media element (until next media load on the element)
and discard the deferred needkey or keymessage event. (XXX specify error codes
in the previous sentence.)

Note: The circumstances that require user authorization can be avoided by using
key material that is common to a large number of devices or computers (e.g.
common for a given version of the CDM that's installed on a large number of
devices or computers) and/or by using key material that is randomly generated
upon need, specific to the origin of the needkey and keymessage event handlers
and discarded after the user navigates away from the origin or at the end of
the user agent session at the latest.

### Persistently stored data

The CDM or the user agent must not write initialization data extracted from
media files or data received through the update() and createSession() methods
(or parts of such data) into persistent storage. Such data could be used by Web
sites to track repeat visits and could be used by people who have access to the
computing device that the CDM or the user agent runs on to gain clues about what
sites have been visited. Storing such data persistently is not required for
streaming use cases.

(XXX If offline use cases, such as caching a movie on disk for watching in
transit with no or bad connectivity, are to be addressed at all, they should be
addressed using an explicit mechanism rather than being addressed as a
CDM-dependent hand-wavy magic side effect of update() and createSession(). The
NavigationController work that is being proposed as a replacement for app cache
could be used to cache movies and licenses so that the NavigationController
would be in charge of caching both and handing them to the media stack and EME
as if the requests happened online.)


Received on Thursday, 21 February 2013 08:20:26 UTC
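As an added example, not taken from the bug comment or from any browser engine: a small model of the event gating proposed above, where a needkey or keymessage event whose CDM message would reveal device-unique key material is deferred until the user authorizes the origin, and dismissal turns it into the corresponding error event. The class name, the `deviceUnique` flag (standing in for the CDM telling the user agent whether a message exposes unique key material) and the origins used are hypothetical.

```javascript
// Hypothetical model of the proposed user-agent behaviour (not real EME code).
class UniqueKeyGate {
  constructor() {
    this.authorized = new Set(); // origins the user has allowed to see unique key material
    this.pending = new Map();    // origin -> events deferred while the notification is shown
    this.prompts = [];           // origins with a non-modal notification currently open
  }

  // Called when the CDM produces a message for an origin's event handlers.
  // Returns the events the user agent fires immediately.
  deliver(origin, type, message) {
    // Common-to-many-devices or per-origin ephemeral key material needs no prompt.
    if (!message.deviceUnique || this.authorized.has(origin)) {
      return [{ type, message }];
    }
    const queue = this.pending.get(origin) || [];
    if (queue.length === 0) this.prompts.push(origin); // first deferred event opens the notification
    queue.push({ type, message });
    this.pending.set(origin, queue);
    return []; // delivery is deferred until the user decides
  }

  // Called when the user answers the notification ("authorize" or "dismiss").
  // Returns the events the user agent fires as a result.
  resolve(origin, decision) {
    const queue = this.pending.get(origin) || [];
    this.pending.delete(origin);
    this.prompts = this.prompts.filter((o) => o !== origin);
    if (decision === "authorize") {
      this.authorized.add(origin);
      return queue; // release the deferred events unchanged
    }
    // Dismissed: discard the deferred events and fire the error counterpart instead,
    // marking the media element as stopped until its next load.
    const errorFor = { needkey: "error", keymessage: "keyerror" };
    return queue.map((e) => ({ type: errorFor[e.type], stopped: true }));
  }
}

// Constructed walkthrough: a silent clip on a tracking site triggers a unique-key message.
const gate = new UniqueKeyGate();
gate.deliver("https://tracker.example", "keymessage", { deviceUnique: true, body: "..." });
console.log(gate.resolve("https://tracker.example", "dismiss")); // [{ type: "keyerror", stopped: true }]
```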