Tests for privacy in test-suite? from Harry Halpin on 2017-09-27 (public-html-media@w3.org from September 2017)

From: Harry Halpin <hhalpin@ibiblio.org>
Date: Wed, 27 Sep 2017 10:24:39 -1100
To: public-html-media@w3.org
Message-ID: <CAE1ny+79Pu=Hyta2Ge+UK5oAqBkVGoFNH_hEjbfsH0cLTWa9JQ@mail.gmail.com>

It would be great (particularly for those critical of EME's privacy
repercussions) to know what, if any, popular EME-enabled services in the
test-suite cover some of the recommendations in terms of persistent
identifiers. For example, as the spec notes, EME key systems ``may access
or create persistent or semi-persistent identifier(s) for a device or user
of a device'' and thus as ``identifiers are present in Key System messages,
then devices and/or users may be tracked." Therefore, as ``within a single
origin, a site can continue to track the user during a session, and can
then pass all this information to a third party'',  messages ``must be
encrypted, together with a timestamp or nonce, such that the Key System
messages are always different." I would assume that last part can be
tested, as well as possibly the creation of persistent identifiers in the
first place?

  yours,
     harry

Received on Wednesday, 27 September 2017 21:25:04 UTC