- From: Dominique Hazael-Massieux <dom@w3.org>
- Date: Wed, 10 Oct 2012 09:59:49 +0200
- To: public-media-capture@w3.org
Hi,

During yesterday's call, we had some discussion around whether we needed to worry about allowing any Web page to enumerate audio/video capture devices without any permission request.

One argument traditionally brought against that was that enumerations (in general) provide potentially a lot of bits for "fingerprinting", thus making it possible to passively identify a user or a device via its unique combination of enumerated values.

Anant in the call brought up the fact that the Web App Sec Working Group had apparently given up on fighting fingerprinting, with the co-chair of that group qualifying it as W3C's rough consensus:
http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0048.html

As per my ACTION-10, I've gotten in touch with Brad to clarify that statement; I think it is fair to say that the qualification of that statement as rough consensus is probably premature, or at least untested.

Brad has generously offered to organize and lead a session during the upcoming TPAC day on this very topic:
https://www.w3.org/wiki/TPAC2012/SessionIdeas#Is_user_agent_Fingerprinting_a_lost_cause.3F

I also wanted to mention another privacy risk induced by AV device enumeration: getting a list of all the AV devices a user owns does not only allow identifying the user passively, it also potentially leaks a lot of information about the user: for instance, if the user owns an expensive set of AV capture devices, a Web site could assume the user is wealthy, and thus start to offer its goods or services with a higher price tag.

Dom
Received on Wednesday, 10 October 2012 08:00:03 UTC