RE: Device enumeration, Fingerprinting and other privacy risks

> -----Original Message-----
> From: Dominique Hazael-Massieux [mailto:dom@w3.org]
> Sent: Wednesday, October 10, 2012 1:00 AM
> To: public-media-capture@w3.org
> Subject: Device enumeration, Fingerprinting and other privacy risks
> 
> Hi,
> 
> During yesterday's call, we had some discussion around whether we needed
> to worry about allowing any Web page to enumerate audio/video capture
> devices without any permission request.
> 
> One argument traditionally brought against that was that enumerations
> (in general) potentially provide a lot of bits for "fingerprinting",
> thus allowing a user or a device to be passively identified via its
> unique combination of enumerated values.
> 
> Anant in the call brought up the fact the Web App Sec Working Group had
> apparently given up on fighting fingerprinting, with the co-chair of
> that group qualifying it as W3C's rough consensus:
> http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0048.html
> 
> As per my ACTION-10, I've gotten in touch with Brad to clarify that
> statement; I think it is fair to say that the qualification of statement
> as rough consensus is probably premature, or at least untested. Brad has
> generously offered to organize and lead a session during the upcoming
> TPAC day on this very topic:
> https://www.w3.org/wiki/TPAC2012/SessionIdeas#Is_user_agent_Fingerprinting_a_lost_cause.3F
> 

I think more broadly that trying to ensure privacy protection at a technical level in the design of each API is a lost cause, and hamstrings the Web platform from the start. In approaching it this way, we are doomed to repeat the same nail-biting exercise over what contributes to fingerprinting, until we get to a comfortable illusion we can live with, or there is nothing left functionally in an API.

I would rather rebalance the consideration of privacy harms toward the trust that users place in the sites they are visiting, and provide more functionality on the API side. The user should be in the place of choosing to expose information through APIs, with adequate education about the risks and benefits (yes, there are some).

> I also wanted to mention another privacy risk induced by AV device
> enumeration: getting a list of all the AV devices a user owns does not
> only allow the user to be identified passively, it also potentially
> leaks a lot of information about the user: for instance, if the user
> owns an expensive set of AV capture devices, a Web site could assume the
> user is wealthy, and thus start to offer its goods or services with a
> higher price tag.
>

I would consider the choice of whether the user wanted to expose these attributes (what I own or have access to), and gain from the opportunity provided by marketing based upon those attributes, as the user's choice. Targeted marketing is not an evil; it's actually the market trying to work out inefficiencies in service delivery. The same can be said for content and service customization based upon context; if you provide no context, content and services tend toward the unusable. I would rather have useful services and control of how I am marketed to.

Thanks,
Bryan Sullivan

Received on Wednesday, 10 October 2012 17:14:14 UTC