Re: Device enumeration, Fingerprinting and other privacy risks

On 10/10/2012 09:59 AM, Dominique Hazael-Massieux wrote:
> Hi,
>
> During yesterday's call, we had some discussion around whether we needed
> to worry about allowing any Web page to enumerate audio/video capture
> devices without any permission request.
>
> One argument traditionally brought against that was that enumerations
> (in general) provide potentially a lot of bits for "fingerprinting",
> thus allowing passive identification of a user or a device via its unique
> combination of enumerated values.
>
> Anant in the call brought up the fact the Web App Sec Working Group had
> apparently given up on fighting fingerprinting, with the co-chair of
> that group qualifying it as W3C's rough consensus:
> http://lists.w3.org/Archives/Public/public-webappsec/2012Sep/0048.html
>
> As per my ACTION-10, I've gotten in touch with Brad to clarify that
> statement; I think it is fair to say that the qualification of the statement
> as rough consensus is probably premature, or at least untested. Brad has
> generously offered to organize and lead a session during the upcoming
> TPAC day on this very topic:
> https://www.w3.org/wiki/TPAC2012/SessionIdeas#Is_user_agent_Fingerprinting_a_lost_cause.3F
>
> I also wanted to mention another privacy risk induced by AV device
> enumeration: getting a list of all the AV devices a user owns does not
> only allow identifying the user passively, it also leaks potentially a
> lot of information about the user: for instance, if the user owns an
> expensive set of AV capture devices, a Web site could assume the user is
> wealthy, and thus start to offer its goods or services with a higher
> price tag.

In the current Editor's draft the app cannot get to know of any device
that the user has not approved.

In Travis' v4 proposal, the app gets to know about all devices of the 
same type (i.e. video or audio) that the user has approved access to, 
and can select any one of them without additional user consent.

I think we could easily move that back a bit, so that the app has no 
access at all to a device that the user has not approved.

The pain point would be: should the app be made aware that a new
device has been connected or not? I think this was the most appealing 
feature of Travis' proposal - with the current draft the app would not 
get to know that. Would this be a privacy risk even if the app would 
have to issue a new getUserMedia call and hope that the user selects the 
new camera (perhaps there was no camera in the first place), or would it 
not?

Stefan

>
> Dom

Received on Thursday, 11 October 2012 11:42:20 UTC