- From: Harald Alvestrand <harald@alvestrand.no>
- Date: Tue, 29 Oct 2013 12:45:22 +0100
- To: Martin Thomson <martin.thomson@gmail.com>, Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>
- CC: "public-media-capture@w3.org" <public-media-capture@w3.org>
On 10/28/2013 06:34 PM, Martin Thomson wrote:
> On 28 October 2013 10:30, Stefan Håkansson LK
> <stefan.lk.hakansson@ericsson.com> wrote:
>> Do we really think that the average user would be able to understand
>> different levels of (essentially) access to a camera or microphone?
> That's not something that I can answer at this current moment. It
> probably depends a great deal on how the question is presented.
>
>> And with the current UIs, would we not get to a click through behavior?
>> E.g. the site first asks for "peeridentity"-access, the user clicks
>> "accept", the site upgrades and the user gets a new prompt and does not
>> read/understand the difference and just clicks accept again?
> Given the proposed state machine, I don't see there ever being a case
> where the user gets two prompts. That is, unless the site is playing
> games with them. I can think of several ways to discourage bad
> behaviour like that if it comes to that.

Martin, I think I understand what you are getting at now - the "noaccess" constraint is something one would use to wire up the streams and devices while delaying the prompt to the user for permission to a point where it's appropriate to do so.

This would also mean that probing the identity of the user's devices for fingerprinting purposes needs to be defined as "not a problem" - since with "noaccess", he can do all that probing without ever triggering a user prompt.

One case that worries me is the case where a site says "look, all the streams I request are noaccess, you can trust me", and then somehow gets whitelisted. If a stream is opened "noaccess", and the site changes it to "full", and then immediately back to "noaccess", the site can get a picture of the user without the user noticing anything, even if he watches the indicator that says whether he's authorized outgoing video or not.

I think I'll repeat what I asked earlier: Can you write up a complete use case where you will want to use the "noaccess" constraint, so that we can see what it does, and why it's beneficial to the scenario?

Harald

--
Surveillance is pervasive. Go Dark.
Received on Tuesday, 29 October 2013 11:45:59 UTC