RE: Request for feedback: Media Capture and Streams Last Call from Mike O'Neill on 2015-06-28 (public-media-capture@w3.org from June 2015)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Sun, 28 Jun 2015 20:34:46 +0100
To: "'Eric Rescorla'" <ekr@rtfm.com>
Cc: "'public-privacy $W3C mailing list$'" <public-privacy@w3.org>, <public-media-capture@w3.org>
Message-ID: <02d201d0b1d9$7e3f1f70$7abd5e50$@baycloud.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



From: Eric Rescorla [mailto:ekr@rtfm.com]
Sent: 28 June 2015 18:56
To: Mike O'Neill
Cc: Greg Norcie; public-privacy (W3C mailing list); Simon Rice; public-media-capture@w3.org
Subject: Re: Request for feedback: Media Capture and Streams Last Call



On Sun, Jun 28, 2015 at 4:26 AM, Mike O'Neill <michael.oneill@baycloud.com> wrote:
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In the last Privacy IG call I pointed out a privacy issue in Media Capture (http://www.w3.org/TR/2015/WD-mediacapture-streams-20150414/#access-control-model) .

This is where a MediaDeviceInfo object with the deviceId property is returned without any authorisation. The value returned is effectively a UID cookie singling-out the device (and obviously therefore the individual using it). This creates the possibility to easily fingerprint any user agent that supports the API.

To say the privacy risk of this is alleviated because of the same origin policy is disingenuous, as this is equivalent to placing a user unique random number i.e. a UID cookie with an infinite persistence, and of course it will be used for tracking.

It is irrelevant that the value is scoped to a single origin because any embedded third-party in their own origin iframe will be able to identify the user and even pass the identifier server-side or via the many cross-site scripting methods to the top level browsing context or to other third-parties.

Even though the identifier is reset when cookies are cleared, it should not be a requirement on users that, in order the protect their fundamental right to privacy, they have to in perpetuity periodically scrub all their cookies, some of which they may have consented to, indicate a tracking “opt-out” or that do not have a privacy impact.

I'm having trouble following your argument here.

In general, sites which can access this API can also set cookies and/or write data
to indexeddb (modulo third-party cookie blocking [0]) which allows them to equally
well track the user. And since they can put either random data or data of their own
choice there, it seems that this API is strictly less powerful than cookies [1]. Given that,
I'm not sure why you think it represents an incremental threat to user privacy.

I don't think it's really that useful to characterize this as "fingerprinting", since the
typical value proposition of fingerprinting is opposed to cookies is that it provides
a stable identifier across origins, which deviceId does not.

Tracking via cookies is relatively understood by users, user-agents or extensions making them more or less transparent. There are various ways to see what cookies have been placed, by whom, how long they will persist etc. There are now often ways for users to have fine granular control of them, again often built into browsers or if not available via extension tools. The privacy risk is still there but users at least have been given some ability to see what is happening and take some control.

The ability to fingerprint users via an always accessible UID is invisible and no existing browsers or tools help users to be aware of it. Should there be yet another browser UI to indicate “such-and-such origin has executed enumerateDevices, watch out you may be being tracked”. How will that be explained to users who are increasingly concerned about being tracked without their knowledge? The predictable result of all this will be content blocking of any third-party that executes the API (without consent if that is detectable, in any case if not).

Of course other APIs also have been released that expose fingerprinting risks, but that is no reason to add to the chaos. Every time a new API is introduced that enables invisible tracking people’s trust in the web is diminished. This will  also lead to widespread blocking of third-party behaviour e.g. any third-party iframe that executes XHR or creates a beacon, a ridiculous arms race that is no good for anyone.

I have already pointed out that single origin scoping does not help with this. The value of fingerprinting is that it is mostly undetectable, shooting ids across origins is a minor problem – already solved in many ways. To ubiquitous third-parties it is not an issue at all.



- -Ekr

[0] I don't know how implementations presently behave in the face of third-party
cookie blocking, but I wouldn't be averse to requiring some sort of comparable
behavior for deviceId.

Zeroing out deviceId in non top level browsing contexts might work, how about that?

[1] Modulo restrictions on the maximum lifetime of a cookie.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: Using gpg4o v3.4.103.5490 - http://www.gpg4o.com/
Charset: utf-8

iQEcBAEBAgAGBQJVkExVAAoJEHMxUy4uXm2JxzAIANlGDVa1XeWpBgrxH3nmm33X
uIzFee7JrkWItxi8pmSpvTsmsJGm+N9C9B/n7+DTrzLLvRUDGPbl+X/sfu6SlRm+
C0LnR9k6c1QGFfmtsmeFs1qGqYOuw7IcQ4HhQNjXK+DxGhw93SLy1KFi6a1dXuoK
5CVv/wzyk54sYTYfHQjLoC+WOBZR0NhsPKUL4sXCr3ii9Dib/c/8vZ2a06zN/FIV
xHfUbPK7mM+MK1dl/wCBaCZxwR9aNzAMa4EiNkTKHm3gJumFXr1+4F1l5SCldHK9
S//8oV+8hxB4Sk93Kzz4k0tkPLi2ir9u+SFjeDMfmQRQiHmb00Iw52c+uRKYmG4=
=8ycj
-----END PGP SIGNATURE-----
Attachments

text/html attachment: PGPexch.htm
application/octet-stream attachment: PGPexch.htm.sig
Received on Sunday, 28 June 2015 19:35:18 UTC