
Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations

From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 23 Oct 2015 16:29:42 -0700
Message-ID: <CABcZeBP_qa4A3PQhmrcPhV7_c+tEe6dPLTwjUKn825Cy8nCNFg@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Nick Doty <npdoty@w3.org>, Mathieu Hofman <Mathieu.Hofman@citrix.com>, Harald Alvestrand <harald@alvestrand.no>, "public-media-capture@w3.org" <public-media-capture@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
On Fri, Oct 23, 2015 at 4:18 PM, Martin Thomson <martin.thomson@gmail.com>

> On 23 October 2015 at 16:02, Nick Doty <npdoty@w3.org> wrote:
> > We have discussed in other groups, for example at Geolocation last TPAC,
> > other "opt-in" style permissions. As part of the basic principle of data
> > minimization, we consider it good API design for site developers to be
> > able to specify the minimum data that they need, not just to make the
> > request more palatable to the end user, but also to limit their own risk.
> > I think persisted permission is a special case of this in the security
> > space, and something we've become more aware of with evidence of
> > pervasive monitoring.
> This isn't entirely about minimization.  I know that we've discussed
> this before and the view here at least was that persisting permissions
> is useful in reducing user training.  That being the phenomenon where
> users get so accustomed to seeing a dialog that muscle memory takes
> over whenever they see it.
> We need to be sensitive to the potential for this sort of training as
> it can significantly reduce the level of assurance we get that the
> consent is real.  And it's already the case that consent is marginal
> as it is.
> This is - I think - the principle that drives the Chrome policy of
> persisting these sorts of choices.  Firefox offers users a choice, and
> defaults to non-persistent permissions for gUM.  Defaults are very
> important here.
> I think that both are valid choices, but if you were to suggest that a
> site could override UX choices for browsers, even toward an arguably
> "safer" posture, you might get some resistance on those grounds.

In fact, the RTCWEB Security Architecture documents used to require that
the site opt in to persistent permissions, and there was strong consensus
to remove that requirement precisely because browsers weren't interested
in implementing it.


Received on Friday, 23 October 2015 23:30:51 UTC
