Resolving the question: should “MUST clear deviceId” become “MAY”?

Hi all,

this relates to Issue #359 [1] where it is proposed to change "MUST" 
clear devideIds at end of browsing session (given that the origin has 
never been allowed to use a camera or microphone) to "MAY".

We would like to understand if there is support for making such a change.

We’ve for a long time had the requirement that deviceIds (note that any
deviceId is always per origin) are to be persisted between sessions.
This enables the application to (by using enumerateDevices) check if the
preferred devices (camera, microphone, headset) are available, and
if so ask for those devices in getUserMedia and so on, in the interest
of a good user experience.

(Needless to say all persisted deviceIds must always be cleared if the 
user decides to clear "cookies and other persisted site data" (the spec 
should probably be even clearer on this).)

As a result of the Privacy Interest Group (PING) review we had to change
this a bit since persisting the deviceIds is a very big fingerprint [2].
The compromise reached [3] was that the UA should not be allowed to
persist deviceIds until the user has at least once given the origin
access to at least one device (camera or microphone). If this has not
happened the current deviceIds would only be valid until the end of the
current browsing session. The motivation for this is quite clear: if
they are not cleared, any web site, without any intention to ask for the
use of microphone or camera, could add a perfect fingerprint by doing
enumerateDevices, and the user is unable to detect or inspect this
(since it is not a cookie).

What the spec essentially says is:
- If the origin has never been given access to a camera or microphone 
the browser MUST clear deviceIds at the end of the current browsing session
- If the origin has at least once been given access to a camera or 
microphone the browser MUST persist deviceIds (so they remain the same 
at later browsing sessions for this origin)

Unfortunately the interpretation of "browsing session" initially varied.
Most read it as "until the tab is closed or navigated to another
origin", but some as "until the browser is closed", it has later been
clarified that the first interpretation is the valid one.

[1] also reports from some testing done with Chrome, Edge and Firefox
(e.g. [4], [5], [6]). The results show that (at the time of the test)
none of them are fully spec compliant (but all come close).

More specifically those tests show that Chrome and Firefox currently
fail on the part "MUST clear deviceIds" (however, the Chrome team has
acknowledged that Chrome is not spec compliant and are planning to fix
this [7] and for Firefox a patch making it spec compliant is available
[8]) while Edge fails on the part "MUST persist deviceIds".

Change proposal that has been brought forward

In [1] there is a proposal that the spec should change:

Instead of that (given that the origin has never been given access to a 
microphone or camera) "deviceIds MUST be cleared at the end of the 
browsing session" it is in [1] proposed to change this to "deviceIds MAY 
be cleared at the end of the browsing session". The motivation as we 
understand it is that persisted deviceIds are similar to cookies and 
should thus be treated as such, and also that it would not worsen 
privacy since a site can already use a cookie to identify a returning user.

We see issues with such a change:

DeviceIds are not the same as cookies, for example they do not show up
if the user inspects cookies. So persisting deviceIds even if the origin
has not been given (or even asked for) access to a microphone or camera
would be a privacy problem, and with the proposed change we would open
up for Browsers to do this. It would also break something we have agreed
with PING on and we would have to return to that discussion.

We would like to know if there is strong support for changing the spec 
(so far only one person has expressed that view) as described here.

We think the spec as is now strikes a reasonable balance between 
usability and privacy, and it has been discussed with and approved by 
PING, and if there is not strong support for the proposed change we will 
consider what the spec currently says as the group’s consensus.

Erik, Harald and Stefan


Received on Wednesday, 22 June 2016 14:55:02 UTC