- From: Dominique Hazael-Massieux <dom@w3.org>
- Date: Thu, 28 Mar 2013 14:04:06 +0100
- To: Thomas Roessler <tlr@w3.org>
- Cc: "public-privacy@w3.org Privacy" <public-privacy@w3.org>
On Thursday, 28 March 2013 at 12:12 +0100, Thomas Roessler wrote:
> I'll be unavailable to join the call, but would suggest the unique
> identifiers generated as part of this API as an important topic for a
> privacy discussion.

Indeed.

> Specific points to look at:
>
> 1. What is the exact rationale for a media source identifier that is
> (it seems) supposed to be globally unique and persistent across
> sessions? It would be useful to look at the requirements in more
> detail, and see what the functionality and privacy tradeoffs are
> between low-entropy and high-entropy identifiers.

I assume we will be discussing this on the call as well, but since you won't be there, the main rationale is to enable a smooth user experience across sessions. The idea is that if a user has selected a set of devices to use in a given Web app, the Web app should be able to easily obtain streams from the same set of devices when the user reconnects later on. The way this is currently enabled is for the said Web app to keep track of these unique device ids and use them in the invocation of getUserMedia.

> 2. Scope of this identifier. If the identifier is high-entropy, then
> scoping it by origin is probably insufficient: Instead, you'd want to
> scope it by origin pair, i.e., origin of the top-level frame, and
> origin from which the script is executed. Otherwise, a third party
> iframe might be able to discover that identifier across multiple first
> parties, which would generate another readily trackable identifier.

There have been (so far inconclusive) discussions on the interactions between getUserMedia and the depth of the browsing context; it's certainly another area where getting perspectives and momentum from PING would be very useful.

(I think this is a topic that is actually recurrent in pretty much any sensitive API, and it would be again useful to have more generic guidance on this; but I'd be happy to start with media capture as a first concrete example.)

Dom
Received on Thursday, 28 March 2013 13:04:22 UTC