Re privacy review of EME

Dear all,

Joe Hall very kindly volunteered to help with the privacy review of EME. 

https://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html

Thank you Joe!

His comments are set out below.

Tara and I would like to invite you to share your views on the draft specification. In particular, we would like you to identify privacy issues (and ideally, ways in which they might be mitigated). We would also like you to provide feedback on the privacy considerations section.

We will be discussing this during the call today, but we encourage you to also share your views on the email list.

Christine and Tara

--------

I've looked at the current EME spec and the privacy and security text, and it seems quite good. 

In particular, the new privacy text[1] there is quite thorough. I only found a typo:

"if a Key System messages contains information derived from a user identifier in a consistent manner" -> "if a Key System message contains information derived from a user identifier in a consistent manner"

I do think it's reasonable that the spec specify one tracking mitigation mechanism that should be available across all EME implementations (such as clearing persistent or semi-persistent identifiers and storing and producing those on a same-origin basis), but I'm not sure if that's too prescriptive of UAs (getting too far into the browser).

[1] https://dvcs.w3.org/hg/html-media/raw-file/tip/encrypted-media/encrypted-media.html#privacy

Received on Thursday, 5 December 2013 14:42:22 UTC