- From: Jan-Ivar Bruaroey <jib@mozilla.com>
- Date: Mon, 29 Jun 2015 11:02:24 -0400
- To: public-privacy@w3.org
- Message-ID: <55915E00.5090709@mozilla.com>
> It is irrelevant that the value is scoped to a single origin because > any embedded third-party in their own origin iframe will be able to > identify the user and even pass the identifier server-side or via the > many cross-site scripting methods to the top level browsing context or > to other third-parties. Can't/don't they do this today with cookies? > Even though the identifier is reset when cookies are cleared, it > should not be a requirement on users that, in order the protect their > fundamental right to privacy, they have to in perpetuity periodically > scrub all their cookies, some of which they may have consented to, > indicate a tracking “opt-out” or that do not have a privacy impact. While I agree with this sentiment, this seems to be the reality even before device enumeration, hence various features like: 1. The Forget (last hour/hours/day/week) button (which clears cookies by default BTW), 2. Clear history (including cookies) on shutdown, 3. Private browsing mode (where deviceIds are not persisted). Few people take the time to manage their cookies manually. Also, it is not true you must clear ALL cookies to erase the deviceIds. They have time-stamps just like regular cookies, so if your first visit to a site was less than an hour ago, clearing the last hour clears all its deviceIds. > The following code shows the problem if you execute it in a page on > Firefox (you have to use version 39 or higher, I used Nightly 41.0a1 > and the Developer Toolbar) > > navigator.mediaDevices.enumerateDevices() > .then(function(devices) { > devices.forEach(function(device) { > console.log(device.kind + ": " + device.label + > " id = " + device.deviceId); > }); > }) > .catch(function(err) { > console.log(err.name + ": " + err.message); > }); > > On google.com I get: > > audioinput: id = tXIH1cq1vzHRkdcju5qTQIOCJzX5GP1jYwPwryhuwQs= > > and on Yahoo.com I get: > > audioinput: id = tprWdvs/eh/pzhzYAcmutm+tzpHwLjebknxbqxN37dI= > > If I close all the tabs, clear web history and cache, and reload the > browser, on Yahoo.com I still get: > > audioinput: id = tprWdvs/eh/pzhzYAcmutm+tzpHwLjebknxbqxN37dI= Cookies are cleared by default when people "clear recent history" in Firefox. Did you purposely expand "Details" in the Clear Recent History dialog and uncheck "cookies" to do this? If so, then I think the browser is doing what you asked. > But if I clear all my cookies and again visit Yahoo.com, this time I get: > > audioinput: id = ksCnhotp5uP6utLbv7s2hqffIs0P+pW0Jakmmcnkeo0= I.e. cleared. This is the default behavior. > Conclusion. > > The deviceId property should not be returned unless the user has > authorised this to occur. This is in fact legally required in Europe > (e.g. by the e-privacy and data protection directives). > > In addition, as I also pointed out in the call, any persistent > permission or user identifying storage should have a “sunset” duration > associated with it, as RFC6265 allows for but other APIs (e.g. > localStorage) do not. This has been asked for several times by the > Article 29 Working Party amongst others. I think you also had a point about third-party status? .: Jan-Ivar :.
Received on Monday, 29 June 2015 15:02:53 UTC