In the last Privacy IG call I pointed out a privacy issue in Media Capture (http://www.w3.org/TR/2015/WD-mediacapture-streams-20150414/#access-control-model) .

This is where a MediaDeviceInfo object with the deviceId property is returned without any authorisation. The value returned is effectively a UID cookie singling-out the device (and obviously therefore the individual using it). This creates the possibility to easily fingerprint any user agent that supports the API.

To say the privacy risk of this is alleviated because of the same origin policy is disingenuous, as this is equivalent to placing a user unique random number i.e. a UID cookie with an infinite persistence, and of course it will be used for tracking.

It is irrelevant that the value is scoped to a single origin because any embedded third-party in their own origin iframe will be able to identify the user and even pass the identifier server-side or via the many cross-site scripting methods to the top level browsing context or to other third-parties.

Even though the identifier is reset when cookies are cleared, it should not be a requirement on users that, in order the protect their fundamental right to privacy, they have to in perpetuity periodically scrub all their cookies, some of which they may have consented to, indicate a tracking “opt-out” or that do not have a privacy impact.

The following code shows the problem if you execute it in a page on Firefox (you have to use version 39 or higher, I used Nightly 41.0a1 and the Developer Toolbar)

navigator.mediaDevices.enumerateDevices()

.then(function(devices) {

  devices.forEach(function(device) {

    console.log(device.kind + ": " + device.label +

                " id = " + device.deviceId);

  });

})

.catch(function(err) {

  console.log(err.name + ": " + err.message);

});

On google.com I get:

audioinput:  id = tXIH1cq1vzHRkdcju5qTQIOCJzX5GP1jYwPwryhuwQs=

and on Yahoo.com I get:

audioinput:  id = tprWdvs/eh/pzhzYAcmutm+tzpHwLjebknxbqxN37dI=

If I close all the tabs, clear web history and cache, and reload the browser, on Yahoo.com I still get:

audioinput:  id = tprWdvs/eh/pzhzYAcmutm+tzpHwLjebknxbqxN37dI=

But if I clear all my cookies and again visit Yahoo.com, this time I get:

audioinput:  id = ksCnhotp5uP6utLbv7s2hqffIs0P+pW0Jakmmcnkeo0=

Conclusion.

The deviceId property should not be returned unless the user has authorised this to occur. This is in fact legally required in Europe (e.g. by the e-privacy and data protection directives).

In addition, as I also pointed out in the call, any persistent permission or user identifying storage should have a “sunset” duration associated with it, as RFC6265 allows for but other APIs (e.g. localStorage) do not. This has been asked for several times by the Article 29 Working Party amongst others.

My general point about the “fetishisation” of the same origin policy, was about the tendency to see it as a privacy or security panacea when, as exhibited clearly in this case, it is not. The SOP is a fundamental basis for higher level security and privacy enabling protocols but many times is insufficient in itself.

Mike

From: Greg Norcie [mailto:gnorcie@cdt.org]
Sent: 25 June 2015 17:13
To: public-privacy (W3C mailing list)
Subject: Fwd: Request for feedback: Media Capture and Streams Last Call