Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations

On Thu, Oct 29, 2015 at 8:51 AM, Rigo Wenning <rigo@w3.org> wrote:

> On Friday 23 October 2015 16:29:42 Eric Rescorla wrote:
> > In fact the RTCWEB Security Architecture documents used to require that
> > the site opt-in to persistent permissions and there was strong consensus
> > to remove that requirement precisely because browsers weren't interested
> > in implementing it.
>
> We are repeating the geolocation experience where (mostly US-policy
> inspired)
> browsers were saying that they would only implement a one time a permission
> request to use your location and they would never ask again.
>

I'm not saying that. In fact, I've said several times that Firefox does the
opposite.


My remark that the European Law here requires a permanent beacon to be shown
> as long as one is located was met with rather violent opposition and the
> requirement didn't make it into the Specification. But at the end of the
> day,
> everybody implemented the constant beacon as they wanted to ship in Europe.
>

Chrome and Firefox already show an indicator like this for gUM.



> I predict that if browsers do one time requests on WebRTC and it isn't a
> legal
> requirement yet in Europe to easily revoke it, it will become a legal
> requirement quickly.


Both Chrome and Firefox offer easy revocation.



> And this legal requirement will certainly be worse than
> doing it right in the first place. So while there may be an interest to
> benefit from the weak protections in some intermediate time, the refusal to
> implement will not be sustainable on the long run. It actually adds to the
> transatlantic unease. What is the gain to justify such important tradeoffs?


Your basic assumptions about what how browsers behave appear not
to be accurate.

-Ekr

Received on Wednesday, 28 October 2015 23:56:04 UTC