Fwd: [encrypted-media] Privacy: Prohibit access/use of sensitive data (e.g. location) by CDMs

I thought PING folks may be interested in this issue from the EME
spec about limiting access by a CDM to permissions-gated data (CDM =
content decryption module; recall that EME is a browser API interface
that encrypts and decrypts video frames (for now) by interacting with
an opaque binary decryption blob... that's the CDM)

best, Joe


---------- Forwarded message ----------
From: ddorwin via GitHub <sysbot+gh@w3.org>
Date: Tue, Apr 12, 2016 at 4:30 PM
Subject: [encrypted-media] Privacy: Prohibit access/use of sensitive
data (e.g. location) by CDMs
To: public-html-media@w3.org


ddorwin has just created a new issue for
https://github.com/w3c/encrypted-media:

== Privacy: Prohibit access/use of sensitive data (e.g. location) by
CDMs ==
In
https://github.com/w3c/encrypted-media/issues/157#issuecomment-208844577,
@mwatson2 says:
> For online viewing, services may indeed apply geographic
> restrictions. ...it is a server function to apply these restrictions,
> not something that is done by the DRM. This is important to recognize
> because there would be privacy implications if the CDM could access
> your location.

While we assume the CDM cannot access or use the client's/user's
location, I'm not sure it is currently expressly prohibited by the
spec.

More generally, the CDM should not use (have access to?) or expose
data that is not generally available to web applications or is
generally protected by a user permission and/or prompt. Location is a
primary example, but there are others, both exposed to the web (i.e.
user media, such as camera and mic) and not (i.e. LAN details or
devices).

While the examples above may seem clear cut, the phrasing could be
tricky, especially since unsandboxed CDMs often do have such access
and some CDMs use, for example, Distinctive Identifiers not otherwise
exposed.

Note that preventing exposure of such data is not sufficient since
even use of them could allow them to be derived (i.e. via a series of
licenses).

Please view or discuss this issue at
https://github.com/w3c/encrypted-media/issues/158 using your GitHub
account



-- 
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

Received on Wednesday, 13 April 2016 11:12:11 UTC