- From: Greg Norcie <gnorcie@cdt.org>
- Date: Tue, 16 Feb 2016 15:35:36 -0500
- To: Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>
- Cc: "public-privacy@w3.org" <public-privacy@w3.org>, "runnegar@isoc.org" <runnegar@isoc.org>, "tjwhalen@google.com" <tjwhalen@google.com>
- Message-ID: <CAMJgV7a5BHnNeCrz8fwSDegoTdU9rqfopnKRFnb2gMORRCLeVA@mail.gmail.com>
Hi all,

I read through the WebRTC 1.0 spec, and I had a few things that jumped out. I would love to hear if the rest of the group agrees/disagrees.

First, I noticed that the getStats [1] API seems to get a ton of granular data, some of which could be used to fingerprint users. Do we feel that this level of granularity is in keeping with previous guidance on Fingerprinting? [2]

Along similar lines, I noticed that consent for WebRTC seems to be quite all or nothing - once granted it seems to be difficult to revoke. Considering WebRTC can expose a user's local IP, maybe we should recommend that this consent be easily revocable and visible when in place?

This has come up in two different reviews now [3], so we may want to give some guidance in the privacy questionnaire. (I will be looking at our current language and drafting some changes later this week.)

[1] https://www.w3.org/TR/webrtc-stats/
[2] https://w3c.github.io/fingerprinting-guidance/
[3] The previous being the Permissions UI: https://www.w3.org/TR/permissions/

/********************************************/
Greg Norcie (norcie@cdt.org)
Staff Technologist
Center for Democracy & Technology
District of Columbia office
(p) 202-637-9800
PGP: http://norcie.com/pgp.txt

*CDT's Annual Dinner (Tech Prom) is April 6, 2016. Don't miss out! Learn more at https://cdt.org/annual-dinner*
/*******************************************/

On Mon, Feb 1, 2016 at 5:08 AM, Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com> wrote:

> Dear Privacy Interest Group,
>
> The WebRTC Working Group is working toward publishing the WebRTC 1.0
> specification to Candidate Recommendation and is thus seeking wide
> review on the document:
>
> https://www.w3.org/TR/2016/WD-webrtc-20160128/
>
> We are particularly interested in feedback on the following aspects from
> PING:
> - the privacy considerations,
> - more specifically, the risks associated with exposing IP addresses as
>   part of the establishment of the P2P connection,
> - the privacy properties of the identity verification mechanism,
> - the guarantees provided by isolated mediastreams.
>
> We of course also welcome feedback on any other aspect of the
> specification.
>
> We would appreciate if that feedback could be provided before the week
> of February 22 where our next meeting is scheduled, and no later than
> March 1st.
>
> If you have any comments, we prefer you submit them as Github issues:
> https://github.com/w3c/webrtc-pc/issues
> Alternatively, you can send your comments by email to public-webrtc@w3.org.
>
> Thanks,
>
> For the WebRTC co-chairs,
> Stefan Håkansson

Received on Tuesday, 16 February 2016 20:36:24 UTC