Re: Review of WebRTC 1.0 from Privacy Interest Group

Hi all,

I read through the WebRTC 1.0 spec, and I had a few things that jumped out,
would love to hear if the rest of the group agrees/disagrees.

First, I noticed that the getStats[1] API seems to get a ton of granular
data, some of which could be used to fingerprint users. Do we feel that
this level of granularity is in keeping with previous guidance on
Fingerprinting? [2]

Along similar lines, I noticed that consent for WebRTC seems to be quite
all or nothing - once granted it seems to be difficult to revoke.
Considering WebRTC can expose a user's local IP, maybe we should recommend
that this consent be easily revocable and visible when in place?


This has come up in two different reviews now[3], so we may want to give
some guidance in the privacy questionnaire. (I will be looking at our
current language and drafting some changes later this week)

[1] https://www.w3.org/TR/webrtc-stats/
[2] https://w3c.github.io/fingerprinting-guidance/
[3] The previous being the Permissions UI:
https://www.w3.org/TR/permissions/


/********************************************/
Greg Norcie (norcie@cdt.org)
Staff Technologist
Center for Democracy & Technology
District of Columbia office
(p) 202-637-9800
PGP: http://norcie.com/pgp.txt



*CDT's Annual Dinner (Tech Prom) is April 6, 2016.  Don't miss out!learn
more at https://cdt.org/annual-dinner <https://cdt.org/annual-dinner>*
/*******************************************/

On Mon, Feb 1, 2016 at 5:08 AM, Stefan Håkansson LK <
stefan.lk.hakansson@ericsson.com> wrote:

> Dear Privacy Interest Group,
>
> The WebRTC Working Group is working toward publishing the WebRTC 1.0
> specification to Candidate Recommendation and is thus seeking wide
> review on the document:
>
> https://www.w3.org/TR/2016/WD-webrtc-20160128/
>
> We are particularly interested on feedback on the following aspects from
> PING:
> - the privacy considerations,
> - more specifically, the risks associated with exposing IP addresses as
> part of the establishment of the P2P connection,
> - the privacy properties of the identity verification mechanism,
> - the guarantees provided by isolated mediastreams.
>
> We of course also welcome feedback on any other aspect of the
> specification..
>
> We would appreciate if that feedback could be provided before the week
> of February 22 where our next meeting in scheduled, and no later than
> March 1st.
>
> If you have any comments, we prefer you submit them as Github issues:
> https://github.com/w3c/webrtc-pc/issues
> Alternatively, you can send your comments by email to public-webrtc@w3.org
> .
>
> Thanks,
>
> For the WebRTC co-chairs,
> Stefan Håkansson
>
>
>

Received on Tuesday, 16 February 2016 20:36:24 UTC