- From: Joseph Lorenzo Hall <joe@cdt.org>
- Date: Wed, 17 Feb 2016 16:43:45 -0500
- To: Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>
- Cc: "norcie@cdt.org" <norcie@cdt.org>, Keiji Takeda <tkeiji@w3.org>, "public-privacy@w3.org" <public-privacy@w3.org>, "runnegar@isoc.org" <runnegar@isoc.org>, "tjwhalen@google.com" <tjwhalen@google.com>

We do provide review comments and will consolidate them and bring them
back to you. I have to warn you that some of the stuff we may raise will
have been argued to death already at IETF and W3C, so it may be a case
of a bunch of responses on your end of the variety: "Yes, we considered
that before and the consensus of the group was x." ::)

On Wed, Feb 17, 2016 at 2:10 PM, Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com> wrote:
> Thanks Greg and Keiji for your reviews. Is it correct to interpret
> Christine's message as that PING will discuss further and come back with
> review comments representing the whole group?
>
> Br,
> Stefan
>
> On 17/02/16 18:09, Greg Norcie wrote:
>> I don't think you're misunderstanding, these all seem like valid points :)
>>
>> Looking forward to discussing!
>>
>> /********************************************/
>> Greg Norcie (norcie@cdt.org)
>> Staff Technologist
>> Center for Democracy & Technology
>> District of Columbia office
>> (p) 202-637-9800
>> PGP: http://norcie.com/pgp.txt
>>
>> CDT's Annual Dinner (Tech Prom) is April 6, 2016. Don't miss out!
>> learn more at https://cdt.org/annual-dinner
>> /*******************************************/
>>
>> On Wed, Feb 17, 2016 at 10:54 AM, Keiji Takeda <tkeiji@w3.org> wrote:
>>
>>     Greg,
>>
>>     Thank you for sharing your thought.
>>
>>     I also have been reviewing the spec and have some points that need
>>     to be discussed.
>>
>>     I feel like WebRTC is defining functions beyond current web security
>>     and privacy practices/principles so we need to examine their
>>     appropriateness carefully.
>>
>>     For example ...
>>
>>     - It makes holes in same origin policy.
>>     - It reveals client's IP addresses behind VPN or Tor.
>>     - It provides more fingerprinting surface to track users.
>>     - Most functions are all or nothing (as Greg pointed out) and it is
>>       difficult to be conscious unless users intentionally use WebRTC.
>>       (Attack can be effective against users who do not use WebRTC.)
>>
>>     I may be missing some point but please let me know if I am
>>     misunderstanding.
>>
>>     Keiji Takeda
>>
>>     On 2/16/16 3:35 PM, Greg Norcie wrote:
>>
>>         Hi all,
>>
>>         I read through the WebRTC 1.0 spec, and I had a few things that
>>         jumped out, would love to hear if the rest of the group
>>         agrees/disagrees.
>>
>>         First, I noticed that the getStats[1] API seems to get a ton of
>>         granular data, some of which could be used to fingerprint users.
>>         Do we feel that this level of granularity is in keeping with
>>         previous guidance on Fingerprinting? [2]
>>
>>         Along similar lines, I noticed that consent for WebRTC seems to
>>         be quite all or nothing - once granted it seems to be difficult
>>         to revoke. Considering WebRTC can expose a user's local IP, maybe
>>         we should recommend that this consent be easily revocable and
>>         visible when in place?
>>
>>         This has come up in two different reviews now[3], so we may want
>>         to give some guidance in the privacy questionnaire. (I will be
>>         looking at our current language and drafting some changes later
>>         this week)
>>
>>         [1] https://www.w3.org/TR/webrtc-stats/
>>         [2] https://w3c.github.io/fingerprinting-guidance/
>>         [3] The previous being the Permissions UI:
>>             https://www.w3.org/TR/permissions/
>>
>>         /********************************************/
>>         Greg Norcie (norcie@cdt.org)
>>         Staff Technologist
>>         Center for Democracy & Technology
>>         District of Columbia office
>>         (p) 202-637-9800
>>         PGP: http://norcie.com/pgp.txt
>>
>>         CDT's Annual Dinner (Tech Prom) is April 6, 2016. Don't miss out!
>>         learn more at https://cdt.org/annual-dinner
>>         /*******************************************/
>>
>>         On Mon, Feb 1, 2016 at 5:08 AM, Stefan Håkansson LK
>>         <stefan.lk.hakansson@ericsson.com> wrote:
>>
>>             Dear Privacy Interest Group,
>>
>>             The WebRTC Working Group is working toward publishing the
>>             WebRTC 1.0 specification to Candidate Recommendation and is
>>             thus seeking wide review on the document:
>>
>>             https://www.w3.org/TR/2016/WD-webrtc-20160128/
>>
>>             We are particularly interested on feedback on the following
>>             aspects from PING:
>>             - the privacy considerations,
>>             - more specifically, the risks associated with exposing IP
>>               addresses as part of the establishment of the P2P connection,
>>             - the privacy properties of the identity verification mechanism,
>>             - the guarantees provided by isolated mediastreams.
>>
>>             We of course also welcome feedback on any other aspect of the
>>             specification.
>>
>>             We would appreciate if that feedback could be provided before
>>             the week of February 22 where our next meeting is scheduled,
>>             and no later than March 1st.
>>
>>             If you have any comments, we prefer you submit them as
>>             Github issues:
>>             https://github.com/w3c/webrtc-pc/issues
>>             Alternatively, you can send your comments by email to
>>             public-webrtc@w3.org.
>>
>>             Thanks,
>>
>>             For the WebRTC co-chairs,
>>             Stefan Håkansson
>>
>

--
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871

CDT's annual dinner, Tech Prom, is April 6, 2016! https://cdt.org/annual-dinner

Received on Wednesday, 17 February 2016 21:44:43 UTC