- From: Joseph Lorenzo Hall <joe@cdt.org>
- Date: Thu, 18 Feb 2016 11:28:39 -0500
- To: Greg Norcie <norcie@cdt.org>
- Cc: Keiji Takeda <tkeiji@w3.org>, "public-privacy@w3.org" <public-privacy@w3.org>

This is a great point, perhaps we can do a PING "check in" on WebRTC
review and then follow up afterwards with a separate (non-regular)
call about the spec. It's very difficult to adequately review such a
big spec on a short timeline.

best, Joe

On Thu, Feb 18, 2016 at 10:28 AM, Greg Norcie <gnorcie@cdt.org> wrote:
> It might be useful to discuss at the high level on the call, and then we can
> divvy up more detailed feedback (either on the call or offline).
>
> /********************************************/
> Greg Norcie (norcie@cdt.org)
> Staff Technologist
> Center for Democracy & Technology
> District of Columbia office
> (p) 202-637-9800
> PGP: http://norcie.com/pgp.txt
>
> CDT's Annual Dinner (Tech Prom) is
> April 6, 2016. Don't miss out!
> learn more at https://cdt.org/annual-dinner
> /*******************************************/
>
> On Thu, Feb 18, 2016 at 9:51 AM, Joseph Lorenzo Hall <joe@cdt.org> wrote:
>>
>> I agree and we just got started on our review, so not sure discussing
>> WebRTC is ripe for next week (I'll be out of town so can't join the
>> call, dang it). best, Joe
>>
>> On Thu, Feb 18, 2016 at 8:17 AM, Keiji Takeda <tkeiji@w3.org> wrote:
>> > This message is being sent only to PING mailing list.
>> >
>> > Since the spec to review is relatively large and complex and having
>> > significant impact to user privacy so I think it is better to spend
>> > enough time to exchange thoughts before the actual meeting since the
>> > time is limited.
>> >
>> > Should we share our review results or questions on this mailing list?
>> > Or is there any good way for such internal discussion? (GitHub?)
>> >
>> > Keiji
>> >
>> > On 2/17/16 4:43 PM, Joseph Lorenzo Hall wrote:
>> >>
>> >> We do provide review comments and will consolidate them and bring them
>> >> back to you. I have to warn you that some of the stuff we may raise
>> >> will have been argued to death already at IETF and W3C, so it may be a
>> >> case of a bunch of responses on your end of the variety: "Yes, we
>> >> considered that before and the consensus of the group was x." ::)
>> >>
>> >> On Wed, Feb 17, 2016 at 2:10 PM, Stefan Håkansson LK
>> >> <stefan.lk.hakansson@ericsson.com> wrote:
>> >>>
>> >>> Thanks Greg and Keiji for your reviews. Is it correct to interpret
>> >>> Christine's message as that PING will discuss further and come back
>> >>> with review comments representing the whole group?
>> >>>
>> >>> Br,
>> >>> Stefan
>> >>>
>> >>> On 17/02/16 18:09, Greg Norcie wrote:
>> >>>>
>> >>>> I don't think you're misunderstanding, these all seem like valid
>> >>>> points :)
>> >>>>
>> >>>> Looking forward to discussing!
>> >>>>
>> >>>> /********************************************/
>> >>>> Greg Norcie (norcie@cdt.org)
>> >>>> Staff Technologist
>> >>>> Center for Democracy & Technology
>> >>>> District of Columbia office
>> >>>> (p) 202-637-9800
>> >>>> PGP: http://norcie.com/pgp.txt
>> >>>>
>> >>>> CDT's Annual Dinner (Tech Prom) is
>> >>>> April 6, 2016. Don't miss out!
>> >>>> learn more at https://cdt.org/annual-dinner
>> >>>> /*******************************************/
>> >>>>
>> >>>> On Wed, Feb 17, 2016 at 10:54 AM, Keiji Takeda <tkeiji@w3.org> wrote:
>> >>>>
>> >>>> Greg,
>> >>>>
>> >>>> Thank you for sharing your thought.
>> >>>>
>> >>>> I also have been reviewing the spec and have some points that need
>> >>>> to be discussed.
>> >>>>
>> >>>> I feel like WebRTC is defining functions beyond current web security
>> >>>> and privacy practices/principles so we need to examine their
>> >>>> appropriateness carefully.
>> >>>>
>> >>>> For example ...
>> >>>>
>> >>>> - It makes holes in same origin policy.
>> >>>> - It reveals client's IP addresses behind VPN or Tor.
>> >>>> - It provides more fingerprinting surface to track users.
>> >>>> - Most functions are all or nothing (as Greg pointed out) and it is
>> >>>>   difficult to be conscious unless users intentionally use WebRTC.
>> >>>>   (Attack can be effective against users who do not use WebRTC.)
>> >>>>
>> >>>> I may be missing some point but please let me know if I am
>> >>>> misunderstanding.
>> >>>>
>> >>>> Keiji Takeda
>> >>>>
>> >>>> On 2/16/16 3:35 PM, Greg Norcie wrote:
>> >>>>
>> >>>> Hi all,
>> >>>>
>> >>>> I read through the WebRTC 1.0 spec, and I had a few things that
>> >>>> jumped out, would love to hear if the rest of the group
>> >>>> agrees/disagrees.
>> >>>>
>> >>>> First, I noticed that the getStats[1] API seems to get a ton of
>> >>>> granular data, some of which could be used to fingerprint users. Do
>> >>>> we feel that this level of granularity is in keeping with previous
>> >>>> guidance on Fingerprinting? [2]
>> >>>>
>> >>>> Along similar lines, I noticed that consent for WebRTC seems to be
>> >>>> quite all or nothing - once granted it seems to be difficult to
>> >>>> revoke. Considering WebRTC can expose a user's local IP, maybe we
>> >>>> should recommend that this consent be easily revocable and visible
>> >>>> when in place?
>> >>>>
>> >>>> This has come up in two different reviews now[3], so we may want to
>> >>>> give some guidance in the privacy questionnaire. (I will be looking
>> >>>> at our current language and drafting some changes later this week)
>> >>>>
>> >>>> [1] https://www.w3.org/TR/webrtc-stats/
>> >>>> [2] https://w3c.github.io/fingerprinting-guidance/
>> >>>> [3] The previous being the Permissions UI:
>> >>>> https://www.w3.org/TR/permissions/
>> >>>>
>> >>>> /********************************************/
>> >>>> Greg Norcie (norcie@cdt.org)
>> >>>> Staff Technologist
>> >>>> Center for Democracy & Technology
>> >>>> District of Columbia office
>> >>>> (p) 202-637-9800
>> >>>> PGP: http://norcie.com/pgp.txt
>> >>>>
>> >>>> CDT's Annual Dinner (Tech Prom) is April 6, 2016. Don't miss out!
>> >>>> learn more at https://cdt.org/annual-dinner
>> >>>> /*******************************************/
>> >>>>
>> >>>> On Mon, Feb 1, 2016 at 5:08 AM, Stefan Håkansson LK
>> >>>> <stefan.lk.hakansson@ericsson.com> wrote:
>> >>>>
>> >>>> Dear Privacy Interest Group,
>> >>>>
>> >>>> The WebRTC Working Group is working toward publishing the WebRTC 1.0
>> >>>> specification to Candidate Recommendation and is thus seeking wide
>> >>>> review on the document:
>> >>>>
>> >>>> https://www.w3.org/TR/2016/WD-webrtc-20160128/
>> >>>>
>> >>>> We are particularly interested on feedback on the following aspects
>> >>>> from PING:
>> >>>> - the privacy considerations,
>> >>>> - more specifically, the risks associated with exposing IP addresses
>> >>>>   as part of the establishment of the P2P connection,
>> >>>> - the privacy properties of the identity verification mechanism,
>> >>>> - the guarantees provided by isolated mediastreams.
>> >>>>
>> >>>> We of course also welcome feedback on any other aspect of the
>> >>>> specification.
>> >>>>
>> >>>> We would appreciate if that feedback could be provided before the
>> >>>> week of February 22 where our next meeting is scheduled, and no
>> >>>> later than March 1st.
>> >>>>
>> >>>> If you have any comments, we prefer you submit them as Github issues:
>> >>>> https://github.com/w3c/webrtc-pc/issues
>> >>>> Alternatively, you can send your comments by email to
>> >>>> public-webrtc@w3.org.
>> >>>>
>> >>>> Thanks,
>> >>>>
>> >>>> For the WebRTC co-chairs,
>> >>>> Stefan Håkansson
>> >>>>
>>
>> --
>> Joseph Lorenzo Hall
>> Chief Technologist, Center for Democracy & Technology
>> [https://www.cdt.org]
>> e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
>> Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871
>>
>> CDT's annual dinner, Tech Prom, is April 6, 2016!
>> https://cdt.org/annual-dinner
>

--
Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology
[https://www.cdt.org]
e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871

CDT's annual dinner, Tech Prom, is April 6, 2016!
https://cdt.org/annual-dinner
Received on Thursday, 18 February 2016 16:29:29 UTC
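
The IP address exposure discussed in this thread happens through the ICE candidate lines of a WebRTC session description. As an added illustration (not part of the original messages; the SDP lines, addresses and function names are constructed for this example), this JavaScript audits a session description for the client-side addresses its candidate lines disclose:

```javascript
// Constructed sample: RFC 1918 and RFC 5737 documentation addresses only.
const SAMPLE_SDP = [
  "v=0",
  "a=candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "a=candidate:2 1 udp 1686052607 203.0.113.7 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "a=candidate:3 1 udp 41885439 198.51.100.9 3478 typ relay raddr 203.0.113.7 rport 54321",
].join("\r\n");

const IPV4 = /^(\d+)\.(\d+)\.\d+\.\d+$/;

// True for RFC 1918 private ranges and IPv4 link-local (169.254/16).
function isPrivateV4(addr) {
  const m = IPV4.exec(addr);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Extract type, address and related address from each a=candidate line.
function parseCandidates(sdp) {
  const out = [];
  for (const line of sdp.split(/\r?\n/)) {
    const m = /^a=candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(.*)$/.exec(line);
    if (!m) continue;
    const raddr = / raddr (\S+)/.exec(m[8]);
    out.push({ type: m[7], address: m[5], raddr: raddr ? raddr[1] : null });
  }
  return out;
}

// Bucket every address that belongs to the client, not to a TURN server.
function exposureReport(sdp) {
  const report = { local: [], public: [], other: [] };
  for (const c of parseCandidates(sdp)) {
    // A relay candidate's own address is the TURN server's; only its raddr is the client's.
    const clientAddrs = c.type === "relay" ? [c.raddr] : [c.address, c.raddr];
    for (const addr of clientAddrs) {
      if (!addr || addr === "0.0.0.0") continue; // absent or deliberately blanked
      // Non-IPv4 values (IPv6, hostnames) are reported as "other", unclassified.
      const bucket = !IPV4.test(addr) ? "other" : isPrivateV4(addr) ? "local" : "public";
      if (!report[bucket].includes(addr)) report[bucket].push(addr);
    }
  }
  return report;
}

console.log(exposureReport(SAMPLE_SDP));
```

Note that the related address (`raddr`) on server-reflexive and relay candidates repeats the client's own address, so a relay-only candidate set still discloses it unless that field is blanked.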