Re: Review of Audio Output Devices API from Privacy Interest Group

(if an issue arises, happy to put them into github... staying here for
the moment)

Heya, I took a look at this spec and had a question about the example
in the privacy considerations section:

There, is says, "Authorization is necessary because playing audio out
of a non-default device may be unexpected behavior to the user, and
may cause a nuisance. For example, suppose a user is in a library or
other quiet public place where she is using a laptop with system audio
directed to a USB headset. Her expectation is that the laptop’s audio
is private and she will not disturb others. If any Web application can
direct audio output through arbitrary output devices, a mischievous
website may play loud audio out of the laptop’s external speakers
without the user’s consent."

The case I can think of at the moment (because it's happening on my
system right now!) is Spotify... we'll pretend through a browser UA
and not it's native app. Presumably, in typical use of a site like to play audio, the user quickly (within a few days) gives
permission (if needed) to to output audio to external
speakers and any headsets they may use. So, certainly
would be able to switch audio from one to the other (and from the
spec, it sounds like if the USB headset is removed an becomes
unavailalbe, the sinkId for the external speakers is likely to be
chosen in a non-paused state)?

It might make sense to have that example be a bit more robust... for
example, you could describe the user listening to audio at on
USB headset and another tab at wants to direct audio ouput to
external speakers, perhaps to play an ultrasonic beacon code that
humans can't hear? (e.g., trying to signal across origins in different
tabs or something).

Or maybe I have this wrong? best, Joe

On Wed, Oct 19, 2016 at 9:24 AM, Stefan Håkansson LK
<> wrote:
> Dear Privacy Interest Group,
> The WebRTC Working Group and Device and Sensors Working Group are
> working toward publishing their Audio Output Devices API to Candidate
> Recommendation and are thus seeking review from a variety of groups on
> the document:
> We are particularly interested on feedback from the Privacy Interest
> Group on the impact on privacy (and the proposed mitigations) to the new
> ability to play sound on specific audio devices.
> We of course also welcome feedback on any other aspect of the
> specification.
> We would appreciate to receive feedback before November 11. We hope to
> transition request to Candidate Recommendation by the end of this year.
> If you have any comments, we prefer you submit them as Github issues:
> Alternatively, you can send your comments by email to
> Thanks,
> For the WebRTC and DAS chairs,
> Stefan Hakansson

Joseph Lorenzo Hall
Chief Technologist, Center for Democracy & Technology []
1401 K ST NW STE 200, Washington DC 20005-3497
e:, p: 202.407.8825, pgp:
Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

Tech Prom, CDT's Annual Dinner, is April 20, 2017!

Received on Monday, 31 October 2016 20:31:13 UTC