W3C home > Mailing lists > Public > public-privacy@w3.org > October to December 2016

Re: Review of Audio Output Devices API from Privacy Interest Group

From: Craig Spiezle <craigs@otalliance.org>
Date: Mon, 31 Oct 2016 21:13:01 +0000
To: Joseph Lorenzo Hall <joe@cdt.org>
CC: Stefan Håkansson LK <stefan.lk.hakansson@ericsson.com>, "runnegar@isoc.org" <runnegar@isoc.org>, "tjwhalen@google.com" <tjwhalen@google.com>, "public-privacy@w3.org" <public-privacy@w3.org>
Message-ID: <04259F8D-7830-4E93-9DE3-AA61B2CE4A55@otalliance.org>
another scenario we are looking at are the ads which auto run video & audio.. effectively drive bys

Sent from my iPhone

> On Oct 31, 2016, at 1:33 PM, Joseph Lorenzo Hall <joe@cdt.org> wrote:
> (if an issue arises, happy to put them into github... staying here for
> the moment)
> Heya, I took a look at this spec and had a question about the example
> in the privacy considerations section:
> https://www.w3.org/TR/2016/WD-audio-output-20161014/#privacy-considerations
> There, is says, "Authorization is necessary because playing audio out
> of a non-default device may be unexpected behavior to the user, and
> may cause a nuisance. For example, suppose a user is in a library or
> other quiet public place where she is using a laptop with system audio
> directed to a USB headset. Her expectation is that the laptop’s audio
> is private and she will not disturb others. If any Web application can
> direct audio output through arbitrary output devices, a mischievous
> website may play loud audio out of the laptop’s external speakers
> without the user’s consent."
> The case I can think of at the moment (because it's happening on my
> system right now!) is Spotify... we'll pretend through a browser UA
> and not it's native app. Presumably, in typical use of a site like
> spotify.com to play audio, the user quickly (within a few days) gives
> permission (if needed) to spotify.com to output audio to external
> speakers and any headsets they may use. So, certainly spotify.com
> would be able to switch audio from one to the other (and from the
> spec, it sounds like if the USB headset is removed an becomes
> unavailalbe, the sinkId for the external speakers is likely to be
> chosen in a non-paused state)?
> It might make sense to have that example be a bit more robust... for
> example, you could describe the user listening to audio at foo.com on
> USB headset and another tab at bar.com wants to direct audio ouput to
> external speakers, perhaps to play an ultrasonic beacon code that
> humans can't hear? (e.g., trying to signal across origins in different
> tabs or something).
> Or maybe I have this wrong? best, Joe
> On Wed, Oct 19, 2016 at 9:24 AM, Stefan Håkansson LK
> <stefan.lk.hakansson@ericsson.com> wrote:
>> Dear Privacy Interest Group,
>> The WebRTC Working Group and Device and Sensors Working Group are
>> working toward publishing their Audio Output Devices API to Candidate
>> Recommendation and are thus seeking review from a variety of groups on
>> the document:
>> https://www.w3.org/TR/2016/WD-audio-output-20161014/
>> We are particularly interested on feedback from the Privacy Interest
>> Group on the impact on privacy (and the proposed mitigations) to the new
>> ability to play sound on specific audio devices.
>> We of course also welcome feedback on any other aspect of the
>> specification.
>> We would appreciate to receive feedback before November 11. We hope to
>> transition request to Candidate Recommendation by the end of this year.
>> If you have any comments, we prefer you submit them as Github issues:
>> https://github.com/w3c/mediacapture-output/issues
>> Alternatively, you can send your comments by email to
>> public-mediacapture@w3.org.
>> Thanks,
>> For the WebRTC and DAS chairs,
>> Stefan Hakansson
> -- 
> Joseph Lorenzo Hall
> Chief Technologist, Center for Democracy & Technology [https://www.cdt.org]
> 1401 K ST NW STE 200, Washington DC 20005-3497
> e: joe@cdt.org, p: 202.407.8825, pgp: https://josephhall.org/gpg-key
> Fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
> Tech Prom, CDT's Annual Dinner, is April 20, 2017! https://cdt.org/annual-dinner
Received on Monday, 31 October 2016 21:13:43 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:49:33 UTC