[ttml2] Mention fingerprinting vectors in privacy considerations (#1189)

jyasskin has just created a new issue for https://github.com/w3c/ttml2:

== Mention fingerprinting vectors in privacy considerations ==
If TTML is implemented natively in a user agent, it could expose [fingerprinting vectors](https://w3c.github.io/fingerprinting-guidance/) that aren't otherwise exposed. The [spec](https://w3c.github.io/ttml2/index.html#security-and-privacy) should mention this risk so native implementations know to make intentional choices. The things I noticed to call out are:

* Anything that's "implementation dependent" might be a fingerprinting vector.
   * Many initial style values are defined by the specification, so they wouldn't reveal anything. However, `<tts:color>` and some others are described as implementation-dependent.
* A user's preference for how fast they consume media (e.g. 2x vs 2.5x).
* The request for timed text indicates the user's language (which is also exposed in other ways) and that the user wants captions or subtitles (which isn't).
* The [`tts:fontFamily` attribute](https://w3c.github.io/ttml2/index.html#style-attribute-fontFamily) could expose the system's fonts and should use the [same restrictions as CSS](https://github.com/w3c/csswg-drafts/issues/4497).
* The `<audio>` and `<image>` elements probably allow the server to detect the value of any `<condition>` expression. Many of the `condition-function`s seem to be already exposed by CSS media queries. The `supports-function`s probably don't expose any more than the UA string. So this may only be extra fingerprinting surface for UAs that aren't also general web browsers. However, if one of these functions exposes a user preference or device attribute, that would be extra fingerprinting surface.

* [`ttp:clockMode==local`](https://w3c.github.io/ttml2/index.html#parameter-attribute-clockMode) probably reveals the local time zone, if only by the timing of embedded resource requests. [`ttp:timeBase==clock`](https://w3c.github.io/ttml2/index.html#parameter-attribute-timeBase) reveals clock skew in the same way.
* If there's a way to pull out a display frame rate, that would also help fingerprinting.

Please view or discuss this issue at https://github.com/w3c/ttml2/issues/1189 using your GitHub account

Received on Thursday, 19 December 2019 21:59:13 UTC
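
An added example, not part of the issue and not code from any TTML implementation: a small Python audit that flags, in a TTML document, the features the list above names (specific fonts in `tts:fontFamily`, `<audio>`/`<image>` fetches gated by a `condition`, `ttp:clockMode="local"`, `ttp:timeBase="clock"`). The function name `audit_ttml`, the vector labels, the generic font family list and the sample document are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

TT = "{http://www.w3.org/ns/ttml}"
TTS = "{http://www.w3.org/ns/ttml#styling}"
TTP = "{http://www.w3.org/ns/ttml#parameter}"
# Assumption: generic family names defined by TTML2; any other name is a specific font.
GENERIC = {"default", "monospace", "sansSerif", "serif", "monospaceSansSerif",
           "monospaceSerif", "proportionalSansSerif", "proportionalSerif"}
FETCHING = {TT + "audio", TT + "image", TT + "source"}

def audit_ttml(xml_text):
    """Return sorted (vector, detail) pairs for features the issue calls out."""
    findings = set()
    root = ET.fromstring(xml_text)
    if root.get(TTP + "timeBase") == "clock":
        findings.add(("clock-skew", "ttp:timeBase=clock"))
    if root.get(TTP + "clockMode") == "local":
        findings.add(("time-zone", "ttp:clockMode=local"))

    def walk(el, conds):
        cond = el.get("condition")
        if cond:
            conds = conds + [cond]  # a condition on an ancestor gates descendants too
        for name in (el.get(TTS + "fontFamily") or "").split(","):
            name = name.strip().strip("\"'")
            if name and name not in GENERIC:
                findings.add(("font-probe", name))
        src = el.get("src")
        # A fetch that happens only when a condition holds reports that condition
        # to the server; "#id" references are local and trigger no request.
        if el.tag in FETCHING and src and not src.startswith("#") and conds:
            findings.add(("condition-leak", f"{src} if {' and '.join(conds)}"))
        for child in el:
            walk(child, conds)

    walk(root, [])
    return sorted(findings)

# Constructed sample document, not taken from the issue or the spec.
SAMPLE = """<tt xmlns="http://www.w3.org/ns/ttml"
    xmlns:tts="http://www.w3.org/ns/ttml#styling"
    xmlns:ttp="http://www.w3.org/ns/ttml#parameter"
    ttp:timeBase="clock" ttp:clockMode="local"><body>
  <div condition="media('(min-width: 600px)')">
    <p tts:fontFamily="Futura, sansSerif">Hi<image src="https://cdn.example.com/a.png"/></p>
  </div>
  <div><p><audio src="#clip1"/></p></div>
</body></tt>"""

if __name__ == "__main__":
    for vector, detail in audit_ttml(SAMPLE):
        print(f"{vector:15} {detail}")
```

When auditing documents from untrusted sources, parse them with a hardened XML parser such as `defusedxml` instead of the standard library parser used here.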