- From: Chris Needham via GitHub <sysbot+gh@w3.org>
- Date: Tue, 12 Jul 2016 14:48:08 +0000
- To: public-tvcontrol@w3.org
chrisn has just created a new issue for https://github.com/w3c/tvcontrol-api:

== Privacy and fingerprinting considerations ==

The following documents provide guidance regarding user privacy:

* [Self-Review Questionnaire: Security and Privacy](https://www.w3.org/TR/security-privacy-questionnaire/)
* [Fingerprinting Guidance for Web Specification Authors](https://w3c.github.io/fingerprinting-guidance/)

Considering first the [Self-Review Questionnaire](https://www.w3.org/TR/security-privacy-questionnaire/), although "it is not meant as a 'security checklist'", I found it useful to go through the list of questions:

> Does this specification deal with personally-identifiable information?

I don't think so, but I'm not an expert on what constitutes PII.

> Does this specification introduce new state for an origin that persists across browsing sessions?

No.

> Does this specification expose persistent, cross-origin state to the web?

Yes:

* `TVManager` provides access (via the `TVTuner` and `TVSource` objects) to the list of channels available on the device, which exposes the type of service the user has access to (or has subscribed to, which may include encrypted services). Although the spec doesn't explicitly say so, the expectation is that the channel list is persisted on the device.
* `TVManager` provides CI card information, including the CA System ID, which exposes which encryption schemes are available in the device.
* `TVManager` provides access to the list of TV recordings the user has made.
* `TVManager` also has several attributes that can be used for fingerprinting: `isParentalControlled`, `totalRecordingSize`, and `availableRecordingSize`.

> Does this specification expose any other data to an origin that it doesn't currently have access to?

Other than the data mentioned above, no.

> Does this specification enable new script execution/loading mechanisms?

No.

> Does this specification allow an origin access to a user's location?

Not with a great degree of precision. A broad geographic location (country or region) could be inferred from the list of channels available.

> Does this specification allow an origin access to sensors on a user's device?

Yes, if we regard tuners as being sensors.

> Does this specification allow an origin access to aspects of a user's local computing environment?

No.

> Does this specification allow an origin access to other devices?

No.

> Does this specification allow an origin some measure of control over a user agent's native UI?

No.

> Does this specification expose temporary identifiers to the web?

Yes, the `TVChannel`, `TVProgram` and `TVRecording` objects all include identifiers.

> Does this specification distinguish between behavior in first-party and third-party contexts?

No.

> How should this specification work in the context of a user agent's "incognito" mode?

This is to be determined.

> Does this specification persist data to a user's local device?

Yes. The channel list, parental control flag, and PIN code to unlock parental control are all persisted on the device.

> Does this specification have a "Security Considerations" and "Privacy Considerations" section?

Not yet, but this is something we should do.

> Does this specification allow downgrading default security characteristics?

No.

The [Fingerprinting Guidance](https://w3c.github.io/fingerprinting-guidance/) document describes a number of best practices that should be applied to the TV Control API spec:

> Best Practice 1: Avoid unnecessary increases to the surface for passive fingerprinting.
> Best Practice 2: Prefer functionally-comparable designs that don't increase the surface for active fingerprinting.
> Best Practice 3: Mark features that contribute to fingerprintability.
> Best Practice 4: Specify orderings and non-functional differences.
> Best Practice 5: Design APIs to access only the entropy necessary.
> Best Practice 6: Enable graceful degradation for privacy-conscious users or implementers.
> Best Practice 7: Avoid unnecessary new cookie-like local state mechanisms.
> Best Practice 8: Highlight any local state mechanisms to enable simultaneous clearing.

All of this suggests to me that we should carefully consider the data that the API exposes, and consider alternatives that reduce the fingerprinting surface.

Please view or discuss this issue at https://github.com/w3c/tvcontrol-api/issues/8 using your GitHub account
Received on Tuesday, 12 July 2016 14:48:16 UTC
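As an added illustration of Best Practice 5 applied to the `TVManager` attributes the issue names (this is example code, not part of the tvcontrol-api spec or the issue above), the following estimates how many bits of identifying information exact `totalRecordingSize`/`availableRecordingSize` values would leak across a population of devices, compared with a coarsened design that exposes only what an application functionally needs. The device population and the size classes are constructed, hypothetical values.

```javascript
// Shannon entropy (bits) of the fingerprint distribution over a device population.
function entropyBits(fingerprints) {
  const counts = new Map();
  for (const fp of fingerprints) counts.set(fp, (counts.get(fp) || 0) + 1);
  const n = fingerprints.length;
  let h = 0;
  for (const c of counts.values()) {
    const p = c / n;
    h -= p * Math.log2(p);
  }
  return h;
}

// Raw design: exact byte counts make nearly every device unique.
function rawFingerprint(d) {
  return [d.isParentalControlled, d.totalRecordingSize, d.availableRecordingSize].join('|');
}

// Coarsened design (hypothetical): a few size classes plus a "low space" boolean,
// which is all a recording UI needs to warn the user, and far less entropy.
const GIB = 1024 ** 3;
function coarseFingerprint(d) {
  const t = d.totalRecordingSize;
  const sizeClass = t < 500 * GIB ? 'small' : t < 2000 * GIB ? 'medium' : 'large';
  const lowSpace = d.availableRecordingSize < 0.1 * t;
  return [d.isParentalControlled, sizeClass, lowSpace].join('|');
}

// Constructed population of eight devices; every raw value is distinct.
const devices = [
  { isParentalControlled: false, totalRecordingSize: 500 * GIB + 1,  availableRecordingSize: 250 * GIB },
  { isParentalControlled: false, totalRecordingSize: 1000 * GIB + 7, availableRecordingSize: 300 * GIB },
  { isParentalControlled: false, totalRecordingSize: 1500 * GIB + 3, availableRecordingSize: 1000 * GIB },
  { isParentalControlled: false, totalRecordingSize: 1200 * GIB + 11, availableRecordingSize: 600 * GIB },
  { isParentalControlled: true,  totalRecordingSize: 2000 * GIB + 5, availableRecordingSize: 100 * GIB },
  { isParentalControlled: true,  totalRecordingSize: 4000 * GIB + 9, availableRecordingSize: 50 * GIB },
  { isParentalControlled: true,  totalRecordingSize: 3000 * GIB + 2, availableRecordingSize: 20 * GIB },
  { isParentalControlled: true,  totalRecordingSize: 2500 * GIB + 4, availableRecordingSize: 10 * GIB },
];

// Returns the bits of entropy each design leaks over the given population.
function compareEntropy(population) {
  return {
    raw: entropyBits(population.map(rawFingerprint)),       // 3 bits: all 8 devices distinct
    coarse: entropyBits(population.map(coarseFingerprint)), // 1 bit: only 2 distinguishable groups
  };
}
```

On the constructed population the raw attributes separate every device (3 bits), while the coarsened form leaves only two indistinguishable groups (1 bit); real populations would show a much larger gap, since exact byte counts are close to unique per device.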