Re: [webrtc-stats] Privacy & Security self review

Here is a first stab at reviewing the spec through the questionnaire for discussion tomorrow with @vr000m and @aboba.

I think the relevant [questions in the questionnaire](https://w3ctag.github.io/security-questionnaire/#questions) for this spec are:
* personally identifiable information
* persistent state
* cross-origin persistent state
* access to new data
* new exposure on local device configuration?
* temporary identifiers? (aplenty)
* 1st vs 3rd party? (exploitability by ads?)
* incognito mode?

(from my review the others are orthogonal to WebRTC stats).

In analyzing which data might expose new state, and in particular potential new cross-origin state, we should distinguish:
* data that is already exposed in WebRTC 1.0 (for which we should indicate similar fingerprinting concerns and invite similar mitigations)
* data that is uniquely exposed by WebRTC stats

One way also to think of the overall question is to look at 2 questions:
* whether and how can WebRTC stats be used to fingerprint the user in the absence of an actual WebRTC session?
* what can an adversary learn on the user's device once a connection is established? Is there a difference between an audio-video session vs a simple data channel session from that perspective?

Some more random notes on possible specific concerns:
* how closely have we looked at the impact of isolated media streams on WebRTC Stats? [WebRTC 1.0 has some high level guidance on the topic](http://w3c.github.io/webrtc-pc/webrtc.html#isolation-protection), but it's unclear to me whether it has been applied in practice to this spec. Also, it feels like a lot of data on the media content may leak through stats
* we're exposing both local and remote NTP clocks - I vaguely remember some concerns about that in other specs

-- 
GitHub Notification of comment by dontcallmedom
Please view or discuss this issue at https://github.com/w3c/webrtc-stats/issues/99#issuecomment-331979041 using your GitHub account

Received on Monday, 25 September 2017 18:57:40 UTC