Re: [mediacapture-main] Spec does no handle fingerprinting related to exposing non default capture devices (#559) from youennf via GitHub on 2019-01-22 (public-webrtc-logs@w3.org from January 2019)

From: youennf via GitHub <sysbot+gh@w3.org>
Date: Tue, 22 Jan 2019 17:50:53 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-456495781-1548179452-sysbot+gh@w3.org>

> As you mention, the spec already calls out the number of devices is a potential fingerprint. I believe the significance of outliers (fonts, dead pixels, uncommon configurations) is well known in the fingerprinting space

There are some evidence on the web that enumerateDevices is currently in use for fingerprinting purpose. If it seems useful for fingerprints, what is the benefit to allow this new fingerprinting vector and what do we forbid if we try removing this fingerprinting vector?

Two additional points:
1. Compared to other fingerprinting, devices might appear/disappear frequently and might be related to user activities.
2. It is not only about the number of devices, it is also about the three level of fingerprinting the current spec is defining:
a. never granted capture access: number of devices are exposed. can change over time.
b. granted capture access once: number of devices are exposed and individual device presence can be tracked.
c. capture is granted: everything is exposed.
The privacy section of the spec does not really points out the fingerprinting issues related to 'b', it only takes about 'a' and 'c'.

> FWIW, Firefox implements a `privacy.resistFingerprinting` preference used by the Tor browser (see [blog](https://www.ghacks.net/2018/03/01/a-history-of-fingerprinting-protection-in-firefox/) and [enumerateDevices specifics](https://bugzilla.mozilla.org/show_bug.cgi?id=1372073)), and was accomplished without changing or breaking the API.

That is nice. Why not making this kind of behavior the default then?
Or provide some guidance in the spec (privacy section maybe) on how to limit/prevent fingerprinting and the potential tradeoffs. The spec basically seems to imply an implementation model that allows fingerprinting.

For instance, the spec could explicitly state that, for privacy reasons, devices can be filtered and how it should be handled if at some point, the device is used for capture (trigger devicechange event).
The spec also does not say anything about how getUserMedia errors might leak information if one starts to filter devices to prevent fingerprinting.

-- 
GitHub Notification of comment by youennf
Please view or discuss this issue at https://github.com/w3c/mediacapture-main/issues/559#issuecomment-456495781 using your GitHub account

Received on Tuesday, 22 January 2019 17:50:55 UTC