
Re: [mediacapture-main] fixed, per origin, device ID creates tracking risk (#607)

From: pes via GitHub <sysbot+gh@w3.org>
Date: Fri, 26 Jul 2019 21:47:33 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-515609327-1564177652-sysbot+gh@w3.org>
@jan-ivar I'm not quite following the suggestion, because other cookies don't have a capped lifetime (HTTP-set cookies), and the cookie jar doesn't clear after 7 days, just the lifetime "at set" of each individual cookie is reduced, so it's not clear to me how any of this lines up with the text in the standard, which says `reset per-origin device identifiers when other persistent storage are cleared`.

The larger point, though, is that "device IDs should be cleared when cookies are cleared" is a necessary, but not sufficient, condition for protecting user privacy. Particularly as vendors are becoming more aggressive / thoughtful about ways of protecting user privacy that have nothing to do with clearing other persistent storage.

> Double-keying deviceIds without double-keying cookies would break #607 (comment).

I'm not following here. The narrow suggestion here isn't to drop the idea of a device ID, it's to make the device identifier not uniquely identifying. What functionality is lost by replacing UUIDs with, say, simple integers, and having the client keep track of

1) all observed devices (w/ a simple integer identifier for each one)
2) whether it's ever given permission for device X (likely a single-digit int, instead of a UUID) to site A

A privacy preserving application can just keep track of whether it has access to "3" (not privacy violating) instead of some globally unique device id (potentially privacy harming).

> In Firefox, we're considering some mitigations for enumerateDevices pre-gUM-grant but those are motivated more by the actual user system bits exposed, like number of cameras and number of microphones, not the id.

Sorry I let the above drop off. I think this is a fantastic idea, to the point that the standard is privacy harmful w/o it. Querying hardware capabilities w/o user permission is a hard line the standard can't allow. Is there a current issue tracking this concern, or would it be better to open a separate issue?

-- 
GitHub Notification of comment by snyderp
Please view or discuss this issue at https://github.com/w3c/mediacapture-main/issues/607#issuecomment-515609327 using your GitHub account
Received on Friday, 26 July 2019 21:47:35 UTC
