Re: [mediacapture-screen-share] Allow screen-captured applications to influence MediaStreamTrack.label (#159)

Everything in the capture - audio, video and label - is spoofable and therefore suspect. The capturing application should know this. It can only use the information in the tracks for insensitive purposes. For example - for analytics, where the occasional mistake, whether intentional or accidental, is unimportant. In this example, Google Meet can safely assume that **very** few websites try to sow confusion between Wikipedia and Britannica, and that the majority of the time `label="Wikipedia"` is captured, it's safe enough for Meet's analytics module to record it as "user shared Wikipedia." (Analytics by the capturing app; not by the browser. The browser has more visibility and certainty and needs no spec-changes here.)

I think opt-in for leaking title/origin/URL would be problematic. Here are my reservations with each option:
* **Title:** Could include personal information which is not otherwise visible. Note that the user could zoom in and/or scroll so as to control what is being shared, but cannot do so with the title. For example, an e-governance site could show the user's tax-payer ID in the title, because that's never been captured until now. Such a site would never opt-in to sharing a title, and that's a missed opportunity, as it would probably be OK with self-declaring as Skatteverket (Swedish tax authority), which is a relatively benign piece of information.
* **Origin:** Not informative enough if multiple distinct applications are served from the same origin. For example, Google Slides and Google Docs are both currently served from docs.google.com. As a second example, I could also imagine that WeChat or some other mega-app could want to serve **all** of their very different, highly-popular services from the same origin (maybe so as to easily bypass some cross-origin hardships).
* **URL**: Could expose GET parameters, etc. Even sites that make no use of these at the moment might be wary of opting-in to exposing something that could one day become a security/privacy leak.

One last reservation is comprehensibility and maintainability for websites. I think it's much easier for a site to understand "I am self-declaring X; it will always be X; these are the dangers of X" than to understand "I am opting-in to leaking X; we need to make sure it does not deviate in the future to Y; what are the dangers of X and Y?" (E.g. title currently does not contain tax-payer ID, and now we must make sure it never does.)

Above are my reservations about your counter-proposals. Do you have any reservations about my proposal which I have not yet addressed?


-- 
GitHub Notification of comment by eladalon1983
Please view or discuss this issue at https://github.com/w3c/mediacapture-screen-share/issues/159#issuecomment-815148010 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Wednesday, 7 April 2021 18:55:28 UTC
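The first paragraph of the comment above argues that a capturing application must treat a captured track's `label` as spoofable input and use it only for purposes where an occasional wrong value is harmless, such as aggregate analytics. The following is an added example of what that looks like on the capturing side; it is not code from the thread, the spec or any capturing application. The allow-list (`KNOWN_APPS`), the `classifyCapturedLabel` function, the `ShareAnalytics` class and the sample labels are all hypothetical, constructed for illustration; only `navigator.mediaDevices.getDisplayMedia` and `MediaStreamTrack.label` (shown in a comment) are real APIs.

```javascript
// Added example (not from the thread): the capturing application treats
// MediaStreamTrack.label as untrusted, spoofable input and uses it only for
// coarse analytics buckets. KNOWN_APPS, classifyCapturedLabel, ShareAnalytics
// and SAMPLE_LABELS are hypothetical names constructed for this example.

// Hypothetical allow-list of self-declared labels the analytics module cares
// about. Anything not on it is counted as "unknown" rather than recorded verbatim.
const KNOWN_APPS = new Map([
  ["wikipedia", "Wikipedia"],
  ["britannica", "Britannica"],
  ["google slides", "Google Slides"],
  ["google docs", "Google Docs"],
]);

const MAX_LABEL_LENGTH = 64;

// Map a raw, untrusted label to an analytics bucket. The return value is only
// ever used for counting; it is never used for an authorization or UI decision.
function classifyCapturedLabel(rawLabel) {
  if (typeof rawLabel !== "string") return "unknown";
  // Normalize before matching: Unicode compatibility form, trimmed,
  // whitespace collapsed, case-folded.
  const label = rawLabel.normalize("NFKC").trim().replace(/\s+/g, " ").toLowerCase();
  if (label.length === 0 || label.length > MAX_LABEL_LENGTH) return "unknown";
  // Labels that look like URLs, paths or query strings are never stored verbatim:
  // that is exactly the kind of data (GET parameters etc.) the comment warns about.
  if (/[:/?#=&]/.test(label)) return "unknown";
  return KNOWN_APPS.get(label) ?? "unknown";
}

class ShareAnalytics {
  constructor() {
    this.counts = new Map();
  }
  // Record one share event; returns the bucket it was counted under.
  record(rawLabel) {
    const bucket = classifyCapturedLabel(rawLabel);
    this.counts.set(bucket, (this.counts.get(bucket) ?? 0) + 1);
    return bucket;
  }
  snapshot() {
    return Object.fromEntries(this.counts);
  }
}

// In a browser the label would come from a display-capture track (not run here):
//   const stream = await navigator.mediaDevices.getDisplayMedia({ video: true });
//   analytics.record(stream.getVideoTracks()[0].label);

// Constructed sample labels standing in for what captured tracks might report,
// including spoofed and malformed values a capturing app must tolerate.
const SAMPLE_LABELS = [
  "Wikipedia",
  "  wikipedia ",                        // same app, sloppy formatting
  "Britannica",
  "https://example.test/doc?id=12345",   // URL-shaped: never recorded verbatim
  "<script>alert(1)</script>",           // arbitrary spoofed content
  "x".repeat(200),                       // oversized
  "Google Slides",
];

function runSample() {
  const analytics = new ShareAnalytics();
  for (const label of SAMPLE_LABELS) analytics.record(label);
  return analytics.snapshot();
}
```

Note that a spoofed label costs the capturing site at most one miscounted analytics event; nothing in the code grants, denies or displays anything based on the label, which is the property the comment relies on when it calls this use "safe enough".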