Re: [mediacapture-main] What is the purpose of requiring a successful gUM call before enumerateDevices? (#1019) from Jan-Ivar Bruaroey via GitHub on 2024-12-03 (public-webrtc-logs@w3.org from December 2024)

From: Jan-Ivar Bruaroey via GitHub <sysbot+gh@w3.org>
Date: Tue, 03 Dec 2024 22:16:35 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-2515662505-1733264192-sysbot+gh@w3.org>
> > FWIW, I do not think we can go back and weaken the privacy story.

I agree with this.

> Gating eD labels to permissions does not weaken the privacy story IMO. 

It weakens the privacy story: a non-conferencing website can obtain camera/mic access a single time for a seemingly benign reason like scanning a QR code or snapping a listing photo. Users who have granted persistent permission to such websites — the sole choice in Chrome release still — unwittingly allow those websites to delegate permission to third-parties to help fingerprint them. Having to call gUM deters this.

Also, it's not just labels anymore, but the number of cameras and microphones the user has as well.

> For example, Safari's model is already this one since permissions are ephemeral, so a UA can implement the same guarantees if it wishes to do so.

Firefox shouldn't have to remove its persistent permission feature to provide the same guarantees as Safari. Spec agrees.

> I would argue that forcing a gUM call can be detrimental to user privacy in some cases.
> 
> Consider the following case:
> 
> 1. A frequent user of a VC application has given persistent permissions to avoid being prompted frequently.

Use case error: we should solve for _all_ users, not just those who have persisted permission.

> 2. This user starts the browser, and instructs the VC to join a meeting with the camera and mic off for privacy reasons. But wants the ability to turn them on in the middle of the meeting.
> 
> 3. The user has several devices (e.g., two or more microphones or cameras)
> 
>4. In the middle of the meeting the user decides to participate in the meeting, but wants to select the right microphone and/or camera. This should occur without the UA prompting the user because the  user gave persistent permissions for all the media devices, so device selection occurs via an in-app device picker.

This is entirely solvable for all users, because a website can turn on camera or microphone ahead of transmission.

> Some examples:
> 
> * For Zoom I think it is the default for joining an existing meeting, and it is a prominent feature to start a new meeting with video off. For returning users with persistent permissions, device pickers are broken.

Said differently: For returning users, device pickers aren't populated. Why single out a pity-group? What you call "broken" is the behavior everyone else gets today.

We've discussed Zoom at length. Zoom is handling it, so calling it "breakage" seems a stretch. Preferential treatment is no longer given to a sub-group of users.

This can be a good thing, challenging websites to solve this without discriminating or weakening privacy.

Here's a [demo page](https://jan-ivar.github.io/dummy/gum_picker_muted_gum_cache.html) employing multiple strategies for some ideas (it caches devices and calls gUM on selection).

> * Whereby before joining a meeting presents a dialog to choose camera and microphone. On Firefox an extra click is required for returning users with persistent permissions to make an initial gUM call so that the device pickers can be initialized. On Chrome the user goes directly to the UI with the correct device pickers.

Invalid, as explained in https://github.com/web-platform-tests/interop/issues/849#issuecomment-2494785406. Whereby does not enumerate ahead of gUM.

> * On Dialpad meetings, you can configure it to start with camera/mic off. For returning users with persistent permissions it opens the camera/mic and closes it quickly in order to provide a good UI. In this case the application has to go against the user setting in order to respect the user's wishes. They choose the text carefully in the settings "Turn off camera while joining a meeting?" to inform the user that they actually open the camera. While working as intended in a strict sense, they should be able to do it without turning the camera off if that is the user's preference, but gUM-before-eD makes it impossible.

From this description it sounds unaffected? I can try it tomorrow.

> * Zoho.com has behavior similar to Whereby. An extra click is required on Firefox for returning users for the gUM call, presumably to be able to get device information. I didn't see pickers, though. This application can also remember a setting to have the camera off by default, but, like Dialpad, opens and closes the camera and mic quickly.

If it's similar to Whereby then it's invalid here.

> * According to [this documentation](https://support.microsoft.com/en-us/office/turn-off-automatic-video-in-a-call-in-microsoft-teams-a32bd419-00a4-4da6-898c-242b745a21c7), scheduled meetings on Microsoft Teams start with video off. I have not tried this feature, so not sure if it breaks, but it might.

I use MS teams in Firefox regularly. No breakage observed. Though I confess, like probably 99% of users I have just a single front-facing camera.

-- 
GitHub Notification of comment by jan-ivar
Please view or discuss this issue at https://github.com/w3c/mediacapture-main/issues/1019#issuecomment-2515662505 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Tuesday, 3 December 2024 22:16:36 UTC