Re: Towards a getUserMedia/enumerateDevices fingerprinting solution

Den 07.02.2019 19:05, skrev youenn fablet:
> As shown
> by https://www.chromestatus.com/metrics/feature/timeline/popularity/1119, enumerateDevices
> is probably used for fingerprinting purposes.

However, I'm not sure the data actually supports this.
I looked at the same data through another lens, and that showed the
usage to be almost flat over the last 3 months (somehow the 1-year graph
failed to show).

It's possible that the jumps in the top graph indicate when the counter
was rolled out, not when the feature started to be used.

The second graph shows an usage pattern that is falling, not rising -
again, it does not correlate with the graph above.

It would be great to have some verification that the usage of
enumerateDevices is indeed unrelated to the page potentially wanting to
use those devices.

> A thread started on GitHub
> (https://github.com/w3c/mediacapture-main/issues/559) to tackle this issue.
> 
> The editors are seeking feedback on the following assumptions.
> 
> 1. It is assumed that:
> - Leaking any fingerprinting information silently through
> enumerateDevices is an issue.

I am not certain there's any consensus here. The WG, when designing this
iteration of enumerateDevices, has formerly decided that leaking:

a) whether or not camera and/or microphone is present
b) the number of audio and video devices present
c) whether these devices are the same as when the page was previously
granted access to them (aka "device ID is stable")

is an acceptable amount of leakage.

> - Leaking any fingerprinting information silently through getUserMedia
> is an issue.
> - Leaking some fingerprinting information after a getUserMedia prompt is
> ok, even if user denied access.
> - Leaking all capture device information is ok if a web page is granted
> capture access.
> 
> 2. enumerateDevices is widely used to implement capture device pickers.
> Capture device pickers are usually showing previews of the capture device.
> It is assumed that:
> - In regular flows, enumerateDevices is called after getUserMedia access
> is granted.
> 
> 3. enumerateDevices may be used to check for microphone/camera existence
> If no microphone or camera is exposed in enumerateDevices, web sites
> might not call getUserMedia at all.
> Web sites can discover that capture devices are missing by checking for
> NotFoundError in case of getUserMedia promise rejection.
> It is assumed that:
> - Getting capture device presence through getUserMedia is good enough so
> that enumerateDevices might not be required to always accurately provide
> this information.
> 
> Any feedback most welcome,
> Y

Received on Sunday, 10 February 2019 15:48:06 UTC