Re: Towards a getUserMedia/enumerateDevices fingerprinting solution

On 02/11/2019 07:52 AM, youenn fablet wrote:
>> On Feb 10, 2019, at 7:47 AM, Harald Alvestrand <> wrote:
>> Den 07.02.2019 19:05, skrev youenn fablet:
>>> As shown
>>> by, enumerateDevices
>>> is probably used for fingerprinting purposes.
>> However, I'm not sure the data actually supports this.
>> I looked at the same data through another lens, and that showed the
>> usage to be almost flat over the last 3 months (somehow the 1-year graph
>> failed to show).
>> It's possible that the jumps in the top graph indicate when the counter
>> was rolled out, not when the feature started to be used.
>> The second graph shows an usage pattern that is falling, not rising -
>> again, it does not correlate with the graph above.
>> It would be great to have some verification that the usage of
>> enumerateDevices is indeed unrelated to the page potentially wanting to
>> use those devices.
> From my reading of, enumerateDevices is used on 1.8% of the pages while getUserMedia is used on less than 0.01% of the pages.
> We also have internal evidence that web sites that are never calling getUserMedia are calling enumerateDevices.
> My suspicion is that they are doing so to fingerprint users.

So is mine. However, if we have decided that a certain amount of leakage
is acceptable, that means that we have to accept it when it's being used
for fingerprinting - the fact that it's being used isn't, per se, an
indication that our call was wrong.

If we decide that the leakage is not acceptable, we have to change it.

(note - there's evidence that those who track users continue to leave
stuff in their code even if it's not effective in returning a
fingerprint. It's cheaper to collect everything than to remove what
doesn't work any more.)

Note - so far we've been 3 people on this thread. I'd like to hear other

Received on Monday, 11 February 2019 14:38:44 UTC