Re: Towards a getUserMedia/enumerateDevices fingerprinting solution

On 2/11/19 9:38 AM, Harald Alvestrand wrote:
> On 02/11/2019 07:52 AM, youenn fablet wrote:
>>> On Feb 10, 2019, at 7:47 AM, Harald Alvestrand <harald@alvestrand.no> wrote:
>>>
>>> On 07.02.2019 19:05, youenn fablet wrote:
>>>> As shown
>>>> by https://www.chromestatus.com/metrics/feature/timeline/popularity/1119, enumerateDevices
>>>> is probably used for fingerprinting purposes.
>>> However, I'm not sure the data actually supports this.
>>> I looked at the same data through another lens, and that showed the
>>> usage to be almost flat over the last 3 months (somehow the 1-year graph
>>> failed to show).
>>>
>>> It's possible that the jumps in the top graph indicate when the counter
>>> was rolled out, not when the feature started to be used.
>>>
>>> The second graph shows a usage pattern that is falling, not rising -
>>> again, it does not correlate with the graph above.
>>>
>>> It would be great to have some verification that the usage of
>>> enumerateDevices is indeed unrelated to the page potentially wanting to
>>> use those devices.
>>  From my reading of https://www.chromestatus.com, enumerateDevices is used on 1.8% of the pages while getUserMedia is used on less than 0.01% of the pages.
>> We also have internal evidence that web sites that are never calling getUserMedia are calling enumerateDevices.
>> My suspicion is that they are doing so to fingerprint users.
> So is mine. However, if we have decided that a certain amount of leakage
> is acceptable, that means that we have to accept it when it's being used
> for fingerprinting - the fact that it's being used isn't, per se, an
> indication that our call was wrong.
>
> If we decide that the leakage is not acceptable, we have to change it.
>
> (note - there's evidence that those who track users continue to leave
> stuff in their code even if it's not effective in returning a
> fingerprint. It's cheaper to collect everything than to remove what
> doesn't work any more.)
>
> Note - so far we've been 3 people on this thread. I'd like to hear other
> voices.


I'd like to throw Mozilla's support behind this. Firefox already 
implements a privacy.resistFingerprinting pref to limit 
enumerateDevices() exposure as part of the TOR project [1]. Concerned by 
the data Youenn mentions, we are looking to enable these protections for 
more of our users [2], ideally without sacrificing device selection 
after getUserMedia grant. Clarifications from the spec on how to do this 
compatibly would be welcome.

5 years since this was designed, I think we all have more information on 
how web sites use media capture and WebRTC. We've also seen how 
fingerprinting libraries make their way into even legitimate sites. 
Given this, I think it's fair to ask for examples of actual sites that 
stand to break from the limitations Youenn is proposing.

[1] https://www.ghacks.net/2018/03/01/a-history-of-fingerprinting-protection-in-firefox/
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1528042

.: Jan-Ivar :.

Received on Wednesday, 27 February 2019 04:54:48 UTC
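
The pattern raised in this thread (pages that call enumerateDevices() but never getUserMedia()) can be measured with a small audit wrapper. This is an added example, not code from the thread or from any browser; `auditMediaDevices`, its verdict strings and the fake device object are hypothetical and constructed for illustration. In a browser, `navigator.mediaDevices` would be passed in place of the fake.

```javascript
// Added example: `auditMediaDevices` and its verdict strings are hypothetical names.
function auditMediaDevices(mediaDevices) {
  const log = { enumerateCalls: 0, enumerateBeforeGrant: 0, gumCalls: 0, gumGrants: 0 };
  const origEnumerate = mediaDevices.enumerateDevices.bind(mediaDevices);
  const origGum = mediaDevices.getUserMedia.bind(mediaDevices);

  mediaDevices.enumerateDevices = function () {
    log.enumerateCalls++;
    // Enumeration before any capture grant is the exposure the thread discusses.
    if (log.gumGrants === 0) log.enumerateBeforeGrant++;
    return origEnumerate();
  };
  mediaDevices.getUserMedia = async function (constraints) {
    log.gumCalls++;
    const stream = await origGum(constraints); // rejects when capture is denied
    log.gumGrants++;
    return stream;
  };

  return {
    log,
    verdict() {
      if (log.enumerateCalls === 0) return log.gumCalls ? "capture-only" : "unused";
      if (log.gumCalls === 0) return "enumerate-without-capture";
      return log.enumerateBeforeGrant ? "enumerate-before-grant" : "enumerate-after-grant";
    },
  };
}

// Constructed stand-in for navigator.mediaDevices so the example runs outside a browser.
function makeFakeMediaDevices() {
  return {
    async enumerateDevices() { return [{ kind: "audioinput", deviceId: "", label: "" }]; },
    async getUserMedia() { return { id: "constructed-stream" }; },
  };
}

// Constructed page behaviour: lists devices but never requests capture.
function demoEnumerateOnly() {
  const fake = makeFakeMediaDevices();
  const audit = auditMediaDevices(fake);
  fake.enumerateDevices();
  return audit.verdict();
}

console.log(demoEnumerateOnly());
```
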