Re: Towards a getUserMedia/enumerateDevices fingerprinting solution

On 2/11/19 9:38 AM, Harald Alvestrand wrote:
> On 02/11/2019 07:52 AM, youenn fablet wrote:
>>> On Feb 10, 2019, at 7:47 AM, Harald Alvestrand <> wrote:
>>> Den 07.02.2019 19:05, skrev youenn fablet:
>>>> As shown
>>>> by, enumerateDevices
>>>> is probably used for fingerprinting purposes.
>>> However, I'm not sure the data actually supports this.
>>> I looked at the same data through another lens, and that showed the
>>> usage to be almost flat over the last 3 months (somehow the 1-year graph
>>> failed to show).
>>> It's possible that the jumps in the top graph indicate when the counter
>>> was rolled out, not when the feature started to be used.
>>> The second graph shows an usage pattern that is falling, not rising -
>>> again, it does not correlate with the graph above.
>>> It would be great to have some verification that the usage of
>>> enumerateDevices is indeed unrelated to the page potentially wanting to
>>> use those devices.
>>  From my reading of, enumerateDevices is used on 1.8% of the pages while getUserMedia is used on less than 0.01% of the pages.
>> We also have internal evidence that web sites that are never calling getUserMedia are calling enumerateDevices.
>> My suspicion is that they are doing so to fingerprint users.
> So is mine. However, if we have decided that a certain amount of leakage
> is acceptable, that means that we have to accept it when it's being used
> for fingerprinting - the fact that it's being used isn't, per se, an
> indication that our call was wrong.
> If we decide that the leakage is not acceptable, we have to change it.
> (note - there's evidence that those who track users continue to leave
> stuff in their code even if it's not effective in returning a
> fingerprint. It's cheaper to collect everything than to remove what
> doesn't work any more.)
> Note - so far we've been 3 people on this thread. I'd like to hear other
> voices.

I'd like to throw Mozilla's support behind this. Firefox already 
implements a privacy.resistFingerprinting pref to limit 
enumerateDevices() exposure as part of the TOR project [1]. Concerned by 
the data Youenn mentions, we are looking to enable these protections for 
more of our users [2], ideally without sacrificing device selection 
after getUserMedia grant. Clarifications from the spec on how to do this 
compatibly would be welcome.

5 years since this was designed, I think we all have more information on 
how web sites use media capture and WebRTC. We've also seen how 
fingerprinting libraries make their way into even legitimate sites. 
Given this, I think it's fair to ask for examples of actual sites that 
stand to break from the limitations Youenn is proposing.


.: Jan-Ivar :.

Received on Wednesday, 27 February 2019 04:54:48 UTC