[Privacy] Fingerprinting Based on outputLatency #1498

Closed
jasonanovak opened this issue Feb 16, 2018 · 9 comments
Labels
privacy-tracker Group bringing to attention of Privacy, or tracked by the Privacy Group but not needing response.

@jasonanovak

As this value "depends on the platform and the connected hardware audio output device" it can be used to determine what device is being used to render the webpage and thus provides fingerprint capabilities. One way to mitigate this would be to either describe the latency using a defined set of enums or a set of defined outputLatency values.

@rtoy added the Needs Discussion and privacy-tracker labels Feb 16, 2018
@rtoy
Member

rtoy commented Feb 20, 2018

baseLatency may have a similar issue since it returns a number that depends on the OS and audio output device as well as the value of latencyHint.

@mdjp added this to the Web Audio V1 milestone Feb 26, 2018
@svgeesus
Contributor

svgeesus commented Mar 8, 2018

Rounding up to the nearest enum would greatly increase the latency. Mostly, feedback is that people want to minimise the latency or (for live work) have the exact latency.

@svgeesus
Contributor

svgeesus commented Mar 8, 2018

@rtoy
Member

rtoy commented Mar 9, 2018

The purpose of baseLatency and outputLatency is to allow the developer to synchronize (possibly) the audio generated by WebAudio to other audio or video sources.

It's probably ok to reduce the accuracy of values to a few milliseconds, say no more than 5. That's probably good enough to synchronize things for musical applications, but I think if you're playing sine tones, you will hear some beating effect.

But I'm not an audio sound/studio engineer.

@hoch
Member

hoch commented Mar 9, 2018

I thought the purpose of baseLatency is to compensate the drift between the visual change (e.g. UI) and the audio stream produced by the system. So this supposedly should not be fed back into the audio processing. @rtoy What do you mean by the beating effect?

@rtoy
Member

rtoy commented Mar 9, 2018

That's getOutputTimestamp. baseLatency is for telling you how much internal buffering is being done by WebAudio.

If you're playing a video that has a sine tone, and you want webaudio to use an oscillator to produce the same tone, the difference in time stamps could cause the tones to be out of phase. I guess it wouldn't beat, but you could get constructive or destructive interference.

@svgeesus
Contributor

The spec now says:

Fingerprinting via latency is also possible; it might be possible to deduce this from baseLatency and outputLatency. Mitigation strategies include adding jitter (dithering) and quantization so that the exact skew is incorrectly reported. Note however that most audio systems aim for low latency, to synchronise the audio generated by WebAudio to other audio or video sources or to visual cues (for example in a game, or an audio recording or music making environment). Excessive latency decreases usability and may be an accessibility issue.
https://webaudio.github.io/web-audio-api/#priv-sec

@svgeesus
Contributor

@jasonanovak Does that wording satisfy your concern?

@mdjp removed the Needs Discussion label Mar 27, 2018
@jasonanovak
Author

Yes, thanks.
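
Added example, not part of the thread, the spec, or any browser's implementation: a sketch of the quantization mitigation discussed above, showing how coarser reporting steps merge devices into larger groups and what that costs in phase accuracy for the sine-tone case raised in the thread. The function names and the sample latencies are constructed for illustration; jitter is not covered.

```javascript
// Constructed sample: output latencies (seconds) for eight hypothetical
// device/OS combinations. Not measurements of real hardware.
const SAMPLE_LATENCIES = [0.0053, 0.0107, 0.0116, 0.0213, 0.0232, 0.0427, 0.0464, 0.128];

// Round a latency to the nearest multiple of stepMs before exposing it.
// The 5 ms default is the upper bound suggested in the thread.
function quantizeLatency(seconds, stepMs = 5) {
  if (!Number.isFinite(seconds) || seconds < 0) return 0;
  if (!(stepMs > 0)) throw new RangeError("stepMs must be positive");
  return (Math.round((seconds * 1000) / stepMs) * stepMs) / 1000;
}

// Group devices by the value a page would actually read. Larger groups mean
// the value says less about which device is in use.
function anonymitySets(latencies, stepMs) {
  const sets = new Map();
  for (const s of latencies) {
    const key = quantizeLatency(s, stepMs).toFixed(3);
    sets.set(key, (sets.get(key) || 0) + 1);
  }
  return sets;
}

// Cost of the mitigation: the reported value can be off by up to stepMs / 2,
// which for a sine at freqHz is a phase error of up to this many degrees
// (capped at 180, i.e. opposite phase relative to a reference tone).
function worstCasePhaseErrorDeg(freqHz, stepMs = 5) {
  return Math.min(180, 360 * freqHz * (stepMs / 2 / 1000));
}

console.log("distinct raw values:", new Set(SAMPLE_LATENCIES).size);
for (const step of [1, 5, 20]) {
  console.log(`step ${step} ms ->`, Object.fromEntries(anonymitySets(SAMPLE_LATENCIES, step)));
}
console.log("phase error at 50 Hz:", worstCasePhaseErrorDeg(50), "deg");
console.log("phase error at 440 Hz:", worstCasePhaseErrorDeg(440), "deg");
```

On this sample a 5 ms step still leaves six distinguishable values out of eight, while already allowing a 440 Hz tone to land in opposite phase, which is the trade-off the thread and the spec text describe.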
