Re-evaluate security & privacy text assumptions about HW connections

[noamr]

https://webaudio.github.io/web-midi-api/#security-and-privacy-considerations-of-midi:

"Few systems will have significant numbers of MIDI devices attached; those systems that do will typically use hardware MIDI interfaces, not fanning out a dozen USB-MIDI connections through USB hubs."

In my personal experience as someone who uses MIDI a lot, this is an incorrect statement and the privacy considerations are based on it. Today's MIDI devices come with a USB connection, sometimes with their own USB-based software plugin, and often without a hardware MIDI interface at all. I personally have 5 MIDI devices connected via USB. Note that the text doesn't specify what "significant number" is but I believe a significant portion of MIDI users today would be uniquely identifiable based on their USB-connected MIDI interfaces.

I believe the text should be made more accurate and present a link to the data it's based off, or the privacy considerations based on it should be re-examined or reworded.

[cwilso]

This assumption should definitely be removed - it was written over a decade ago, and I expect the "usual" setup has changed as well. (My own personal studio has certainly changed to a blend of MIDI interfaces and direct
USB-MIDI interfaces in that time.). This text should definitely be updated.

I will say, however, that the net conclusion is likely very much the same - "The vast majority of systems have relatively few MIDI interfaces attached" - but this text should be examined again. Thanks for filing.

[noamr]

This assumption should definitely be removed - it was written over a decade ago, and I expect the "usual" setup has changed as well. (My own personal studio has certainly changed to a blend of MIDI interfaces and direct USB-MIDI interfaces in that time.). This text should definitely be updated.

Great! Thanks for the quick response.

I will say, however, that the net conclusion is likely very much the same - "The vast majority of systems have relatively few MIDI interfaces attached" - but this text should be examined again. Thanks for filing.

"Relatively few": Relatively to what and based off what statistics? I concede that relatively to the users of the internet few would have MIDI devices at all and would visit WebMIDI sites... but I believe that (arguably) most people who will actively use WebMIDI sites would have slightly different USB-connected MIDI-device setups which would make them uniquely identifiable.

[cwilso]

The wording is a bit off, yes. It should really say something like "The vast majority of sites will have no MIDI devices attached at all." Of those that do, the probability will decrease in inverse proportion to the number of devices (identifiers). (I looked at data on this a long, long time ago, and fresh data should be examined before defining an answer here.) I doubt most systems will be unique - unless you've got lots of devices connected (like I do) - but that's based on a feeling, and someone needs to look at data before relying on that.

At any rate, we have been moving quickly to a user permission requirement for ANY access to MIDI devices (even enumeration), which should help mitigate any fingerprinting concerns.

[noamr]

The wording is a bit off, yes. It should really say something like "The vast majority of sites will have no MIDI devices attached at all." Of those that do, the probability will decrease in inverse proportion to the number of devices (identifiers). (I looked at data on this a long, long time ago, and fresh data should be examined before defining an answer here.) I doubt most systems will be unique - unless you've got lots of devices connected (like I do) - but that's based on a feeling, and someone needs to look at data before relying on that.

At any rate, we have been moving quickly to a user permission requirement for ANY access to MIDI devices (even enumeration), which should help mitigate any fingerprinting concerns.

Even with two devices you can quickly get to close-to-unique identifiers... For example my sound-card has a MIDI interface and I have a limited edition synth. I'm sure just having these two together somewhat uniquely identifies me, or puts me in a very small group.

Not sure if "more permission prompts" is the solution but I'd love to see it when it comes.

[hoch]

Teleconference 4/6:
Replace

Few systems will have significant numbers of MIDI devices attached; those systems that do will typically use hardware MIDI interfaces, not fanning out a dozen USB-MIDI connections through USB hubs.

with

The vast majority of systems have relatively few MIDI interfaces attached.

[mjwilson-google]

The text "The vast majority of systems have relatively few MIDI interfaces attached." currently exists at the end of this paragraph. The main point seems to be drawing a similarity with the Gamepad API. We could remove most of the text about hardware interfaces now, but I think I would like to come back to this after splitting the privacy and security sections as part of work in #185

[cwilso]

That sounds good.

For reference, the point of stating this ("those systems that do [have lots of MIDI devices attached] will typically use hardware MIDI interfaces, not fanning out a dozen USB-MIDI connections through USB hubs.") was that a single 8x8 MIDI interface attached to USB will only show up as one device-with-an-identifying name (with multiple MIDI synths connected, of course, but you can't query them to see what's attached in any uniform way, or at all without sysex). If, on the other hand, you had 8 different USB-MIDI devices attached, you're getting 8x as much unique fingerprint surface area.

I'm not sure at all that it's true that multiport DIN-MIDI interfaces are more common that USB hubs anymore, anyway, so it's fine to drop this.