Privacy & Security self review #99
Comments
Hello! I'm sure this will come up in your self-review, but I'd be interested in hearing your thoughts on if/how you think this feature might expand the fingerprinting surface area for identifying a browser/user. (Whenever you're ready to address this. No rush here!)
There are a few words in https://w3c.github.io/webrtc-stats/#security-considerations (calling out IP addresses as a consideration). There are other attributes that will expand fingerprinting surface (such as codec implementation strings). I don't see how much mitigation we can do here, either - these stats are all needed for operation of services.
Thanks for the quick response, @alvestrand! We will look forward to seeing more detail in your response to the privacy and security questionnaire. We are interested in things like whether the latency exposed by We do understand that mitigations can be tricky. It might be helpful to have different levels of statistics based on the privacy invasiveness... for example, the media-layers stats might be different to the transport-layer stats? Where mitigation isn't possible, exposing all the unmitigated threats in the spec will help implementers make informed decisions about how to present them to users.
Hi all — we are meeting again and checking on the progress of things. How is this going? Can we help at all?
@dontcallmedom Hello! We're just looking at this in our TAG review. It seems that no one is assigned to it... should there be someone? We're not sure who to work with. Thanks for any help. :)
The chairs, editors and I plan on getting a first stab at the self review in the upcoming few weeks.
That's great, @dontcallmedom. Thanks for the quick reply! We'll check in with you after that then.
Here is a first stab at reviewing the spec through the questionnaire for discussion tomorrow with @vr000m and @aboba. I think the relevant questions in the questionnaire for this spec are:
(from my review the others are orthogonal to WebRTC stats). In analyzing which data might expose new state, and in particular potential new cross-origin state, we should distinguish:
One way also to think of the overall question is to look at 2 questions:
Some more random notes on possible specific concerns:
Here is my stab at filling the questionnaire and completing the security section based on it: #251
Closed by #251
It would be good to review the document through the privacy & security questionnaire - this would in particular help for the wide review of the document pre-CR.