Fingerprinting section could be improved #238
Description
The specification has a privacy section which mentions issues like fingerprinting based on capabilities and identifying underlying codecs. The specification does not provide much guidelines for mitigations except to piggy-back on a 'privacy budget' which is not really specified. It seems additional efforts and thoughts could be put on fingerprinting removal/mitigation strategies.
Also the spec says that: 'Much of this profile is already exposed by existing APIs'.
This is not really true. For instance we are trying to remove leaks from WebRTC specs (see w3c/webrtc-stats#550 for instance) and some implementations do not expose values for that very reason.
WebCodec is also currently exposing hardware/software which is not exposed in Media Capabilities (powerEfficient != hardware acceleration).
There are other potential fingerprinting issues that should probably be described and discussed:
- Timing information might further allow identify user behavior (side channel information, especially with SW codecs)
- A web page in the background might be able from time to time to try encoding/decoding video and see whether it can get access to hardware codecs. If it is not able to get hardware capabilities, it might mean the user is in a call.
- If encoders/decoders use buffer pools with a max size, retaining video samples might allow getting that information which might be hardware/OS specific
It would be desirable for the spec to exhaustively list fingerprinting issues and potential mitigations.
It would be desirable to set some goals on what to achieve in terms of fingerprinting. Neutral would be great.
It would for instance be desirable to be able to implement this API with the necessary mitigations so that this API does not help differentiating devices like Mac mini vs. MacPro vs. MacBookPro.