Privacy issue: is it a good idea to let webapps lie about camera/mic ON/OFF on a user's lock screen? #279
Comments
|
Original discussion in #264. I agree with the concerns here. This may be a naive question, but why does the page need to handle these actions, rather than the UA handling them and notifying the page of the new camera / microphone state? |
|
@chrisn an excellent question. To simplify, let's look only at the microphone dimension (camera is symmetrical): Only Safari implements user agent mic-mute atm, and web apps can listen to mute and unmute events to react. But a generalized solution requires solving the double-mute problem w3c/mediacapture-extensions#39 with better integration. If we solve that, then yes, we could have lock screen cam/mic toggles that worked that way instead (with teeth). But it would require better integration with video conferencing apps, because:
IOW if you're on a call, these apps would need to integrate their current "don't send audio" state to match the UA mic state, so that participants immediately hear you when you turn on mic from the lock screen, and not have a separate state for that. |
|
This came again when discussing w3c/mediacapture-extensions#39. |
|
The intended use is for the app to maintain state and update it in response to UA "toggle"s. An abbreviated example 6: let isMicrophoneActive = false;
navigator.mediaSession.setActionHandler("togglemicrophone", () => {
navigator.mediaSession.setMicrophoneActive(isMicrophoneActive = !isMicrophoneActive);
// Hope the app actually mutes or unmutes the microphone.
});The privacy issue is
Or is that an implementation detail? (e.g. if it has user attention and transient activation, maybe it just works, raises a toast message, or a prompt?) |
How do you know what the initial state is? |
|
Would the note from #312 be sufficient:
|
Quiz:
If a browser implements this spec verbatim, they can.
togglecamera and togglemicrophone are misnomers: they don't limit camera or microphone access to the webapp at all. Instead they let any webapp control what the lock screen says about the user's microphone and camera, whether true or not.
This seems concerning from a privacy perspective.
It's useful: it lets well-behaved video conferencing apps show on your lock screen that you're on a call right now and whether participants can hear and see you or not (hopefully not if you've arrived in this situation).
But the spec needs to call this out in its Privacy and Security Considerations which doesn't mention this.
Also, some of these risks were hard to make out in the current rosy prose:
"The setMicrophoneActive(active) and setCameraActive(active) methods indicate to the user agent whether the microphone and camera are currently considered by the page to be active (e.g. if the microphone is considered "muted" by the page since it is no longer sending audio through to a call, then the page can invoke setMicrophoneActive(false))."
This "e.g." suggests the page is no longer sending audio through a call, and "then" can invoke setMicrophoneActive(false)). As normative language, this is confusing. It should be a note. Also, the fact that the page can invoke setMicrophoneActive(false) at any time with any value it wants, also seems worth mentioning.
"The user agent MAY display UI which invoke the handlers for the togglemicrophone and togglecamera media session actions, and it is RECOMMENDED that the user agent respect the microphone and camera states indicated by the page in this UI."
It might be better to RECOMMEND the user agent not overstate the significance of these web application states and their correspondence to reality.
The text was updated successfully, but these errors were encountered: