The following documents provide guidance regarding user privacy: the Self-Review Questionnaire and the Fingerprinting Guidance document. Considering first the Self-Review Questionnaire, although "it is not meant as a 'security checklist'", I found it useful to go through the list of questions:
Does this specification deal with personally-identifiable information?
I don't think so, but I'm not an expert on what constitutes PII.
Does this specification introduce new state for an origin that persists across browsing sessions?
No.
Does this specification expose persistent, cross-origin state to the web?
Yes:
TVManager provides access (via the TVTuner and TVSource objects) to the list of channels available on the device, which exposes the type of service the user has access to (or has subscribed to, which may include encrypted services). Although the spec doesn't explicitly say so, the expectation is that the channel list is persisted on the device.
TVManager provides CI card information, including the CA System ID, which exposes which encryption schemes are available in the device.
TVManager provides access to the list of TV recordings the user has made.
TVManager also has several attributes that can be used for fingerprinting: isParentalControlled, totalRecordingSize, and availableRecordingSize.
Does this specification expose any other data to an origin that it doesn't currently have access to?
Other than the data mentioned above, no.
Does this specification enable new script execution/loading mechanisms?
No.
Does this specification allow an origin access to a user's location?
Not with a great degree of precision. A broad geographic location (country or region) could be inferred from the list of channels available.
Does this specification allow an origin access to sensors on a user's device?
Yes, if we regard tuners as being sensors.
Does this specification allow an origin access to aspects of a user's local computing environment?
No.
Does this specification allow an origin access to other devices?
No.
Does this specification allow an origin some measure of control over a user agent's native UI?
No.
Does this specification expose temporary identifiers to the web?
Yes, the TVChannel, TVProgram and TVRecording objects all include identifiers.
Does this specification distinguish between behavior in first-party and third-party contexts?
No.
How should this specification work in the context of a user agent's "incognito" mode?
This is to be determined.
Does this specification persist data to a user's local device?
Yes. The channel list, the parental control flag and the PIN code to unlock parental control are all persisted on the device.
Does this specification have a "Security Considerations" and "Privacy Considerations" section?
Not yet, but this is something we should do.
Does this specification allow downgrading default security characteristics?
No.
The Fingerprinting Guidance document describes a number of best practices that should be applied to the TV Control API spec:
Best Practice 1: Avoid unnecessary increases to the surface for passive fingerprinting.
Best Practice 2: Prefer functionally-comparable designs that don't increase the surface for active fingerprinting.
Best Practice 3: Mark features that contribute to fingerprintability.
Best Practice 4: Specify orderings and non-functional differences.
Best Practice 5: Design APIs to access only the entropy necessary.
Best Practice 6: Enable graceful degradation for privacy-conscious users or implementers.
Best Practice 7: Avoid unnecessary new cookie-like local state mechanisms.
Best Practice 8: Highlight any local state mechanisms to enable simultaneous clearing.
All of this suggests to me that we should carefully consider the data that the API exposes, and consider alternatives that reduce the fingerprinting surface.
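To make the fingerprinting concern concrete, here is an added example (it is not part of the review above or of the TV Control API spec) that combines the attributes listed in the questionnaire answers into a fingerprint and measures, over a constructed population of devices, how much entropy a coarser design in the spirit of Best Practice 5 removes. The device records are constructed sample data, the object shape is an assumption (only the attribute names come from the discussion), and the `reducedSurface` design is a hypothetical alternative, not something the spec proposes.

```javascript
// Constructed sample of what TVManager exposes per device. Attribute names follow the
// review above; the record shape and all values are assumptions for this example.
const SAMPLE_DEVICES = [
  { channels: ["BBC One", "BBC Two", "ITV"],              caSystemId: 0x0b00, isParentalControlled: false, totalRecordingSize: 500e9,  availableRecordingSize: 123e9 },
  { channels: ["BBC One", "BBC Two", "ITV"],              caSystemId: 0x0b00, isParentalControlled: false, totalRecordingSize: 500e9,  availableRecordingSize: 98e9 },
  { channels: ["BBC One", "BBC Two", "ITV", "Channel 4"], caSystemId: 0x0b00, isParentalControlled: true,  totalRecordingSize: 1000e9, availableRecordingSize: 640e9 },
  { channels: ["ARD", "ZDF"],                             caSystemId: 0x1800, isParentalControlled: true,  totalRecordingSize: 500e9,  availableRecordingSize: 77e9 },
  { channels: ["ARD", "ZDF", "RTL"],                      caSystemId: 0x1800, isParentalControlled: false, totalRecordingSize: 250e9,  availableRecordingSize: 12e9 },
  { channels: ["ARD", "ZDF"],                             caSystemId: 0x0500, isParentalControlled: false, totalRecordingSize: 250e9,  availableRecordingSize: 3e9 },
  { channels: ["BBC One", "BBC Two"],                     caSystemId: 0x0b00, isParentalControlled: false, totalRecordingSize: 250e9,  availableRecordingSize: 40e9 },
  { channels: ["BBC One", "BBC Two", "ITV"],              caSystemId: 0x0b00, isParentalControlled: false, totalRecordingSize: 250e9,  availableRecordingSize: 49e9 },
];

// FNV-1a 32-bit hash, inlined so the example has no dependencies; any stable hash would do.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// What a page could read under the current design: every attribute, verbatim.
function fullSurface(d) {
  return {
    channels: d.channels,
    caSystemId: d.caSystemId,
    isParentalControlled: d.isParentalControlled,
    totalRecordingSize: d.totalRecordingSize,
    availableRecordingSize: d.availableRecordingSize,
  };
}

// A hypothetical functionally-comparable design that exposes less entropy: the page learns
// only that a tuner exists, the parental-control state it needs to adapt its UI, and a
// coarse free-space bucket instead of byte-exact sizes. Channel list and CA System ID are
// not readable at all (a real design might gate them behind a user choice instead).
function reducedSurface(d) {
  return {
    hasTuner: d.channels.length > 0,
    isParentalControlled: d.isParentalControlled,
    freeSpace: d.availableRecordingSize < 50e9 ? "low" : "ok",
  };
}

// Key order in the surface objects is fixed, so JSON.stringify gives a stable encoding.
function fingerprint(surface) {
  return fnv1a(JSON.stringify(surface));
}

// Shannon entropy (bits) of the fingerprint over a population: how many bits an attacker
// learns about which device they are talking to.
function entropyBits(devices, surfaceFn) {
  const counts = new Map();
  for (const d of devices) {
    const fp = fingerprint(surfaceFn(d));
    counts.set(fp, (counts.get(fp) || 0) + 1);
  }
  let h = 0;
  for (const n of counts.values()) {
    const p = n / devices.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Number of devices in the population that are distinguishable from every other one.
function distinctFingerprints(devices, surfaceFn) {
  return new Set(devices.map((d) => fingerprint(surfaceFn(d)))).size;
}

console.log("full surface:    ", distinctFingerprints(SAMPLE_DEVICES, fullSurface), "distinct,",
            entropyBits(SAMPLE_DEVICES, fullSurface).toFixed(2), "bits");
console.log("reduced surface: ", distinctFingerprints(SAMPLE_DEVICES, reducedSurface), "distinct,",
            entropyBits(SAMPLE_DEVICES, reducedSurface).toFixed(2), "bits");
```

With the full surface every one of the eight constructed devices is uniquely identifiable (3 bits, the maximum for a population of eight), because byte-exact recording sizes alone separate otherwise identical devices. The reduced surface collapses them to three groups (1.5 bits), and the remaining entropy comes from the parental-control flag and the free-space bucket, both of which a page has a functional reason to read. The same measurement can be rerun against any candidate design for the API to check that it only exposes the entropy it actually needs.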