RTC Accessibility User Requirements

[pes10k]

Spec - https://w3c.github.io/apa/raur/

[NalaGinrut]

This privacy review is a little different since it's not a specific issue review. The RTC Accessibility User Requirements document not a specific API description. So the plan is to check specific features of the API which is described in this document.

It may not be a fast review. I'll update each time I finish a review.

[pes10k]

understood, thanks!

[NalaGinrut]

Here're the related review and the result. Nothing means no notable things need to be reviewed.

• [x] WebRTC DSCP Control API -- Nothing

• [x] Identifiers for WebRTC's Statistics API -- See results

[NalaGinrut]

Identifiers for WebRTC's Statistics API

1. The statistics may contain privacy-sensitive information. The good part is that the result of getStats() is recommended not to be reused after deleted. However, it's better to suggest clean the cache after it's deleted explicitly. Although the current description is to prevent getStats() return status from deleted monitored object, I don't think it's enough since the cache (iff the implementation does it) must be cleaned immediately after the deletion.

2. The media source was defined in Media Capture and Streams : local video or audio file from the user's hard drive, network resource, or static image. I think it's fine for the definition, and the implementation details of media source depends on the browser (may or may not contain filename or URL name in the object), but the implementation of getStats() shouldn't return the URL or filename of the media source. At least it should be opt-in.

3. For RTCMediaSourceStats, its id is a implementation-defined DOMString. To protect privacy, I think it's better to suggest that the id generator algorithm should generate irreversible string of the URL or filename. This sounds out of the statistics API, but the exposure risk is in getStats().

4. The label of media source indicates the type of the source, for example, the USB camera. I'm not sure if it's worth to protect this information as a privacy concern. To myself, I think it's fine.

5. For the address of RTCIceCandidateStats, it indicates the IP address of the remote candidate. I think it's a privacy concern. It shouldn't appear in the statistics, and most users don't care about it at al.

6. For the url of RTCIceCandidateStats. For the local candidates, it's the server URL, and it's not present for the server. So I think it's just fine.

[pes10k]

hi @NalaGinrut thank you very much for all this! I think you've gone above and beyond! But the only item that needs to be reviewed here is the "Accessibility User Requirements" document; the entire WebRTC spec (which is enormous!) doesn't need another review. Just to save you some time :)

[NalaGinrut]

@pes10k OK, thanks for mention. Is rtc statistics API reviewed before?

[pes10k]

It has been, but not in a while I believe. I expect we'll / PING will be asked to review again soon, as the WebRTC folks want to transition soon. So, that work here is terrific, just ahead of the curve :)

[NalaGinrut]

RAUR is fine for privacy concerns since it's only requirements definition. I've reviewed some specific APIs related to it. Now I think it's OK to close as passed.

[sandandsnow]

Closing issue as the review has been undertaken.

(Note: there may still be outstanding privacy considerations identified in the review that have not yet been resolved. See https://github.com/w3cping/tracking-issues/issues)