Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Re-evaluate security & privacy text assumptions about HW connections #229

Closed
noamr opened this issue Feb 2, 2022 · 7 comments · Fixed by #268
Closed

Re-evaluate security & privacy text assumptions about HW connections #229

noamr opened this issue Feb 2, 2022 · 7 comments · Fixed by #268
Labels
category: editorial https://www.w3.org/policies/process/#class-2 Needs Edits https://speced.github.io/spec-maintenance/about/
Milestone

Comments

@noamr
Copy link

noamr commented Feb 2, 2022

https://webaudio.github.io/web-midi-api/#security-and-privacy-considerations-of-midi:

"Few systems will have significant numbers of MIDI devices attached; those systems that do will typically use hardware MIDI interfaces, not fanning out a dozen USB-MIDI connections through USB hubs."

In my personal experience as someone who uses MIDI a lot, this is an incorrect statement and the privacy considerations are based on it. Today's MIDI devices come with a USB connection, sometimes with their own USB-based software plugin, and often without a hardware MIDI interface at all. I personally have 5 MIDI devices connected via USB. Note that the text doesn't specify what "significant number" is but I believe a significant portion of MIDI users today would be uniquely identifiable based on their USB-connected MIDI interfaces.

I believe the text should be made more accurate and present a link to the data it's based off, or the privacy considerations based on it should be re-examined or reworded.

@cwilso cwilso added this to the V1 milestone Feb 2, 2022
@cwilso
Copy link
Contributor

cwilso commented Feb 2, 2022

This assumption should definitely be removed - it was written over a decade ago, and I expect the "usual" setup has changed as well. (My own personal studio has certainly changed to a blend of MIDI interfaces and direct
USB-MIDI interfaces in that time.). This text should definitely be updated.

I will say, however, that the net conclusion is likely very much the same - "The vast majority of systems have relatively few MIDI interfaces attached" - but this text should be examined again. Thanks for filing.

@noamr
Copy link
Author

noamr commented Feb 2, 2022

This assumption should definitely be removed - it was written over a decade ago, and I expect the "usual" setup has changed as well. (My own personal studio has certainly changed to a blend of MIDI interfaces and direct USB-MIDI interfaces in that time.). This text should definitely be updated.

Great! Thanks for the quick response.

I will say, however, that the net conclusion is likely very much the same - "The vast majority of systems have relatively few MIDI interfaces attached" - but this text should be examined again. Thanks for filing.

"Relatively few": Relatively to what and based off what statistics? I concede that relatively to the users of the internet few would have MIDI devices at all and would visit WebMIDI sites... but I believe that (arguably) most people who will actively use WebMIDI sites would have slightly different USB-connected MIDI-device setups which would make them uniquely identifiable.

@cwilso
Copy link
Contributor

cwilso commented Feb 2, 2022

The wording is a bit off, yes. It should really say something like "The vast majority of sites will have no MIDI devices attached at all." Of those that do, the probability will decrease in inverse proportion to the number of devices (identifiers). (I looked at data on this a long, long time ago, and fresh data should be examined before defining an answer here.) I doubt most systems will be unique - unless you've got lots of devices connected (like I do) - but that's based on a feeling, and someone needs to look at data before relying on that.

At any rate, we have been moving quickly to a user permission requirement for ANY access to MIDI devices (even enumeration), which should help mitigate any fingerprinting concerns.

@noamr
Copy link
Author

noamr commented Feb 3, 2022

The wording is a bit off, yes. It should really say something like "The vast majority of sites will have no MIDI devices attached at all." Of those that do, the probability will decrease in inverse proportion to the number of devices (identifiers). (I looked at data on this a long, long time ago, and fresh data should be examined before defining an answer here.) I doubt most systems will be unique - unless you've got lots of devices connected (like I do) - but that's based on a feeling, and someone needs to look at data before relying on that.

At any rate, we have been moving quickly to a user permission requirement for ANY access to MIDI devices (even enumeration), which should help mitigate any fingerprinting concerns.

Even with two devices you can quickly get to close-to-unique identifiers... For example my sound-card has a MIDI interface and I have a limited edition synth. I'm sure just having these two together somewhat uniquely identifies me, or puts me in a very small group.

Not sure if "more permission prompts" is the solution but I'd love to see it when it comes.

@hoch
Copy link
Member

hoch commented Apr 6, 2023

Teleconference 4/6:
Replace

Few systems will have significant numbers of MIDI devices attached; those systems that do will typically use hardware MIDI interfaces, not fanning out a dozen USB-MIDI connections through USB hubs.

with

The vast majority of systems have relatively few MIDI interfaces attached.

@mjwilson-google mjwilson-google added Needs Edits https://speced.github.io/spec-maintenance/about/ category: editorial https://www.w3.org/policies/process/#class-2 and removed Needs Edits https://speced.github.io/spec-maintenance/about/ labels Sep 11, 2023
@mjwilson-google
Copy link
Contributor

The text "The vast majority of systems have relatively few MIDI interfaces attached." currently exists at the end of this paragraph. The main point seems to be drawing a similarity with the Gamepad API. We could remove most of the text about hardware interfaces now, but I think I would like to come back to this after splitting the privacy and security sections as part of work in #185

@mjwilson-google mjwilson-google self-assigned this Sep 14, 2023
@cwilso
Copy link
Contributor

cwilso commented Sep 15, 2023

That sounds good.

For reference, the point of stating this ("those systems that do [have lots of MIDI devices attached] will typically use hardware MIDI interfaces, not fanning out a dozen USB-MIDI connections through USB hubs.") was that a single 8x8 MIDI interface attached to USB will only show up as one device-with-an-identifying name (with multiple MIDI synths connected, of course, but you can't query them to see what's attached in any uniform way, or at all without sysex). If, on the other hand, you had 8 different USB-MIDI devices attached, you're getting 8x as much unique fingerprint surface area.

I'm not sure at all that it's true that multiport DIN-MIDI interfaces are more common that USB hubs anymore, anyway, so it's fine to drop this.

@mjwilson-google mjwilson-google added the Needs Edits https://speced.github.io/spec-maintenance/about/ label Sep 30, 2023
@mjwilson-google mjwilson-google removed their assignment Oct 15, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
category: editorial https://www.w3.org/policies/process/#class-2 Needs Edits https://speced.github.io/spec-maintenance/about/
Projects
None yet
Development

Successfully merging a pull request may close this issue.

4 participants