undefined | Better HN

0 pointsTekMol9y ago0 comments

I did not expect that WebRTC would allow a website to make the browser deliver content to a 3rd party without the users consent. This has some strange privacy and copyright implications.

0 comments

6 comments · 1 top-level

shacharz9y ago· 5 in thread

That's a very much talked about subject in the standardization groups. They've concluded that WebRTC doesn't add any additional privacy or security exposure than what exists in the browsers previous to it. Can you please explain more why you think there are copyright implications?

nolok9y ago

I'm not sure about the US, but in the EU and in particular in my country of France, anti-piracy lawsuits have seen a very clearly drawn line between a mere downloader, and an uploader. That's what lead emule and bittorrent to be "dangerous" legally while direct downloading (newsgroup, rapidshare, ...) and streaming almost never led to conviction (even symbolic). That the user didn't realize his bittorrent was re-uploading content to others didn't matter.

So, if I visit a website to get, say, direct copyrighted content (let's say photo, comics, music, whatever) and that website uses webrtc to make me reshare it to other users, my legal status just went from a almost never convicted downloader to a very much punished (even though it stayed symbolic, it was still a legal loss) uploader.

shacharz9y ago

What's different in the CDN use-case is that the content that reached a 3rd user through the uploading user would've reached the 3rd anyway, just from the original server.

2 more replies

detaro9y ago

> They've concluded that WebRTC doesn't add any additional privacy or security exposure than what exists in the browsers previous to it.

Even the WebRTC standard talks quite a bit about it in the Privacy and Security Considerations section, some quotes:

Revealing IP addresses can leak location and means of connection; this can be sensitive. Depending on the network environment, it can also increase the fingerprinting surface and create persistent cross-origin state that cannot easily be cleared by the user.

[...]

These choices can for instance be made by the application based on whether the user has indicated consent to start a media connection with the other party.

https://w3c.github.io/webrtc-pc/#privacy-and-security-consid...

On standards without additional exposure, this section normally says so and is otherwise empty.

Exposing other visitors IPs is a pretty massive leak (at least some jurisdictions consider them PII, with the consequences to match), presenting that as "no additional privacy exposure" is just negligent (or more likely intentionally misleading).

TekMolOP9y ago

Privacy: The users IP and more is sent to other users of the website.

Copyright: Content gets distributed by the users computer without his consent. He cannot know if he has been turned into part of a piracy network.

mrbar429y ago

That's not true because you send or receive data from other peers only if you are already watching a video. In other words - p2p is used only in places where the data would have gotten from the server anyways (e.g. p2p didn't add any new users to the equation)

1 more reply

j / k navigate · click thread line to collapse