Removed label from multimedia devices when fingerprinting protection is on

[tsjnachos117]

Test Plan

#7871 (comment)

1. automated bravery panel tests should pass
2. go to https://browserleaks.com/webrtc with fingerprinting protection enabled
3. media device information should not be available

Original issue description

Multimedia devices have labels, which could be used to distinguish browsers, and therefore users. This could put people's privacy at risk. Let me tell you what I mean:

On web pages like this BrowserLeaks page and this JSFiddle page, multimedia device information can be displayed. In my case, I'm running Ubuntu with a non-default PulseAudio output device, and because of this, I have one device labeled "LADSPA Plugin Multiband EQ on Built-in Audio Analog Stereo", and another labeled "Built-in Audio Analog Stereo". The DeviceID changes when I close my browser (I have my browser set to delete all info on closing), but the label (e.g. "LADSPA Plugin Multiband EQ on Built-in Audio Analog Stereo") does not change (why would it?).

This could make it easy to track my activities, as it (semi-)uniquely distinguishes me. This is especially bad because I semi-frequently change IP addresses. Because I mostly use this browser on a laptop, I sometimes use public WiFi to connect to the internet. I also frequently use VPN services, proxies, and TOR, to protect my anonymity, especially on public WiFi. That said, I don't want to be de-anonymized by my web browser's MultiMedia label leaks. The worst part is the fact that I'm probably not the only one who could be identified this way, since other users might have (semi-)unique device labels as well.

So, if these labels could be removed, that would be absolutely great.

It's worth noting that in Chromium my devices are just called "N/A" on BrowserLeaks and ":" on JSFiddle, which leads me to assume that what I'm asking is more-or-less possible.

PS: I'm running version 0.12.15, if that makes any difference.

[cndouglas]

Pinging @diracdeltas for thoughts.

[diracdeltas]

@tsjnachos117 0.12.15 is really out of date, btw. please update to 0.13.x!

As you said, since #4157 was fixed, the Device ID is randomized on every restart and when 'Clear data' is clicked. I agree it seems like a good idea to block device ID and labels completely when 'fingerprinting protection' is on. I don't think we should do it in general because the device label can be used legitimately.

[tsjnachos117]

@tsjnachos117 0.12.15 is really out of date, btw. please update to 0.13.x!

Interesting, when I click "check update" in the help menu, Brave tells me that there are no updates. Is this because the new version is a dev version? Or is this because I am using Ubuntu, which of course uses it's own package manager to update Brave?

As you said, since #4157 was fixed, the Device ID is randomized on every restart and when 'Clear data' is clicked.

I honestly didn't know an issue was ever filed for this. I guess you learn something new everyday!

I agree it seems like a good idea to block device ID and labels completely when 'fingerprinting protection' is on. I don't think we should do it in general because the device label can be used legitimately.

My instinct would be to do this for all users, since privacy is more important (in my mind, at least) than having extra features. But I do see your logic, some people might need features like this, especially people who don't think like me ("people who don't think like me" would include most people, as far as I can tell). So I guess hiding device IDs makes more sense when fingerprinting protection is turned on.

[diracdeltas]

Interesting, when I click "check update" in the help menu, Brave tells me that there are no updates. Is this because the new version is a dev version?

Yup, this is a known Linux bug we are working on. Please install Brave through apt and then it will update through the usual apt-get update. https://github.com/brave/browser-laptop/blob/master/docs/linuxInstall.md

[tsjnachos117]

Speaking of new things you learn everyday, I didn't know Brave had an apt repository. I've been downloading directly from Brave's website.

IDK if I'll be adding the official apt repo, however. I don't want Amazon knowing too much about me, so having my computer talk to Amazon everytime I run apt(-get) update doesn't sit well with me. If I'm going to be talking to Amazon, I'd like to do so on my own terms. I would assume that, if nothing else, this will allow Amazon to triangulate where I am.

[diracdeltas]

IDK if I'll be adding the official apt repo, however. I don't want Amazon knowing too much about me

Not sure what you mean. Our apt repo is self-hosted, it doesn't use Amazon.

[tsjnachos117]

That's not what the instructions you posted say. To add the PGP key, the instructions say to get it (with curl) from https://s3-us-west-2.amazonaws.com/brave-apt/keys.asc. That is clearly amazonaws.com, which is obvisouly Amazon.

Directly beneath that, is the instruction to add what is clearly an Amazon repo: echo "deb [arch=amd64] https://s3-us-west-2.amazonaws.com/brave-apt `lsb_release -sc` main" | sudo tee -a /etc/apt/sources.list.d/brave-`lsb_release -sc`.list. AmazonAWS.com abounds!

This also appears to be the case with other GNU/Linux distros.

However, if I download packages directly from brave.com, I do not get any links to Amazon. So, Amazon is clearly used for package management, but direct downloads are self-hosted.

[diracdeltas]

@tsjnachos117 my bad, i assumed you meant Amazon the retailer/appstore not all Amazon infrastructure.