A curious little data leak, but one I struggle to care about. Perhaps useful for a bit of fingerprinting?
Websites can access your system's camera and microphone. That's how modern video conferencing works in the browser. In an effort to retain user privacy, the browser asks the user for permission to use the camera and mics. No audio or video will be sent until the user agrees.
But some metadata gets shared before you agree!
Visit the WebRTC Detection Experiment site. You'll notice that without you agreeing, the site is able to determine how many microphones you have:
And how many cameras you have:
Having two cameras is perhaps a reasonable proxy for being a mobile phone / tablet. One main cam, one selfie cam.
Multiple microphones could be an indicator that the user is on a laptop. Built in microphone and an external USB microphone. Although some phones also present multiple microphones.
The names of the devices aren't sent until after you agree to the permission prompt.
There are inconsistencies between browsers:
|Laptop||3 mics, 1 camera||1 mic, 1 camera|
|Android||1 mic, 2 cameras||3 mics, 2 cameras|
It is useful to present to the user a selection of input devices. But does the site need to know how many devices are attached before permission has been granted?
The way the iPhone does it, is to present a fake set of data - one mic and one camera - until permission has been granted. Then it shows the real information.
Personally, I think the browser should only indicate a boolean to the site that AV inputs are available. Once permission is granted, then the site can request the number of devices and their names.
What do you reckon?