I think this is an accurate summary of the discussion on IRC:

1. There should be a run-time prompt the first time an app tries to use the microphone, just as there is for other sensitive properties. In future there should be a similar prompt for the camera (bug 1230366).
2. In addition, there should be a reminder whenever a background app is using the mic, e.g. a VoIP client when you've switched to your calendar to discuss an event, so that you don't forget the mic is live. Again, the same is true for the camera. (Trusted screencast utilities might be granted exceptions.)
3. Because both of these apply just as much to the camera as the mic, and they will often happen together, they should share UI. In the prompt case, that means the prompts for both should be aggregated. In the reminder case, it means the sound indicator isn't an appropriate home for it.
4. Much the same issue is already faced by the phone app: when you switch to another app during a call, you need both a reminder that you're on a call, and a way of switching back to it. Other apps using the mic (and/or camera) should use the same UI mechanism as the phone app does, not least because they will often be VoIP clients doing the same job as the phone app. Unfortunately the design for that reminder is not yet finalized. The current draft is a temporary separate indicator.

--
https://bugs.launchpad.net/bugs/1224756

Title:
  pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Invalid
Status in “pulseaudio” source package in Saucy:
  Won't Fix
Status in “pulseaudio” source package in t-series:
  New

Bug description:

Currently the 'audio' policy group allows access to pulseaudio which allows apps to use the microphone and eavesdrop on the user. Pulseaudio needs to be modified to use trust-store, like location-service does.

Integrating with trust-store means that when an app tries to use the microphone via pulseaudio, pulseaudio will contact trust-store, the trust-store will prompt the user ("Foo wants to use the microphone. Is this ok? Yes|No"), optionally cache the result and return the result to pulseaudio.
In this manner the user is given a contextual prompt at the time of access by the app. Using caching this decision can be remembered the next time. If caching is used, there should be a method to change the decision in settings.

Targeting to T-Series for now, since the trust-store is not in a reusable form yet.

Original description:

David and the security team (inspired by an observation from Rick) discussed that when recording, pulseaudio should somehow unobtrusively show the user that it is recording. The easiest thing to do would be for pulseaudio to alert indicator-sound which would then turn its icon red (similar to indicator-message turning blue with new messages).

Marking 'high' because apps with access to pulseaudio can currently eavesdrop on users. If the app is allowed to do networking (the default for apps), then it can ship that information off to a server somewhere.

Note 1, the alert to indicator-sound must happen via the out of process pulseaudio server and not the confined app itself to be effective.

Note 2, we should consider how to enforce this for foreground apps only. Application lifecycle should probably handle this for 13.10 (apps are suspended if not in foreground or if the screensaver is on), but we don't want an app on the converged device to record in the background when the user isn't paying attention.

Example eavesdropping attack: start recording only when the screensaver is on (perhaps inhibiting the screensaver during recording would be enough).
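
The flow in the bug description (check made in the server, prompt on first use, cached answer, change in settings) together with the background reminder from the comment, as an added Python sketch that is not part of the original report and is not pulseaudio or trust-store code. MicGate, its methods, the app ids and the rule that a capture can only start in the foreground with the screen unlocked are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

@dataclass
class MicGate:
    """Toy model of the check made in the audio server, not in the confined app."""
    ask_user: Callable[[str], bool]                             # stand-in for the trusted prompt
    decisions: Dict[str, bool] = field(default_factory=dict)    # cached answers
    recording: Set[str] = field(default_factory=set)
    reminders: List[str] = field(default_factory=list)          # stand-in for the indicator

    def start_recording(self, app: str, foreground: bool, screen_locked: bool) -> bool:
        # Assumed policy: a capture may only start while the user can see the app.
        # This refusal is not cached; it depends on device state, not on consent.
        if screen_locked or not foreground:
            return False
        if app not in self.decisions:
            # First use: contextual prompt, answer cached for next time.
            self.decisions[app] = self.ask_user(app)
        if self.decisions[app]:
            self.recording.add(app)
        return self.decisions[app]

    def moved_to_background(self, app: str) -> None:
        # A permitted stream that keeps running gets a visible reminder.
        if app in self.recording:
            self.reminders.append(f"{app} is using the microphone")

    def revoke(self, app: str) -> None:
        # Settings page: forget the cached answer and stop any live capture.
        self.decisions.pop(app, None)
        self.recording.discard(app)

def demo():
    prompts = []
    def ask(app):                      # constructed user: trusts only the VoIP app
        prompts.append(app)
        return app == "voip.example"
    gate = MicGate(ask)
    game, voip = "game.example", "voip.example"
    results = [gate.start_recording(game, True, True),    # locked: refused, no prompt
               gate.start_recording(game, True, False),   # prompt, user says No
               gate.start_recording(voip, True, False),   # prompt, user says Yes
               gate.start_recording(voip, True, False)]   # cached Yes, no prompt
    gate.moved_to_background(voip)
    gate.revoke(voip)
    return results, prompts, gate.reminders, gate.decisions
```

The screen-locked request is refused before any prompt is shown, so the attack in the description neither records nor leaves a cached decision behind.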