device serial number exposes a fixed, global ID

[pes10k]

The spec exposes (and seems to require) each device's serial number, which will be fixed and (likely) globally unique. Using a device through WebUSB then means that the user can be tracked both across site (any two sites can have access to the same usb device can link the user), across sessions (the same site can re-identify me when i return with the same USB device, even if ive cleared storage) and even across browsers.

It also seems unlikely that sites need the serial number in the vast majority of WebUSB use cases.

[reillyeon]

The USB serial number is required as part of the internal permission management algorithms but could be hidden from most sites if an alternative were provided.

We've gained some experience with developer needs from the WebHID and Web Serial APIs, where we chose not to initially launch with the USB serial number exposed and the inability to differentiate between different devices is a significant impediment which we intend to fix. However, for most use cases we could take the approach from the Web Bluetooth API and generate a random site-specific device identifier which is cleared when permission is revoked. This is tracked in WICG/webhid#7 and WICG/serial#128 for those other specs. I thought I'd filed a similar specification issue for WebUSB but apparently I haven't so I will use this issue to track this work.

For the majority of sites this will be sufficient however we have heard from some developers that important device model identification information is sometimes included in strings such as the USB product name or serial number and that the inability to read the exact value of these strings makes device detection (and thus protocol selection) significantly more difficult, e.g. requiring the site to ask the user to select the right option, when they may not be aware of the exact difference between similar device models.

I can't find where I've written about this publicly before but part of the reason why directly exposing the USB serial number was not considered a privacy risk when reviewed by the Chromium team was based on the assumption that accessing a USB device's intended functionality provides so much entropy that blocking access to the serial number would provide a marginal privacy benefit. For example, if the device provides any kind of persistent storage. The reason more effort was made to hide Bluetooth MAC addresses in the Web Bluetooth API is that these identifiers are transmitted over the air and so constitute a tracking risk not only to the user with the device connected directly to their computer but also any other users nearby, making it a significantly more attractive tracking vector for mass surveillance.

[pes10k]

However, for most use cases we could take the approach from the Web Bluetooth API and generate a random site-specific device identifier which is cleared when permission is revoked

I agree, i think adopting the same model here would be a significant, important privacy improvement. Brave is about to merge something similar

For the majority of sites this will be sufficient however we have heard from some developers that important device model identification information is sometimes included in strings such as the USB product name or serial number and that the inability to read the exact value of these strings makes device detection (and thus protocol selection) significantly more difficult, e.g. requiring the site to ask the user to select the right option, when they may not be aware of the exact difference between similar device models.

I dont think i follow the above. I understand how there might be cases where the product name is useful for this, but its difficult for me to imagine an example where the serial number would be useful to sites for this, since the serial number is often, intentionally, unique to each device. Could you give an example, so i could better understand?

[EtienneGameSeed]

In the tool I'm developing I use the serial number to recognize the boards, when I put the board in bootloader mode, the com port, name, etc may change but not the serial number, so it's mandatory to keep it. Although I'm not using webusb yet to access boards, as I wait for it to be a at more stable state. The tool I'm developing is Node Blue, the demo is here : http://www.nodeblue.org/gui/
Even if it won't expose boards in the demo version, maybe it will help you understand the purpose.

[pes10k]

In the tool I'm developing I use the serial number to recognize the boards

But if you had a per-storage-area stable identifier, this would satisfy this need w/o needing a global, fixed identifier, no?

[EtienneGameSeed]

Sorry I don't understand what you mean

[reillyeon]

I dont think i follow the above. I understand how there might be cases where the product name is useful for this, but its difficult for me to imagine an example where the serial number would be useful to sites for this, since the serial number is often, intentionally, unique to each device. Could you give an example, so i could better understand?

Nothing in the USB specification requires the serial number to be a number. It is a Unicode string and some devices have structured values which include model information in addition to a serial number. There are also devices which put the serial number in the product name string.