The MOQT_IMPLEMENTATION option (Section 10.3.1.5) can reveal information that contributes to fingerprinting, a set of techniques for identifying a specific endpoint over time through its unique set of characteristics.
Detailed implementation information, including specific version numbers, build identifiers, or platform details, can create a unique fingerprint that enables tracking endpoints across sessions without their awareness. When combined with other session characteristics, even minimal implementation identification can contribute to distinguishing one endpoint from another.
To mitigate fingerprinting risks:
-
Implementations SHOULD send only the minimum information necessary for interoperability debugging. A short implementation name and major version number are typically sufficient.
-
Implementations SHOULD NOT include detailed system information, build numbers, or other attributes that could uniquely identify a specific instance or user.
-
Privacy-conscious deployments MAY omit the MOQT_IMPLEMENTATION option entirely or send a generic value.
-
Implementations MAY provide users with the ability to configure or disable the MOQT_IMPLEMENTATION option.
Operators are advised that detailed implementation identification facilitates the same privacy concerns as persistent identifiers, since it enables correlation of sessions across time.