Chrome 94's Idle Detection API can be abused according to Mozilla and Apple

Martin Brinkmann
Sep 22, 2021

Google Chrome 94 is out and with the browser comes a new controversial feature: the Idle Detection API. As the name suggests, it can be implemented by sites to find out if a user is idle. Idle means that the user has not interacted with the device or with specific hardware, such as the keyboard or the mouse, or that certain system events have occurred, such as the launching of a screensaver or the device being locked.

Example use cases include using the API to know if contacts in chat or on social networking sites are reachable at the time, automatic restarting of kiosk applications if no user interaction is noticed for a period, or "apps that require expensive calculations" that limit these to moments with user interaction. The latest iteration of the API requires explicit permission from the user before sites can utilize it.
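The permission gate described above can be inspected and tightened from script. The following is an added example, not code from the article, Google or Chrome: it reports whether a page sees the API and in what permission state, builds the `Permissions-Policy` header a site operator can send to switch the feature off, and replaces the `IdleDetector` constructor the way a user script could. The function names and the `env` parameter (a stand-in for `window`) are assumptions made for illustration.

```javascript
// Added example, not from the article. `env` stands in for `window`;
// all function names here are hypothetical.

// Report whether the API is exposed and what the user has decided so far.
async function auditIdleDetection(env) {
  const report = { exposed: false, permission: 'unsupported' };
  if (typeof env.IdleDetector !== 'function') return report;
  report.exposed = true;
  try {
    const status = await env.navigator.permissions.query({ name: 'idle-detection' });
    report.permission = status.state; // 'granted', 'denied' or 'prompt'
  } catch (err) {
    report.permission = 'unknown'; // permission name not recognised here
  }
  return report;
}

// Response header for site operators: an empty allowlist denies the
// feature to the page itself and to every embedded frame.
function idleDetectionDenyHeader() {
  return { name: 'Permissions-Policy', value: 'idle-detection=()' };
}

// User-script style hardening: swap in a constructor that always refuses.
// Must run before any page script to be effective.
function neutralizeIdleDetection(env) {
  if (typeof env.IdleDetector !== 'function') return false;
  class BlockedIdleDetector {
    static async requestPermission() {
      return 'denied';
    }
    async start() {
      const err = new Error('Idle detection is blocked');
      err.name = 'NotAllowedError';
      throw err;
    }
  }
  Object.defineProperty(env, 'IdleDetector', {
    value: BlockedIdleDetector,
    writable: false,
    configurable: false,
  });
  return true;
}
```

In a real page, pass `globalThis` as `env`; in a browser without the API the audit returns `exposed: false` and the hardening function does nothing.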


Google implemented the functionality in Chrome 94, which the company released this week. Mozilla and Apple object to the integration of the Idle Detection API, and won't implement it in Firefox and Safari.

Mozilla has "user-surveillance and user-control concerns" about the API, as it "can be used for monitoring a user's usage patterns, and manipulating them accordingly".

As it is currently specified, I consider the Idle Detection API too tempting of an opportunity for surveillance capitalism motivated websites to invade an aspect of the user’s physical privacy, keep longterm records of physical user behaviors, discerning daily rhythms (e.g. lunchtime), and using that for proactive psychological manipulation (e.g. hunger, emotion, choice [1][2][3]). In addition, such coarse patterns could be used by websites to surreptitiously max-out local compute resources for proof-of-work computations, wasting electricity (cost to user, increasing carbon footprint) without the user’s consent or perhaps even awareness.

Mozilla published a formal rejection of the proposal. In it, the organization proposes dropping specifications that only one implementer has shown interest in, stating that the situation could otherwise risk evolving into a "single-implementation spec".

We request that specs be dropped that have shown interest from only one implementer, otherwise we are at risk of a single-implementation spec, which will only ever serve as documentation (i.e. not an actual open standard), as we know that monoculture based standards end-up becoming de facto, based on the one specific implementation’s details, bugs, interpretations, and not what is written in a specification.

Apple published its official response on the WebKit mailing list. The company's WebKit team does not see "strong enough" use cases for implementing the API.

I'm going to stop responding to this thread at this point because none of the use cases presented either here or elsewhere are compelling, and none of the privacy or security mitigations you've presented here and I found elsewhere are adequate. However, not responding to this thread or future thread about this topic does not mean we'd reconsider our position. Unless a significant new development is being made in either one of the issues we've raised, our position will remain to object to the addition of this API unless otherwise stated regardless of whether we continue to say so in public or not.

Chromium-based browsers will support the new API eventually, unless it is removed manually by the development team or disabled.

Publisher: Ghacks Technology News

Comments

  1. Asif said on September 23, 2021 at 5:46 pm

    Remember when a browser was just a browser? Well, in today’s time, it has taken the form of a mini OS that can completely control your device; files writing, access to USB, Camera, microphone, Serial devices, motion sensors, your presence, startup boost and God knows what.
    I want my good old IE back, when browser was just a browser.
    Let’s all rally to capitol hill to bring back Netscape; dunno where it escaped. Now, everyone wants to be chromium. Soon, you’ll be able to drop ur blood or sperm drop on the monitor, and device will unlock. Chrome will greet you with ur STDs report, sugar intake, blood pressure, and whether you got laid.

    Computer Technology is a beautiful thing, but wasn’t meant for just every Tom, Dick and Harry.

  2. lxst said on September 23, 2021 at 3:06 pm

    So that’s why nothing was working and I had to relaunch it today morning when I woke my pc up from sleep. Great feature. People worrying that it gives Google more ways to spy on you, that’s just the tip of the iceberg. Most people already tell Google everything about themselves. On the other hand, just imagine the amount of juicy bugs it’ll be causing.

  3. Yuliya said on September 23, 2021 at 11:21 am

    Can be disabled globally, load: chrome://settings/content/idleDetection
    First thing I do after every major Chromium release is to check chrome://settings/content and disable whatever I don’t need, which is most of the stuff found on that page.

  4. common sense computing said on September 22, 2021 at 5:01 pm

    Firefox users are going to be really upset when Mozilla gives up and turns Firefox into a Chrome fork.

  5. Mo said on September 22, 2021 at 3:27 pm

    More reason NOT to use Chrome!

  6. Henk said on September 22, 2021 at 1:42 pm

    As a Chrome 94 user, you can simply allow or disallow the use of this API in your Chrome settings page.

    Under “Privacy and Security”, open “Site Settings”. There, under “Permissions”, expand “Additional Permissions”, and in that list, find and open “Your device use”. For a simpler shortcut to this section, use: chrome://settings/content/idleDetection

    The default behavior here is “Sites can ask to know when you’re actively using your device” but with a simple click you can change this to “Don’t allow sites to know when you’re actively using your device”.

    You can also specify yes-or-no idle detection for specific websites here (so, a blacklist or whitelist).

    In short, because as a user you can simply enable or disable this API, it’s really not a big deal. For myself, I just disabled it.

    1. ULBoom said on September 22, 2021 at 2:59 pm

      Seek and ye shall find.

    2. Anonymous said on September 22, 2021 at 2:58 pm

      @Henk

      “Your device use” can not be found (is not visible) in my Chrome. Why?

      With chrome://settings/content/idleDetection I found it.

      Thanks for the tip.

  7. Tom Hawack said on September 22, 2021 at 1:32 pm

    Similar APIs already exist, even if their scope is far less intrusive. I have in mind the Page Visibility API for instance which can be disabled with a script (no about:config pref as far as I know) or with a dedicated extension. I use the ‘Disable Page Visibility API’ Firefox extension for this purpose :

    “Firefox add-on to disable the Page Visibility API. This prevents e.g. video conferencing systems from tracking whether you are currently in another window.”

    Page Visibility Tester : https://www.acme.com/webapis/visibility.html

    As always, or most often, pros and cons. For instance pausing a video when switching to another tab won’t work.

    Concerning Google’s ‘Idle Detection API’ : a logical step for an ad company, perpetually brain-storming to find whatever may contribute to a better knowledge of our lives and therefore increase the holy ROI.

  8. ChromeFan said on September 22, 2021 at 12:56 pm

    Google can do whatever it wants, as it controls the internet, IT IS the internet.

    I have to laugh at Mozilla’s ‘user-surveillance and user-control concerns’ as they were the ones who forcefully put an addon which records users telemetry and monitors what they do.

    As for Apple, they talk privacy, but that is all PR talk.

    These browsers are irrelevant, and Chrome rip-offs are even much so, none can match up to the mighty Chrome.

    What Google says and implements other browsers (Chrome rip-offs) will of course implement them. What are they going to do? Use a different engine? Hahaha.

    Everyone crying about a non-issue. Only the 1% (I’m being generous, probably even less) won’t like this. They like to moan about everything (lol).

    1. hoho said on September 24, 2021 at 5:17 am

      IT IS THE S-K-Y-N-E-T.

    2. Anonymous said on September 22, 2021 at 8:32 pm

      You’re as bad as the Apple fanboys.

    3. ULBoom said on September 22, 2021 at 2:56 pm

      “All bow, a cargo plane approaches.”

      1. Peterc said on September 22, 2021 at 4:59 pm

        @ULBoom: Thanks for making me chuckle!

  9. microfix said on September 22, 2021 at 11:25 am

    Aha, the maestros of espionage, surveillance and advertising strike again! No thanks.

    1. Ironmectin said on September 25, 2021 at 2:33 am

      there’s no fixing chromium, it is dictated to by google. even brave can’t do anything but stick on some lipstick

      1. Iron Heart said on September 26, 2021 at 8:39 am

        @Ironmectin

        Zero arguments to support this assertion, as always, you sad, sad troll.

    2. Paul(us) said on September 22, 2021 at 11:47 am

      I second your opinion. Question: Could this be a Google shareholders requested function?

      1. just an ed said on September 22, 2021 at 12:26 pm

        Actually, I get the feeling it was an NSA requested function.

    3. Iron Heart said on September 22, 2021 at 11:38 am

      @microfix

      And as always, the maestros of fixing Chromium have already fixed the issue a long time ago:

      “Disable Idle Detection”

      sources:

      https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)#what-chromium-features-are-removed-for-privacysecurity-reasons

      https://github.com/brave/brave-core/blob/master/app/brave_main_delegate.cc

      If you stick with Chrome and Edge, when better builds of Chromium exist, then that is your fault. Just saying.

  10. John G. said on September 22, 2021 at 9:55 am

    I dislike this API, why should other sites know when I am idle? :[

    1. No Thanks, Five Eyes said on September 22, 2021 at 8:31 pm

      Why should companies like Google, Microsoft and Apple have access to your data, contacts, passwords, financial info, personal photos and videos, political affiliation, religion, purchases, travel info, etc, etc, etc???

      These companies are directly linked with intelligence agencies, have been funded by intelligence agencies from the beginning, run by known intel agents (Eric Schmidt, Bill Gates, Jeff Bezos, etc.), besides selling you out to practically anyone (yes, even Google, they do it by selling their profile of you, rather than the data directly). Then people wonder why all these mass hacks are happening, because your passwords and personal info is getting leaked all over the planet by these surveillance organizations.
