Chrome 94's Idle Detection API can be abused according to Mozilla and Apple
Google Chrome 94 is out, and with it comes a controversial new feature: the Idle Detection API. As the name suggests, sites can implement it to find out whether a user is idle. Idle means that the user has not interacted with the device or with specific hardware, such as the keyboard or the mouse, or that certain system events have occurred, such as the screensaver launching or the device being locked.
Example use cases include using the API to know if contacts in chat or on social networking sites are reachable at the time, automatic restarting of kiosk applications if no user interaction is noticed for a period, or "apps that require expensive calculations" that limit these to moments with user interaction. The latest iteration of the API requires explicit permission from the user before sites can utilize it.
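As an added illustration (not code from this article or from Chrome), the sketch below shows where the permission prompt sits and the only two signals a page receives once permission is granted. The function name `observeIdleState` and its `env` parameter are assumptions of this example; `IdleDetector`, `requestPermission()`, `start()`, `userState` and `screenState` are the API's own names.

```javascript
// Added example. `observeIdleState` and its `env` parameter are assumptions of
// this sketch; `env` defaults to the browser globals.
async function observeIdleState(env = globalThis, onChange = console.log) {
  // Firefox and Safari do not ship the API, so feature-detect first.
  if (typeof env.IdleDetector !== 'function') {
    return { supported: false };
  }

  // The permission gate: nothing below runs unless the user grants access.
  // Chrome only shows the prompt in response to a user gesture such as a click.
  const permission = await env.IdleDetector.requestPermission();
  if (permission !== 'granted') {
    return { supported: true, permission };
  }

  const detector = new env.IdleDetector();
  const controller = new AbortController();
  const snapshot = () => ({
    userState: detector.userState,     // "active" or "idle"
    screenState: detector.screenState, // "locked" or "unlocked"
  });
  detector.addEventListener('change', () => onChange(snapshot()));

  // 60000 ms is the smallest idle threshold the API accepts.
  await detector.start({ threshold: 60000, signal: controller.signal });
  return { supported: true, permission, ...snapshot(), stop: () => controller.abort() };
}

// In a browser, run the check on the first click so the prompt is allowed.
if (typeof document !== 'undefined') {
  document.addEventListener('click', () => observeIdleState().then(console.log), { once: true });
}
```

If the user declines, or has blocked the permission in Chrome's settings, the function returns at the permission check and no detector is started.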
Google implemented the functionality in Chrome 94, which the company released this week. Mozilla and Apple object to the integration of the Idle Detection API, and won't implement it in Firefox and Safari.
Mozilla has "user-surveillance and user-control concerns" about the API, as it "can be used for monitoring a user's usage patterns, and manipulating them accordingly".
As it is currently specified, I consider the Idle Detection API too tempting of an opportunity for surveillance capitalism motivated websites to invade an aspect of the user’s physical privacy, keep long-term records of physical user behaviors, discerning daily rhythms (e.g. lunchtime), and using that for proactive psychological manipulation (e.g. hunger, emotion, choice [1][2][3]). In addition, such coarse patterns could be used by websites to surreptitiously max-out local compute resources for proof-of-work computations, wasting electricity (cost to user, increasing carbon footprint) without the user’s consent or perhaps even awareness.
Mozilla published a formal rejection to the proposal. In it, the organization proposes to drop requests that only one implementer has shown interest in, stating that the situation could risk evolving into a "single-implementation spec".
We request that specs be dropped that have shown interest from only one implementer, otherwise we are at risk of a single-implementation spec, which will only ever serve as documentation (i.e. not an actual open standard), as we know that monoculture based standards end-up becoming de facto, based on the one specific implementation’s details, bugs, interpretations, and not what is written in a specification.
Apple published its official response on the Webkit mailing list. The company's WebKit team does not see "strong enough" use cases for implementing the API.
I'm going to stop responding to this thread at this point because none of the use cases presented either here or elsewhere are compelling, and none of the privacy or security mitigations you've presented here and I found elsewhere are adequate. However, not responding to this thread or future thread about this topic does not mean we'd reconsider our position. Unless a significant new development is being made in either one of the issues we've raised, our position will remain to object to the addition of this API unless otherwise stated regardless of whether we continue to say so in public or not.
Chromium-based browsers will support the new API eventually, unless it is removed manually by the development team or disabled.
Remember when a browser was just a browser? Well, in today’s time, it has taken the form of a mini OS that can completely control your device; files writing, access to USB, Camera, microphone, Serial devices, motion sensors, your presence, startup boost and God knows what.
I want my good old IE back, when browser was just a browser.
Let’s all rally to capitol hill to bring back Netscape; dunno where it escaped. Now, everyone wants to be chromium. Soon, you’ll be able to drop ur blood or sperm drop on the monitor, and device will unlock. Chrome will greet you with ur STDs report, sugar intake, blood pressure, and whether you got laid.
Computer Technology is a beautiful thing, but wasn’t meant for just every Tom, Dick and Harry.
So that’s why nothing was working and I had to relaunch it today morning when I woke my pc up from sleep. Great feature. People worrying that it gives Google more ways to spy on you, that’s just the tip of the iceberg. Most people already tell Google everything about themselves. On the other hand, just imagine the amount of juicy bugs it’ll be causing.
Can be disabled globally, load: chrome://settings/content/idleDetection
First thing I do after every major Chromium release is to check chrome://settings/content and disable whatever I don’t need, which is most of the stuff found on that page.
Firefox users are going to be really upset when Mozilla gives up and turns Firefox into a Chrome fork.
More reason NOT to use Chrome!
As a Chrome 94 user, you can simply allow or disallow the use of this API in your Chrome settings page.
Under “Privacy and Security”, open “Site Settings”. There, under “Permissions”, expand “Additional Permissions”, and in that list, find and open “Your device use”. For a simpler shortcut to this section, use: chrome://settings/content/idleDetection
The default behavior here is “Sites can ask to know when you’re actively using your device” but with a simple click you can change this to “Don’t allow sites to know when you’re actively using your device”.
You can also specify yes-or-no idle detection for specific websites here (so, a blacklist or whitelist).
In short, because as a user you can simply enable or disable this API, it’s really not a big deal. For myself, I just disabled it.
Seek and ye shall find.
@Henk
“Your device use” can not be found (is not visible) in my Chrome. Why?
With chrome://settings/content/idleDetection I found it.
Thanks for the tip.
Similar APIs already exist, even if their scope is far less intrusive. I have in mind the Page Visibility API for instance which can be disabled with a script (no about:config pref as far as I know) or with a dedicated extension. I use the ‘Disable Page Visibility API’ Firefox extension for this purpose :
“Firefox add-on to disable the Page Visibility API. This prevents e.g. video conferencing systems from tracking whether you are currently in another window.”
Page Visibility Tester : https://www.acme.com/webapis/visibility.html
As always, or most often, pros and cons. For instance pausing a video when switching to another tab won’t work.
Concerning Google’s ‘Idle Detection API’ : a logical step for an ad company, perpetually brain-storming to find whatever may contribute to a better knowledge of our lives and therefore increase the holy ROI.
Google can do whatever it wants, as it controls the internet, IT IS the internet.
I have to laugh at Mozilla’s ‘user-surveillance and user-control concerns’ as they were the ones who forcefully put an addon which records users telemetry and monitors what they do.
As for Apple, they talk privacy, but that is all PR talk.
These browsers are irrelevant, and Chrome rip-offs are even much so, none can match up to the mighty Chrome.
What Google says and implements other browsers (Chrome rip-offs) will of course implement them. What are they going to do? Use a different engine? Hahaha.
Everyone crying about a non-issue. Only the 1% (I’m being generous, probably even less) won’t like this. They like to moan about everything (lol).
IT IS THE S-K-Y-N-E-T.
You’re as bad as the Apple fanboys.
“All bow, a cargo plane approaches.”
@ULBoom: Thanks for making me chuckle!
Aha, the maestros of espionage, surveillance and advertising strike again! No thanks.
there’s no fixing chromium, it is dictated to by google. even brave can’t do anything but stick on some lipstick
@Ironmectin
Zero arguments to support this assertion, as always, you sad, sad troll.
I second your opinion. Question: Could this be a Google shareholders requested function?
Actually, I get the feeling it was an NSA requested function.
@microfix
And as always, the maestros of fixing Chromium have already fixed the issue a long time ago:
“Disable Idle Detection”
sources:
https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)#what-chromium-features-are-removed-for-privacysecurity-reasons
https://github.com/brave/brave-core/blob/master/app/brave_main_delegate.cc
If you stick with Chrome and Edge, when better builds of Chromium exist, then that is your fault. Just saying.
I dislike this API, why should other sites know when I am idle? :[
Why should companies like Google, Microsoft and Apple have access to your data, contacts, passwords, financial info, personal photos and videos, political affiliation, religion, purchases, travel info, etc, etc, etc???
These companies are directly linked with intelligence agencies, have been funded by intelligence agencies from the beginning, run by known intel agents (Eric Schmidt, Bill Gates, Jeff Bezos, etc.), besides selling you out to practically anyone (yes, even Google, they do it by selling their profile of you, rather than the data directly). Then people wonder why all these mass hacks are happening, because your passwords and personal info are getting leaked all over the planet by these surveillance organizations.