- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Thu, 17 Sep 2009 16:13:09 -0400
- To: ext Jeremy Orlow <jorlow@chromium.org>
- Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, Arve Bersvendsen <arveb@opera.com>, David Bennett <ddt@google.com>, "public-webapps@w3c.org" <public-webapps@w3c.org>
isn't the mere knowledge of the level of activity on a device a possible privacy concern, and couldn't the pattern of activity offer a traffic analysis type opportunity? regards, Frederick Frederick Hirsch Nokia On Sep 17, 2009, at 1:35 PM, ext Jeremy Orlow wrote: > On Thu, Sep 17, 2009 at 12:50 AM, Arve Bersvendsen <arveb@opera.com> > wrote: > On Thu, 17 Sep 2009 00:05:58 +0200, David Bennett <ddt@google.com> > wrote: > > I have a proposal for an extension to javascript to enable browsers to > access system idle information. Please give me feedback and > suggestions on the proposal. > > > What exactly are the security and privacy implications of detecting > system > idle activity in the browser? > > As far as I know, there really aren't any. This was discussed on > WhatWG (before being directed here) and IIRC there were no serious > security or privacy concerns. The minimum resolution of the event > makes attacks based on keystroke timing impossible. Some people > suggested that web apps could do something "bad" while the user is > away, but I don't think anyone could come up with a good example of > something "bad". Can you think of any specific concerns? > > > On Thu, Sep 17, 2009 at 2:43 AM, Robin Berjon <robin@berjon.com> > wrote: > Hi David, > > > On Sep 17, 2009, at 00:05 , David Bennett wrote: > I have a proposal for an extension to javascript to enable browsers > to access system idle information. Please give me feedback and > suggestions on the proposal. > > Thanks! > > SUMMARY > > There currently is no way to detect the system idle state in the > browser. For example this makes it difficult to deal with any sort > of chat room or instant messaging client inside the browser since > the idle will always be incorrect; or allow for apps to control > their speed or network resources when a user is idle. > > This sounds like it /could/ (not sure and no promises) be an area of > work for DAP, given that it is about device/system information, and > given that I would expect the user to be in very solid control of > the security policy granting access to such information. I guess it > could perhaps be exposed as a system property, part of the System > Information work. > > I'm not sure this is the type of API we need to ask the user about. > Web apps can already detect when you're on their page, so I'm not > sure how valuable the additional information you would be leaking > is. I'd assume browsers could have a big hammer like "disable idle > reporting" for any users who are particularly concerned. > > > In case it's not clear, I think this is a good proposal and all my > concerns were addressed in previous threads: http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-August/022443.html
Received on Thursday, 17 September 2009 20:14:20 UTC