W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2009

Re: HTML extension for system idle detection.

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Thu, 17 Sep 2009 16:13:09 -0400
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, Arve Bersvendsen <arveb@opera.com>, David Bennett <ddt@google.com>, "public-webapps@w3c.org" <public-webapps@w3c.org>
Message-Id: <7564C6A7-937E-42D9-B73E-6071D6C3DBBA@nokia.com>
To: ext Jeremy Orlow <jorlow@chromium.org>
isn't the mere knowledge of the level of activity on a device a  
possible privacy concern, and couldn't the pattern of activity offer a  
traffic analysis type opportunity?

regards, Frederick

Frederick Hirsch
Nokia



On Sep 17, 2009, at 1:35 PM, ext Jeremy Orlow wrote:

> On Thu, Sep 17, 2009 at 12:50 AM, Arve Bersvendsen <arveb@opera.com>  
> wrote:
> On Thu, 17 Sep 2009 00:05:58 +0200, David Bennett <ddt@google.com>  
> wrote:
>
> I have a proposal for an extension to javascript to enable browsers to
> access system idle information.  Please give me feedback and  
> suggestions on the proposal.
>
>
> What exactly are the security and privacy implications of detecting  
> system
> idle activity in the browser?
>
> As far as I know, there really aren't any.  This was discussed on  
> WhatWG (before being directed here) and IIRC there were no serious  
> security or privacy concerns.  The minimum resolution of the event  
> makes attacks based on keystroke timing impossible.  Some people  
> suggested that web apps could do something "bad" while the user is  
> away, but I don't think anyone could come up with a good example of  
> something "bad".  Can you think of any specific concerns?
>
>
> On Thu, Sep 17, 2009 at 2:43 AM, Robin Berjon <robin@berjon.com>  
> wrote:
> Hi David,
>
>
> On Sep 17, 2009, at 00:05 , David Bennett wrote:
> I have a proposal for an extension to javascript to enable browsers  
> to access system idle information.  Please give me feedback and  
> suggestions on the proposal.
>
> Thanks!
>
> SUMMARY
>
> There currently is no way to detect the system idle state in the  
> browser.  For example this makes it difficult to deal with any sort  
> of chat room or instant messaging client inside the browser since  
> the idle will always be incorrect; or allow for apps to control  
> their speed or network resources when a user is idle.
>
> This sounds like it /could/ (not sure and no promises) be an area of  
> work for DAP, given that it is about device/system information, and  
> given that I would expect the user to be in very solid control of  
> the security policy granting access to such information. I guess it  
> could perhaps be exposed as a system property, part of the System  
> Information work.
>
> I'm not sure this is the type of API we need to ask the user about.   
> Web apps can already detect when you're on their page, so I'm not  
> sure how valuable the additional information you would be leaking  
> is.  I'd assume browsers could have a big hammer like "disable idle  
> reporting" for any users who are particularly concerned.
>
>
> In case it's not clear, I think this is a good proposal and all my  
> concerns were addressed in previous threads: http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-August/022443.html
Received on Thursday, 17 September 2009 20:14:20 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:33 GMT