
Re: HTML extension for system idle detection.

From: David Bennett <ddt@google.com>
Date: Thu, 17 Sep 2009 14:08:42 -0700
Message-ID: <bfeaf0180909171408p6f7d570ap343ad0f0f7c25ee9@mail.gmail.com>
To: Frederick Hirsch <frederick.hirsch@nokia.com>
Cc: ext Jeremy Orlow <jorlow@chromium.org>, Arve Bersvendsen <arveb@opera.com>, "public-webapps@w3c.org" <public-webapps@w3c.org>

This is why we changed the resolution to be a second; it is a lot harder to
figure out traffic analysis and user analysis patterns with the lower
resolution idle information.
We discussed adding some fuzzing into the data returned, for example
rounding all results to be on a 15 second boundary, or on a minute boundary.
This sounds reasonable to me too if it will reduce privacy issues and
traffic analysis problems.

Thanks,
David.

On Thu, Sep 17, 2009 at 1:13 PM, Frederick Hirsch <
frederick.hirsch@nokia.com> wrote:

> Isn't the mere knowledge of the level of activity on a device a possible
> privacy concern, and couldn't the pattern of activity offer a traffic
> analysis type opportunity?
>
> regards, Frederick
>
> Frederick Hirsch
> Nokia
>
>
>
>
> On Sep 17, 2009, at 1:35 PM, ext Jeremy Orlow wrote:
>
>  On Thu, Sep 17, 2009 at 12:50 AM, Arve Bersvendsen <arveb@opera.com>
>> wrote:
>> On Thu, 17 Sep 2009 00:05:58 +0200, David Bennett <ddt@google.com> wrote:
>>
>> I have a proposal for an extension to JavaScript to enable browsers to
>> access system idle information.  Please give me feedback and suggestions
>> on the proposal.
>>
>>
>> What exactly are the security and privacy implications of detecting system
>> idle activity in the browser?
>>
>> As far as I know, there really aren't any.  This was discussed on WhatWG
>> (before being directed here) and IIRC there were no serious security or
>> privacy concerns.  The minimum resolution of the event makes attacks based
>> on keystroke timing impossible.  Some people suggested that web apps could
>> do something "bad" while the user is away, but I don't think anyone could
>> come up with a good example of something "bad".  Can you think of any
>> specific concerns?
>>
>>
>> On Thu, Sep 17, 2009 at 2:43 AM, Robin Berjon <robin@berjon.com> wrote:
>> Hi David,
>>
>>
>> On Sep 17, 2009, at 00:05 , David Bennett wrote:
>> I have a proposal for an extension to JavaScript to enable browsers to
>> access system idle information.  Please give me feedback and suggestions on
>> the proposal.
>>
>> Thanks!
>>
>> SUMMARY
>>
>> There currently is no way to detect the system idle state in the browser.
>>  For example this makes it difficult to deal with any sort of chat room or
>> instant messaging client inside the browser since the idle will always be
>> incorrect; or allow for apps to control their speed or network resources
>> when a user is idle.
>>
>> This sounds like it /could/ (not sure and no promises) be an area of work
>> for DAP, given that it is about device/system information, and given that I
>> would expect the user to be in very solid control of the security policy
>> granting access to such information. I guess it could perhaps be exposed as
>> a system property, part of the System Information work.
>>
>> I'm not sure this is the type of API we need to ask the user about.  Web
>> apps can already detect when you're on their page, so I'm not sure how
>> valuable the additional information you would be leaking is.  I'd assume
>> browsers could have a big hammer like "disable idle reporting" for any users
>> who are particularly concerned.
>>
>>
>> In case it's not clear, I think this is a good proposal and all my
>> concerns were addressed in previous threads:
>> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-August/022443.html
>>
>
>
Received on Thursday, 17 September 2009 21:09:23 GMT
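
The rounding discussed in the message above, as an added example that is not part of the thread or of the proposal: it models what a polling page can infer from the reported idle time at one-second resolution versus a 15-second boundary. The thread defines no API, so all function names, the rounding-down interpretation, and the sample input times are assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not from the proposal.

// Constructed sample: times (ms) of user input, sorted.
// 4000-4450 is a short typing burst.
const SAMPLE_INPUTS_MS = [4000, 4200, 4450, 9000, 40000, 47000];

// Idle time as reported to the page: whole seconds since the last input,
// rounded down to a multiple of granularitySec (1 = one-second resolution).
function reportedIdle(lastInputMs, nowMs, granularitySec) {
  const idleSec = Math.floor((nowMs - lastInputMs) / 1000);
  return idleSec - (idleSec % granularitySec);
}

// Model of a page polling the value every pollMs. The page can only infer
// an input when the reported value drops between two polls; the function
// returns the poll times (ms) at which such a drop was seen.
function observedResets(inputTimesMs, endMs, pollMs, granularitySec) {
  const resets = [];
  let prev = null;
  for (let now = 0; now <= endMs; now += pollMs) {
    let last = 0; // assumption: the session starts with an input at t = 0
    for (const t of inputTimesMs) if (t <= now) last = t;
    const cur = reportedIdle(last, now, granularitySec);
    if (prev !== null && cur < prev) resets.push(now);
    prev = cur;
  }
  return resets;
}

// One-second resolution: the burst collapses into one event, but every
// pause of a second or more is visible.
console.log(observedResets(SAMPLE_INPUTS_MS, 60000, 1000, 1));
// 15-second boundary: only input after a pause of 15 s or more is visible.
console.log(observedResets(SAMPLE_INPUTS_MS, 60000, 1000, 15));
```

In this model the 15-second boundary hides every input except the one that follows a pause of 15 seconds or more, but the poll at which the value drops still places that input to within the polling interval.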
