- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Thu, 3 Aug 2017 08:29:11 +0100
- To: Guilherme Hermeto <gui.hermeto@gmail.com>
- Cc: ietf-http-wg@w3.org
- Message-ID: <52b58869-f2cb-239f-b426-0f8eb5facd18@cs.tcd.ie>
On 03/08/17 08:11, Guilherme Hermeto wrote:
> On Thu, Aug 3, 2017 at 12:02 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
>
>> On 03/08/17 07:34, Guilherme Hermeto wrote:
>>> Browsers ask for the user permission to use the Geolocation API and even
>>> though the user gives the consent once, some clients keep tracking the
>>> user for long after. So the potential for abuse already exists in the
>>> client. It isn't being introduced on this proposal.
>>
>> I don't see that as a good argument for increasing the
>> potential for abuse. That seems like making an attack
>> surface bigger, which'd normally be regarded as a bad
>> plan.
>>
>> Separately, as a happy NoScript user, I'd also prefer
>> to not have yet another attack vector to have to worry
>> about.
>>
>> S.
>>
> First, I really admire that you can live these days NoScript...

Well, I find it faster and more privacy friendly so I'm fine
with missing out on all those lovely active menus and dancing
images:-) I'm even more fine with it vastly reducing the number
of times I send packets to advertising networks. And it can
also whitelist when I need it to, so I'd encourage people to
try it.

>
> But going back to the issue in hand, as your client gives you the option to
> block script, and to block cookies, it must also give you the option to block
> Geolocation. As I mentioned in my previous message, like a SetCookie that
> is initiated by the server, the client must make the final decision if the
> data is sent to server or not.

I find that the level of control offered by browsers to me
as a user seems to decrease over time. I can understand why
that's the case, esp. on mobiles, but am not keen on that.
And while I don't agree that clients "must also give" a
chance to turn this off, I would hope they'd treat it the
same as the JS API so it'd hopefully not be too awful.

That said, ISTM a lot of these things are such that if sites
keep asking, then the user will eventually fold and give up
their privacy. So having a browser ask when before it wouldn't
also seems like a disimprovement.

>
> Btw, when I mentioned abuse, I meant it as privacy issue. And there are
> clearly privacy issues, just like it does with cookies. But can you really
> call it an attack?

Personally, I do consider web sites wanting to know my location
as an attack on my privacy in almost all cases. I realise that's
uncommon and that some people say they like being tracked. I
don't know what the general population think about this, as I
suspect they just take whatever defaults browsers choose and
click ok, if not the first time, then eventually.

S.

Received on Thursday, 3 August 2017 07:29:43 UTC