Re: Geolocation header

On 03/08/17 08:11, Guilherme Hermeto wrote:
> On Thu, Aug 3, 2017 at 12:02 AM, Stephen Farrell <>
> wrote:
>> On 03/08/17 07:34, Guilherme Hermeto wrote:
>>> Browsers ask for the user permission to use the Gelolocation API and even
>>> though the user gives the consent once, some clients keep tracking the
>> user
>>> for long after. So the potential for abuse already exists in the client.
>> It
>>> isn't being introduced on this proposal.
>> I don't see that as a good argument for increasing the
>> potential for abuse. That seems like making an attack
>> surface bigger, which'd normally be regarded as a bad
>> plan.
>> Separately, as a happy NoScript user, I'd also prefer
>> to not have yet another attack vector to have to worry
>> about.
>> S.
> First, I really admire that you can live these days NoScript...

Well, I find it faster and more privacy friendly so I'm
fine with missing out on all those lovely active menus
and dancing images:-) I'm even more fine with it vastly
reducing the number of times I send packets to advertising
networks. And it can also whitelist when I need it to,
so I'd encourage people to try it.

> But going back to the issue in hand, as your client gives you the option to
> block script, and to block cookies, it must also give you the option block
> Geolocation. As I mentioned in my previous message, like a SetCookie that
> is initiated by the server, the client must make the final decision if the
> data is sent to server or not.

I find that the level of control offered by browsers to me
as a user seems to decrease over time. I can understand why
that's the case, esp. on mobiles, but am not keen on that.

And while I don't agree that clients "must also give" a chance
to turn this off, I would hope they'd treat it the same as
the JS API so it'd hopefully not be too awful. That said,
ISTM a lot of these things are such that if sites keep asking,
then the user will eventually fold and give up their privacy.
So having a browser ask when before it wouldn't also seems
like a disimprovement.

> Btw, when I mentioned abuse, I meant it as privacy issue. And there are
> clearly privacy issues, just like it does with cookies. But can you really
> call it an attack?

Personally, I do consider web sites wanting to know my location
as an attack on my privacy in almost all cases. I realise that's
uncommon and that some people say they like being tracked. I don't
know what the general population think about this, as I suspect
they just take whatever defaults browsers choose and click ok,
if not the first time, then eventually.



Received on Thursday, 3 August 2017 07:29:43 UTC