Re: [w3ctag/design-reviews] Managed Device Web API (#606)

Hi @Ananubis just following up @cynthia's comment: I think we'd really like to see a lot more detail on the use cases / full use scenarios that this spec is intended to support. As you note in the explainer, this has been something that has previously been possible using a Chrome-specific API. However, now you're proposing to bake this more fully into the web platform, which is raising some concerns both about how this could be misused in the wild by bad actors *and* how it could be harmful if used *as intended*. In particular, I'm concerned about how this could be used to make surveillance of employees easier to accomplish. That (possibly unintended) outcome would strongly echo the concerns laid out about pervasive monitoring in [RFC7285: Pervasive Monitoring Is an Attack](https://tools.ietf.org/html/rfc7258):

> In particular, the term "attack", used technically, implies nothing
> about the motivation of the actor mounting the attack.  The
> motivation for PM can range from non-targeted nation-state
> surveillance, to legal but privacy-unfriendly purposes by commercial
> enterprises, to illegal actions by criminals.  The same techniques to
> achieve PM can be used regardless of motivation.  Thus, we cannot
> defend against the most nefarious actors while allowing monitoring by
> other actors no matter how benevolent some might consider them to be,
> since the actions required of the attacker are indistinguishable from
> other attacks.  The motivation for PM is, therefore, not relevant for
> how PM is mitigated in IETF protocols.

https://github.com/w3ctag/design-reviews/issues/606#issuecomment-829999488

Received on Friday, 30 April 2021 10:26:27 UTC