- From: Amy Guy <notifications@github.com>
- Date: Wed, 01 Sep 2021 08:42:31 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/606/910408688@github.com>
Thanks for the update. We discussed this again in our meetings this week. > NOTE: [RFC7258] treats pervasive monitoring as an attack, but it doesn’t apply to managed devices. We don't think this is adequate. Given the power dynamics at play in an employer-employee relationship, the UA should still be working in the best interests of the end-user (the employee) even if the device being used is managed by an administrator. That is to say, pervasive monitoring is never a feature. Especially given this in the spec: > [device administrators] may not necessarily have the device user’s best interests Further, we haven't seen an indication of implementation support from browsers other than Chrome. As all of the attributes besides serial number are set by the administrator or some internal company system, we have yet to be convinced that the use cases can't be met by the device administrator keeping their own database of these attributes. They already know the serial numbers of the devices they issue to uniquely identify them. Also, the administrator explicitly decides which sites have access to the data. So why is the UA on the managed devices needed to communicate this data to sites? The administrator can do this directly. We can't endorse adding this as a general mechanism to the Web platform. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/606#issuecomment-910408688
Received on Wednesday, 1 September 2021 15:42:44 UTC