Re: HTML extension for system idle detection.

I don't believe that's what Frederick is talking about.  Also, fuzzing and
rounding don't apply to the proposal you just sent out since it's now just
an event (rather than a timer based API).
I think there is some merit to Jonas and Frederick's comments.  We are
leaking more information (but not a lot more) about a users habits than we
did before.  I haven't responded to them yet because I don't have a good
answer.  :-)

On Thu, Sep 17, 2009 at 2:08 PM, David Bennett <ddt@google.com> wrote:

> This is why we changed the resolution to be a second, it is a lot harder to
> figure out traffic analysis and user analysis patterns with the lower
> resolution idle information.
> We discussed adding some fuzzing into the data returned, for example
> rounding all results to be on a 15 second boundary, or on a minute boundary,
> this sounds reasonable to me too if it will reduce privacy issues and
> traffic analysis problems.
>
> Thanks,
> David.
>
>
> On Thu, Sep 17, 2009 at 1:13 PM, Frederick Hirsch <
> frederick.hirsch@nokia.com> wrote:
>
>> isn't the mere knowledge of the level of activity on a device a possible
>> privacy concern, and couldn't the pattern of activity offer a traffic
>> analysis type opportunity?
>>
>> regards, Frederick
>>
>> Frederick Hirsch
>> Nokia
>>
>>
>>
>>
>> On Sep 17, 2009, at 1:35 PM, ext Jeremy Orlow wrote:
>>
>>  On Thu, Sep 17, 2009 at 12:50 AM, Arve Bersvendsen <arveb@opera.com>
>>> wrote:
>>> On Thu, 17 Sep 2009 00:05:58 +0200, David Bennett <ddt@google.com>
>>> wrote:
>>>
>>> I have a proposal for an extension to javascript to enable browsers to
>>> access system idle information.  Please give me feedback and suggestions
>>> on the proposal.
>>>
>>>
>>> What exactly are the security and privacy implications of detecting
>>> system
>>> idle activity in the browser?
>>>
>>> As far as I know, there really aren't any.  This was discussed on WhatWG
>>> (before being directed here) and IIRC there were no serious security or
>>> privacy concerns.  The minimum resolution of the event makes attacks based
>>> on keystroke timing impossible.  Some people suggested that web apps could
>>> do something "bad" while the user is away, but I don't think anyone could
>>> come up with a good example of something "bad".  Can you think of any
>>> specific concerns?
>>>
>>>
>>> On Thu, Sep 17, 2009 at 2:43 AM, Robin Berjon <robin@berjon.com> wrote:
>>> Hi David,
>>>
>>>
>>> On Sep 17, 2009, at 00:05 , David Bennett wrote:
>>> I have a proposal for an extension to javascript to enable browsers to
>>> access system idle information.  Please give me feedback and suggestions on
>>> the proposal.
>>>
>>> Thanks!
>>>
>>> SUMMARY
>>>
>>> There currently is no way to detect the system idle state in the browser.
>>>  For example this makes it difficult to deal with any sort of chat room or
>>> instant messaging client inside the browser since the idle will always be
>>> incorrect; or allow for apps to control their speed or network resources
>>> when a user is idle.
>>>
>>> This sounds like it /could/ (not sure and no promises) be an area of work
>>> for DAP, given that it is about device/system information, and given that I
>>> would expect the user to be in very solid control of the security policy
>>> granting access to such information. I guess it could perhaps be exposed as
>>> a system property, part of the System Information work.
>>>
>>> I'm not sure this is the type of API we need to ask the user about.  Web
>>> apps can already detect when you're on their page, so I'm not sure how
>>> valuable the additional information you would be leaking is.  I'd assume
>>> browsers could have a big hammer like "disable idle reporting" for any users
>>> who are particularly concerned.
>>>
>>>
>>> In case it's not clear, I think this is a good proposal and all my
>>> concerns were addressed in previous threads:
>>> http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-August/022443.html
>>>
>>
>>
>

Received on Thursday, 17 September 2009 21:14:32 UTC