[HN Gopher] Mozilla says Chrome's latest feature enables surveil...
___________________________________________________________________
Mozilla says Chrome's latest feature enables surveillance
Author : good8675309
Score : 175 points
Date : 2021-09-23 18:15 UTC (4 hours ago)
(HTM) web link (www.howtogeek.com)
(TXT) w3m dump (www.howtogeek.com)
| vxNsr wrote:
| I think the real story here is that the browser has really become
| the OS. But whereas before we left all decisions up to the users
| about what they could install and trust, and they trusted the dev
| to not do anything nefarious, the browser makers realized that
| users are a bad judge of character and devs cannot be trusted to
| be honest. So the browsers created a complex api access process
| to protect users from bad actors.
|
| To move this sort of paradigm back into OS would require a
| wholesale re-write of APIs and how they're accessed.
|
| Surprise! Both Apple and Microsoft did that, but neither of their
| new APIs caught on, because the benefit of being a native app was
| outshined by losing the easy access to the user data. So from the
| dev's standpoint they may as well get the benefits of cross
| platform that web-apps afford if they're gonna have to deal with
| the gate-keeping anyways; native performance be damned.
| afavour wrote:
| I am a privacy-conscious person but I really wish these debates
| could be a little more nuanced.
|
| This API is behind a permission prompt that can only be triggered
| in response to a user gesture, so the bar to entry is high. The
| example on web.dev is a chat app that would automatically set an
| active/away status: seems useful! IMO I ought to have the ability
| to cash in some of my privacy chips (so to speak) on a site that
| I know and trust and that I want extra functionality from.
|
| Relatedly, I feel like Safari is heavy-handed in the opposite
| direction. For example, it removes all locally stored data from a
| site if it isn't used within 7 days. There are sites I use less
| frequently than that where I'd still appreciate the ability to
| save information, but I don't have a choice. It all but
| guarantees sites need logins, backend storage etc. just to store
| simple data, which ends up being just as big a privacy danger!
| takeda wrote:
| > The example on web.dev is a chat app that would automatically
| set an active/away status: seems useful!
|
| That's exactly how Google uses it. They will make an
| interesting feature, that absolutely requires this to be
| enabled.
|
| It's similar to how to get a list of recently watched YouTube
| videos on your phone you need to give permission to Google to
| log your history, because it's impossible, of course, to store
| that locally on your phone.
| [deleted]
| atatatat wrote:
| Right, but if I use none of their stack, it doesn't affect
| me.
|
| There is a bifurcation of people who want to learn about the
| tech they use every day, and those that don't.
|
| Those that don't can't be saved if they won't grab around for
| the life raft.
|
| Rest of us still want to build PWAs.
| dmitriid wrote:
| > This API is behind a permission prompt that can only be
| triggered in response to a user gesture, so the bar to entry is
| high.
|
| It really isn't. Some time look at the permissions controls in
| Chrome.
| https://twitter.com/dmitriid/status/1434086651362430976?s=20
|
| Most of these toggles will pop up a permissions dialog. Trigger
| enough of those, and the user will either dismiss them
| automatically or accept automatically.
| afavour wrote:
| I don't understand what you're saying. It absolutely is
| behind a permission prompt. If you go to the demo site:
|
| https://idle-detection.glitch.me/
|
| and click "ephemeral", it shows a prompt next to the address
| bar saying "idle-detection.glitch.me wants to know when
| you're actively using this device" and has buttons for
| "block" and "allow". So I don't know how "it really isn't"
| could be true in this case.
| foxfluff wrote:
| > The example on web.dev is a chat app that would automatically
| set an active/away status: seems useful!
|
| Every single feature on the web that gets misused has some
| useful applications too. For me, the useful applications hardly
| ever outweigh the downsides. The web has been getting
| progressively worse and worse.
| afavour wrote:
| > Every single feature on the web that gets misused has some
| useful applications too.
|
| That's why you have the permission prompt.
| mikojan wrote:
| > The example on web.dev is a chat app that would automatically
| set an active/away status: seems useful!
|
| Okay, but you can already do that.
| occamrazor wrote:
| How? You need a native app for that. A web app can only know
| whether a user is active _on the webpage_
| dheera wrote:
| > active/away status
|
| This can easily be abused for stalkerish behavior. Even read
| receipts in chat apps like Facebook should be able to be
| disabled by the user. (You can, with some JS injection, but
| basically that means programmers' privacy is respected and non-
| programmers' privacy is violated.)
|
| Also micromanagement.
|
| I once had a coworker who would "pounce" on me when my Slack
| status became active, instead of respecting the time I needed
| to code. I had to set my Slack status to always away.
| afavour wrote:
| > This can easily be abused for stalkerish behavior
|
| Well, sure. Any away/active status can be used for bad
| things. Pretty much any form of text communication can, too.
| We all opt in and out of things according to our level of
| comfort, like with the permission prompt this API provides.
| _jal wrote:
| Why not add an API to allow servers to request your contact
| information and creditworthiness?
|
| You can just opt out if you're not comfortable with it.
| themacguffinman wrote:
| Seems fine to me if it's opt-in just like the idle-
| detection API.
| afavour wrote:
| Why not debate the API that's in front of us rather than
| make up excessive imaginary ones?
|
| (besides, payment APIs are already able to request your
| contact information in order to bill you and ship things
| to you. And guess what: pretty useful!)
| jrockway wrote:
| Yeah, nobody wants presence features. I think it's especially
| annoying on Discord, because nobody cares which anonymous
| subset of 1000 users is currently sleeping or awake or has
| their screensaver going. Most of my friends type at me while
| they're "offline". Uh huh. (The reason is "I'm avoiding
| someone", which indicates that the feature is only for evil.)
|
| Slack isn't as bothersome (it doesn't seem to try to detect
| "stepped away from the computer for 5 minutes", it's just
| "closed the app for the day" or "has the app open", which is
| better than Discord), but it's a feature that should totally
| go away.
|
| Slack's "z" indicator for "outside of work hours" is fine. I
| will note the irony behind switching to Slack only to have
| Slackbot send them an "electronic mail" when they get back
| online ;) If only there was some other system that could send
| messages to users and have them read them when they feel like
| it.
| godelski wrote:
| > The example on web.dev is a chat app that would automatically
| set an active/away status: seems useful!
|
| I have an alternative way to do this. Check if a user hasn't
| interacted with your text box in x period of time. If they
| haven't, set them to away.
|
| I'm sure people can come up with other methods too. It just
| seems like there's a thousand ways to skin this cat that don't
| have the same potential for privacy issues.
| darren_ wrote:
| But this isn't adequate for the IM use case at all? I spend
| the bulk of my time not focused on my chat app tab(s) but I
| definitely want to be reported as 'available' by those chat
| apps, because I am if someone messages me.
| Lev1a wrote:
| That use case could just as easily be solved through this
| novel concept called "manual override".
| code_duck wrote:
| Couldn't this information already be discerned fairly easily by
| user interaction such as mouse movements, requests or scrolling?
| mdoms wrote:
| Imagine if Mozilla spent even one tenth the amount of effort on
| their own crappy product as they do hand-wringing about Chrome.
| We might have another viable web browser.
| mccr8 wrote:
| The quote the article is based around is discussing a new web
| API in the context of deciding what Mozilla thinks about it. If
| Mozilla isn't going to have any opinions on new web APIs, then
| what is even the point of Firefox? (Disclaimer, I work on
| Firefox but I know anything about specs.)
|
| https://github.com/mozilla/standards-positions/issues/453
| nyanpasu64 wrote:
| I already don't really like how websites can detect whether a tab
| is active or not (perhaps because callbacks/timers get delayed
| when a tab is inactive?). For example, dslreports's speedtest
| fails your measurement if you switch tabs, and Duo's web 2FA
| interface fails to approve a device which you've set to remember
| for 30 days if you're in a different tab.
| krono wrote:
| FYI Access to device sensor data is enabled by default on
| Chrome and Edge.
| AdmiralAsshat wrote:
| You know who loves to use this feature? Recaptcha!
|
| When browsing Firefox in Incognito mode with uBlock Origin and
| uMatrix fully active, the Recaptcha challenges load _painfully_
| slowly. Like each picture might take upwards of five seconds to
| refresh.
|
| And to my delight, I have noticed that if I flip away from that
| tab while the panels are refreshing, they pause until I bring
| the tab back into active focus.
|
| It's a slap in the face that this kind of user-hostile design
| is allowed.
| bityard wrote:
| I see the same thing on the chase.com web site.
|
| When I log into my account, it starts up some react or
| angular type bullcrap that takes literally 5-10 seconds to
| fully load no matter what computer I'm on or what browser I'm
| in. If I switch away to another tab to do something else
| while it's doing that, _it will never fully load_. The only
| option is to sit there with the tab open and stare at it
| until my account information appears.
|
| In 2021, I guess I should just be happy that they're not
| showing me an ad while wasting my time.
| Isthatablackgsd wrote:
| Do you have a clue of how to prevent or disable the
| active/focus/blur tab events as an end-user? Like going to
| uBlock Origin route or something? There is one portal that
| heavily uses these event calls and I don't mind. The issue is if I
| want to generate a report or send queries/messages, I have to
| be on that tab for them to process it. They often take 10
| seconds to 1 min to process it. If I leave the tab, I have to
| restart the process again. It is disruptive to my workflow
| since I have to be on that tab for it to do something. I wonder
| if there is a way to generate a fake/mock event to fool the
| portal that the tab is active while I am looking in another
| tab?
| dillondoyle wrote:
| There are a few ways to do it. First is document.hidden but
| that's the simplest monkey patch ever. Pass through iframe can
| detect some monkey patches though. visibilitychange too.
|
| You're right! At least before it was somewhat mitigated, I
| think, you can measure timing. Chrome used to slow down
| inactive tabs with rounded ms, I believe. I'd have to check the
| fingerprinting JS I wrote a few years ago.
|
| Mouse movement is a good one too.
|
| I'm sure there are other hacks, maybe onfocus the entire window
| and poll it.
|
| IntersectionObserver sounds like a good thread, there is a good
| polyfill library too.
| orthecreedence wrote:
| A closed-source browser built by an ad company _enables
| surveillance???_ Do go on...
| judge2020 wrote:
| For reference, it requires a permission dialog and the demo is
| here: https://reillyeon.github.io/scraps/idle.html
| SquareWheel wrote:
| Interesting that the minimum threshold is one minute. That
| might be too long for features like auto-saving documents, but
| lower-precision probably avoids a lot of nasty use cases too.
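Added example (not part of the thread, the linked demo, or Chrome's code): a sketch of how a chat page could use the Idle Detection API discussed here with its one-minute minimum threshold, and fall back to the page-local activity timer suggested earlier in the thread when the permission is denied or the API is absent, so the site never has to refuse service. `startPresence`, `onStatus` and the `deps` object are hypothetical names; `IdleDetector`, `requestPermission()`, `start()`, `userState` and `screenState` are the browser API.

```javascript
// Added example, not from the thread. Presence state stays in the page.
// startPresence, onStatus and deps are hypothetical names.
const MIN_THRESHOLD_MS = 60_000; // start() rejects thresholds under one minute

async function startPresence(onStatus, deps = {}) {
  const {
    IdleDetector: Detector = globalThis.IdleDetector, // undefined if unsupported
    target = globalThis.document,                     // source of page events
    thresholdMs = MIN_THRESHOLD_MS,
    setTimer = setTimeout,
    clearTimer = clearTimeout,
  } = deps;
  const threshold = Math.max(thresholdMs, MIN_THRESHOLD_MS);
  const controller = new AbortController();

  // Path 1: device-wide idle state, only when the user grants the permission.
  // requestPermission() has to be called from a user gesture (e.g. a click).
  if (Detector) {
    try {
      if ((await Detector.requestPermission()) === "granted") {
        const detector = new Detector();
        const report = () => onStatus(
          detector.userState === "idle" || detector.screenState === "locked"
            ? "away" : "active");
        detector.addEventListener("change", report);
        await detector.start({ threshold, signal: controller.signal });
        report(); // publish the initial state once start() has resolved
        return { mode: "idle-detector", stop: () => controller.abort() };
      }
    } catch {
      // Blocked by policy or not allowed in this context: fall through.
    }
  }

  // Path 2: page-local activity only. No prompt, no device-wide signal.
  let timer = null;
  const markActive = () => {
    clearTimer(timer);
    onStatus("active");
    timer = setTimer(() => onStatus("away"), threshold);
  };
  const events = ["keydown", "pointerdown", "pointermove", "scroll"];
  for (const name of events) target.addEventListener(name, markActive);
  markActive();
  return {
    mode: "page-activity",
    stop: () => {
      clearTimer(timer);
      for (const name of events) target.removeEventListener(name, markActive);
    },
  };
}
```

The returned `mode` tells the caller which signal is in use, so the UI can offer a manual status override when only page-local activity is available.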
| WallyFunk wrote:
| Think about it: if a device's gyroscope is left idle, it presumes
| the behavior of a virtual machine. I imagine trust scores use
| this as a metric when deciding if the user is human or a machine:
| `device was left in the same geo-coords for a long period of
| time`: then it is a bot.
| Forge36 wrote:
| Or a desktop. Or my laptop on a table. This is tangential to
| the article's topic.
| TedDoesntTalk wrote:
| You're assuming mobile only. Laptops don't have gyroscopes.
| EGreg wrote:
| How does Chrome find out?
|
| Is it watching my camera?
|
| Or just no mouse or keyboard activity for a while -- because if
| the latter, my website could already know that.
|
| We built an app for distance learning which put something a lot
| more invasive (but with permission)... namely eye tracking and
| facial recognition to see whether the kids are paying attention.
| It's actually LESS invasive than the current alternative --
| requiring the kid to keep their camera on. Now the teacher just
| knows when the kid is present and when not.
|
| Frankly, USA public schooling is about as invasive and
| controlling for kids as schooling can get. Every minute of their
| lives inside the school is regimented. So distance learning can
| be a respite.
| vxNsr wrote:
| Likely it's using keyboard and mouse tracking. I'm not a fan of
| this at all.
| oblib wrote:
| "As you might expect, developers love this new feature--anything
| that can provide them with more information regarding how users
| are interacting with their apps is a positive."
|
| Here I am deliberately designing apps that track no user
| interaction data at all. Maybe that's why Google doesn't even
| list my app even though it's one of the longest running "web
| apps" alive and used to be listed #1 when it first came out. Now
| they have more ads for similar apps than search results on a
| search results page.
| [deleted]
| halflings wrote:
| > Maybe that's why Google doesn't even list my app even though
| it's one of the longest running "web apps" alive
|
| Is your hypothesis that Google would have some incentive that
| you collect user interaction data? Why would that be?
|
| > used to be listed #1 when it first came out
|
| Back in 2002. A lot has happened since then. Your app [1] is
| not comparable to what competitors like Zoho offer. There's
| plenty of potential reasons for not being ranked higher: from
| the landing page, to the increase in SaaS competition, to not
| keeping up with UX trends etc.
|
| [1] https://ezinvoice.com/
| Narretz wrote:
| This API isn't equivalent with tracking. You can use this state
| entirely in the browser, without sending / storing the user
| behavior anywhere.
| JohnFen wrote:
| You are working on the side of good. I hope that you have great
| success!
| deeblering4 wrote:
| "We'll have to wait and see how developers use this new API in
| Chrome. It could end being an absolute privacy nightmare--or it
| could be no big deal."
|
| Gee whiz! I guess we'll just have to wait and see if G ends up
| being evil or not
| ghuin wrote:
| As long as you're asked for permission I don't see the problem
| birthdaydog wrote:
| "Sorry! Looks like something went wrong. In order to use our
| site you'll have to enable idle tracking. This helps us improve
| our software for customers like you!"
| ghuin wrote:
| That won't happen as long as Safari doesn't implement the
| API. For example: notifications
| tclancy wrote:
| What situations would you ever want to let a site know this?
| x0x0 wrote:
| chat, video conferencing, maybe forums, spotify when it has
| conflicting play instructions between a browser and a
| different device
| ghuin wrote:
| Marking you as away on discord/teams
| kube-system wrote:
| There's two reasons why I think it's a bad idea, along with a
| number of other Chrome APIs:
|
| 1. Most people aren't engineers and don't understand the
| privacy implications of this, and these types of metadata
| collections. Browsers aren't just developer tools, they are
| made for the general public.
|
| 2. I already get spammed by too many permission popups; rarely
| are they for purposes that benefit the user. It would be
| interesting to see some stats on how many users simply accept
| these popups to dismiss them without regard for the
| consequences.
| vorticalbox wrote:
| This is what I was just thinking. It asks for permission just
| like microphone or location.
|
| Both of which you could argue 'allow for surveillance'
| josteink wrote:
| Those permissions have pretty clear use-cases which benefit
| the user itself and enables things which otherwise wouldn't
| be possible.
|
| What user-oriented use-cases does this enable which couldn't
| have been done otherwise?
|
| I really think this is apples vs oranges.
| Ajedi32 wrote:
| Usually the W3C spec for new features like this will
| contain a few paragraphs outlining intended use cases.
|
| In this case:
|
| > Making these distinctions is important for applications
| which have the option of delivering notifications across
| multiple devices, such as a desktop and smartphone. Users
| may find it frustrating when notifications are delivered to
| the wrong device or are disruptive. For example, if they
| switch from a tab containing a messaging application to one
| for a document they are editing, the messaging application,
| not being able to observe that the user is still
| interacting with their device, may assume that they have
| left to grab a coffee and start delivering notifications to
| their phone, causing it to buzz distractingly, instead of
| displaying notifications on their desktop or incrementing a
| badge count.
|
| Source: https://wicg.github.io/idle-detection/#introduction
| cdirkx wrote:
| > the messaging application, not being able to observe
| that the user is still interacting with their device, may
| assume that they have left to grab a coffee and start
| delivering notifications to their phone, causing it to
| buzz distractingly, instead of displaying notifications
| on their desktop or incrementing a badge count.
|
| Is any webapp doing this? To me it sounds like multiple
| steps into the future:
|
| - First a webapp has to have the capability to notify
| just one device, so in this case your browser and not
| also your phone. I can't think of an app where you don't
| receive double notifications on web+mobile (or triple
| with a smartwatch).
|
| - The webapp then needs to be smart enough to dynamically
| select the "most active" device to send the notification
| to.
|
| - The new feature can then be used as a workaround for
| "incorrectly" classifying your computer as an inactive
| device, because you are not interacting with the webpage
| anymore.
| fsckboy wrote:
| giving the users explicit control over where their
| messages are sent is a good idea.
|
| being spied on supposedly so the system can decide where
| to send you messages is a bad idea.
| phnofive wrote:
| Absolutely - and I think the typical user has long since
| been conditioned to click 'Yes' without reading.
| throwawaynew23 wrote:
| Students last year were complaining about Respondus, and its
| privacy-invasive nature, now Chrome supports features similar
| to it. In response to this my school allowed teachers to give
| easier tests to students using Respondus since they could be
| sure they weren't cheating and allowed more complicated tests
| to be made for those refusing to use Respondus. Maybe with
| this they'll recommend Chrome and allow a medium difficulty
| test to be provided to those students.
| detaro wrote:
| That's... not a good thing.
| BystanderX wrote:
| Because if there's a facility that grants out-of-browser data
| to the remote, the remote can deny service unless it is
| enabled.
|
| Unless the feature is designed to fake data and make permission
| status opaque to the remote, it's a privacy reduction that will
| happen, the only question is when.
| vfclists wrote:
| Says the company which has no intent whatsoever of providing a
| half decent alternative to Chrome.
|
| Instead of designing a system that allows third parties to offer
| alternative browsers they decided to be selfish and do everything
| by themselves for themselves, and wonder why their market share
| continues to plummet.
|
| Where is the GeckoView alternative for desktops that would allow
| their technology further reach?
| [deleted]
| CountDrewku wrote:
| I've used Firefox for over a decade and a half and haven't ever
| had a use breaking issue where I felt the need to switch. Where
| are you getting this idea it's not a viable alternative?
|
| More likely their share is smaller because they're competing
| against one of the largest companies in the world.
| passivate wrote:
| Yeah, I'm genuinely puzzled as to where these commenters are
| coming from. FF is a fantastic product and I have it
| installed on all my devices after moving away from Chrome and
| Google products. I also managed to convince our IT to ship it
| as default on all of our company PCs.
| sumtechguy wrote:
| I use both. As an end user the difference is fairly
| minimal. As a dev maybe the debugger is a bit nicer in
| chrome, but that is just opinion. Also for me in some cases
| chrome is becoming the new 'IE'. The site will only work in
| chrome. For my wife if I switched out firefox for chrome I
| doubt she would even notice.
| CountDrewku wrote:
| I push both out to my users. Most people don't use FF but
| they're getting it whether they like it or not ha ha.
| JohnFen wrote:
| Another example of why I avoid Chrome like the plague.
___________________________________________________________________
(page generated 2021-09-23 23:01 UTC)