isn't the mere knowledge of the level of activity on a device a
possible privacy concern, and couldn't the pattern of activity offer a
traffic analysis type opportunity?
regards, Frederick
Frederick Hirsch
Nokia
On Sep 17, 2009, at 1:35 PM, ext Jeremy Orlow wrote:
On Thu, Sep 17, 2009 at 12:50 AM, Arve Bersvendsen <ar...@opera.com>
wrote:
On Thu, 17 Sep 2009 00:05:58 +0200, David Bennett <d...@google.com>
wrote:
I have a proposal for an extension to javascript to enable browsers to
access system idle information. Please give me feedback and
suggestions on the proposal.
What exactly are the security and privacy implications of detecting
system
idle activity in the browser?
As far as I know, there really aren't any. This was discussed on
WhatWG (before being directed here) and IIRC there were no serious
security or privacy concerns. The minimum resolution of the event
makes attacks based on keystroke timing impossible. Some people
suggested that web apps could do something "bad" while the user is
away, but I don't think anyone could come up with a good example of
something "bad". Can you think of any specific concerns?
On Thu, Sep 17, 2009 at 2:43 AM, Robin Berjon <ro...@berjon.com>
wrote:
Hi David,
On Sep 17, 2009, at 00:05 , David Bennett wrote:
I have a proposal for an extension to javascript to enable browsers
to access system idle information. Please give me feedback and
suggestions on the proposal.
Thanks!
SUMMARY
There currently is no way to detect the system idle state in the
browser. For example this makes it difficult to deal with any sort
of chat room or instant messaging client inside the browser since
the idle will always be incorrect; or allow for apps to control
their speed or network resources when a user is idle.
This sounds like it /could/ (not sure and no promises) be an area of
work for DAP, given that it is about device/system information, and
given that I would expect the user to be in very solid control of
the security policy granting access to such information. I guess it
could perhaps be exposed as a system property, part of the System
Information work.
I'm not sure this is the type of API we need to ask the user about.
Web apps can already detect when you're on their page, so I'm not
sure how valuable the additional information you would be leaking
is. I'd assume browsers could have a big hammer like "disable idle
reporting" for any users who are particularly concerned.
In case it's not clear, I think this is a good proposal and all my
concerns were addressed in previous threads: http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-August/022443.html