Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)
----- Original Message -----
From: Karl Dubost ka...@opera.com

> it doesn't mean they are unhappy about it. Or more exactly that a fraction of them can even look for such a feature.

In most cases ordinary users (not geeks) can not think of a feature, before software developers provide it to them.

>> Second, user accounts are based on e-mails as a rule, which is not unique at all, every user can have multiple e-mails and multiple registrations.
>
> which is a feature, not a bug. Professional account, personal account, cooking-club account, etc.

Who should decide this for a specific web-service? Apparently web-service knows better is it possible to have multiplicate accounts or not.

>> Many web-services struggle against users' reputation spoofing made via such fake accounts.
>
> That's a different issue.

No. This is a related issue.

>> Multiple browser profiles on the same device do not matter, because the same device ID will be returned.
>
> In some countries, in Asia and Africa, a single device can be used by multiple people. Internet cafes are another use case. And shiny tablets can be also for one family.

I know. In some cases a single e-mail is used by several persons, so what?

> Basically device != user != web service

This is true, but this is not a reason for not providing a device ID.

>> The main point, if device ID could be available it would provide more great possibilities for users and web-services.
>
> And it would create big challenges in usability and privacy.

These problems are already here. Device ID will add a new (optional) tool to help in solving them.

> Karl Dubost - http://dev.opera.com/
> Developer Relations, Opera Software

Best wishes,
Stan
Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)
Stan stas...@orc.ru wrote on Fri, 14 Dec 2012 11:51:57 +0300:

> […]
> The main point, if device ID could be available it would provide more great possibilities for users and web-services.

From the top of my head, I can imagine the following possibilities:

- persistent device tracking
- permanently banning devices for services
- mapping devices to users when possible, leaking information

Apple iDevices already have unique device IDs, which were described as a tempting opportunity for use as a tracking agent or to correlate with other personally-identifiable information in unintended ways.

I suggest you read the following analysis critical of Apple's approach: http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf

--
Nils Dagsson Moskopp // erlehmann
http://dieweltistgarnichtso.net
Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)
Last thing to remember: the device ID is not something secret and forbidden for native applications. For example, Android provides Android ID and iOS ASIdentifierManager, which can be read by any installed application. Taking into consideration that many web-services do provide native clients, they already know device IDs (if they want to). Moving this property into browser will just simplify developing web-applications and make them more competitive compared to native apps. Best wishes, Stan
Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)
Hi Stan,

From: stas...@orc.ru
...
Subject: Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)
...

> First, I don't think it's convenient for users to register themselves on many sites, which they visit occasionally. If most of the users do this right now, it does not mean they are happy with this, this is because there is no other, more simple way (as simple as just clicking on remember me).
>
> Second, user accounts are based on e-mails as a rule, which is not unique at all, every user can have multiple e-mails and multiple registrations. Many web-services struggle against users' reputation spoofing made via such fake accounts.

A Device ID would not in general be unique either because it would be managed by the user's browser software which could have features to change the ID, or open a window with a new ID, or export the ID, etc. It's not your computer so not your choice.

> Third, I think it's up to a certain web-service design and requirements, if it needs to identify user accounts or user devices. For example, usage of the same profile on multiple devices can be a violation of a web-service license agreement, or a web-service may bind several devices to the same profile. Multiple browser profiles on the same device do not matter, because the same device ID will be returned. Moving from one device to another, or virtual devices - is just the same thing as having multiple devices considered above.

You could issue users with a controlled device that you own and under restrictive contractual terms and proxy authorization through this. Or perhaps limit service to devices with an ID that is not trivial for users to change.

cheers
Fred
Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)
Stan stas...@orc.ru wrote on Fri, 14 Dec 2012 11:51:57 +0300:

> First, I don't think it's convenient for users to register themselves on many sites, which they visit occasionally. If most of the users do this right now, it does not mean they are happy with this, this is because there is no other, more simple way (as simple as just clicking on remember me).

There is an even simpler way: Not doing registration at all when you do not absolutely, positively need identity. In my experience, that works quite well on blogs and imageboards. [Full disclosure: I have a blog and am a moderator on an imageboard I shall not name.]

> Second, user accounts are based on e-mails as a rule, which is not unique at all, every user can have multiple e-mails and multiple registrations. Many web-services struggle against users' reputation spoofing made via such fake accounts.

I do not understand what is “fake” about such accounts.

> Third, I think it's up to a certain web-service design and requirements, if it needs to identify user accounts or user devices. For example, usage of the same profile on multiple devices can be a violation of a web-service license agreement, or a web-service may bind several devices to the same profile.

I prefer working towards a world where such licensing schemes do not exist. Artificial scarcity introduced by licensing restrictions governing the use of software burdens many so few can profit.

--
Nils Dagsson Moskopp // erlehmann
http://dieweltistgarnichtso.net
Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)
On 13 December 2012 20:20, Stan stas...@orc.ru wrote:

> Hi, I'd like to propose an API to get a unique device's ID in HTML5.

What is a unique device ID? Do all devices have a unique ID? Which bit of hardware is responsible for storing such a thing? Who guarantees its uniqueness, and how?

> In fact, a single method/property seems sufficient so far, say: window.navigator.deviceID.

I don't know if that's sufficient, I would presume it would also be required by a web application as a request header?

> The property should return a string, either obtained directly from OS (as provided by manufacturer, for example, Android ID), or mangled with some salt.

Then it's not a device ID. You can have multiple OS on a device. Is there an existing hardware-based, unique ID that every OS can provide so user agents can use that? Is there a specification or standard for operating systems so that this information can be guaranteed unique? (No)

> Due to security and privacy considerations, the API should ask user confirmation to access the ID by current site, much like geolocation API does.

It's only a privacy consideration if you're associating the ID with personal details. So if you're requesting personal details, then just use them, and not the device ID. What's the reason to know the device ID in this situation?

> The reasoning for this API is the need to uniquely identify every device in many web-applications.

OK. The only real-world use case I've encountered where a web application attempts to uniquely identify a device, was to detect whether a session had been hijacked. Each user of a web application has a unique session, the assumption was therefore that the capabilities of the user's device would not drastically change mid-session (as determined by periodically fingerprinting a wide range of the user agent's characteristics/capabilities).

> Currently the only option is to use some user registration scheme with cookies, local storage, etc.

That doesn't tell you anything about the device. That's how a web application remembers a user, but the web application decides the unique session ID, and therefore the maximum length of the session, and whether or not a user is allowed to have multiple concurrent sessions, etc. In other words, quite a lot depends on the context of the web application.

> It leads to overheads in development (user table support, authorization implementation), and inconveniences to end users which must register themselves on many sites.

I don't see how a device ID solves or assists. Where will the user information come from? Are you interested in the user, or the device? Which? A user is not a device.

> Seamless and unobtrusive, yet authorized identification of device would improve users' experience, imho.

It would?!? How? No client information received by any web application should be trusted outright, that would be a gaping hole in security. Let's suppose a device is replaced, destroyed, cloned or stolen. What happens then? Perhaps you're really looking for an identity assurance provider, or a mechanism for a public user profile to be stored in the browser?

--
Lee
www.webdeavour.co.uk
Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)
On 14 December 2012 08:51, Stan stas...@orc.ru wrote:

> First, I don't think it's convenient for users to register themselves on many sites, which they visit occasionally.

A device ID won't register a user. Where will the profile information come from? If it comes from a web-based service (like Gravatar), then a device ID is not required to address the inconvenience, because users will use multiple devices over time. I don't think making users register each device would be convenient, either.

> Second, user accounts are based on e-mails as a rule, which is not unique at all,

If an email address cannot uniquely identify a user's account, that's a problem with the web application.

> every user can have multiple e-mails and multiple registrations.

A human can have multiple devices.

> Many web-services struggle against users' reputation spoofing made via such fake accounts.

The information sent to a web service can be spoofed/rewritten on the fly. Are web services struggling against humans manually creating fake accounts or against automated systems creating fake accounts? A human can own several devices, a determined human can control thousands more. A device ID isn't going to be a foolproof countermeasure. An automated account spoofing system isn't going to have any trouble automatically generating random device IDs to send to your web service.

> Third, I think it's up to a certain web-service design and requirements, if it needs to identify user accounts or user devices. For example, usage of the same profile on multiple devices can be a violation of a web-service license agreement

Can you tell me of such a service? I would be so extremely disappointed if a web service locked me into the first device I used to access it. I would not continue to use it, there would be absolutely no point in committing myself to use it, too risky. Only allowing a user to use 1 device at a time is more likely, but that is trivial already, you don't need a device ID to enable that. The web application just needs to store session IDs against users in a 1-to-1 ratio, so if a user logs in on a different device, the other device loses its session, so only 1 device can be used at any moment.

> or a web-service may bind several devices to the same profile.

So that would permit concurrent access, device ID would not be useful there.

> Multiple browser profiles on the same device do not matter, because the same device ID will be returned.

That's a bold assumption. Perhaps Multiple browser profiles on the same device do not matter, IF the same device ID is returned. It wouldn't be inconceivable for one profile to have a browser plug-in installed to manipulate the device ID.

> Moving from one device to another, or virtual devices - is just the same thing as having multiple devices considered above.

Is it? How? They would return different device IDs, so how is it just the same thing?

> The main point, if device ID could be available it would provide more great possibilities for users and web-services.

Such as? It sounds like a device ID cannot possibly be guaranteed to be unique, at all, therefore serves no benefit. A web application needs to maintain its own user session state, there are no short cuts, improvements or simplifications such as trusting a client-provided arbitrary value, even systems based on personal digital certificates have to be verified server-side (e.g. was the certificate issued by a trusted authority?).

--
Lee
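The one-session-per-user scheme described in the message above, as an added example that is not code from the thread or from any participant. The `SingleSessionStore` class, its method names and the in-memory maps are assumptions made for illustration; the client-supplied device ID is stored only as a label and never consulted.

```javascript
// Added example (not from the thread): one active session per user, kept server-side.
// SingleSessionStore and its method names are hypothetical; storage is in-memory.

// Web Crypto is a global in browsers and current Node; older Node exposes it via node:crypto.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;

// The server, not the client, picks the session ID: 256 random bits, hex-encoded.
function newSessionId() {
  const bytes = new Uint8Array(32);
  webcrypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

class SingleSessionStore {
  constructor(ttlMs = 30 * 60 * 1000) {
    this.ttlMs = ttlMs;
    this.byUser = new Map();    // userId -> current sessionId (the 1-to-1 mapping)
    this.bySession = new Map(); // sessionId -> { userId, claimedDeviceId, expires }
  }

  // Call only after the user's credentials have been verified.
  // claimedDeviceId is whatever the client sent: kept as a label, never used for decisions.
  login(userId, claimedDeviceId, now = Date.now()) {
    const previous = this.byUser.get(userId);
    if (previous !== undefined) this.bySession.delete(previous); // other device loses its session
    const sessionId = newSessionId();
    this.byUser.set(userId, sessionId);
    this.bySession.set(sessionId, { userId, claimedDeviceId, expires: now + this.ttlMs });
    return sessionId;
  }

  // Returns the userId for a live session, or null for unknown, replaced or expired IDs.
  authenticate(sessionId, now = Date.now()) {
    const session = this.bySession.get(sessionId);
    if (session === undefined) return null;
    if (now >= session.expires) {
      this.logout(sessionId);
      return null;
    }
    return session.userId;
  }

  logout(sessionId) {
    const session = this.bySession.get(sessionId);
    if (session === undefined) return false;
    this.bySession.delete(sessionId);
    if (this.byUser.get(session.userId) === sessionId) this.byUser.delete(session.userId);
    return true;
  }
}

// Constructed scenario: the same user logs in twice, both times claiming the same device ID.
function demo() {
  const store = new SingleSessionStore(1000);
  const phone = store.login('alice', 'device-A', 0);
  const laptop = store.login('alice', 'device-A', 10);
  return {
    distinctIds: phone !== laptop && phone.length === 64,
    phoneAfterSecondLogin: store.authenticate(phone, 20),
    laptopActive: store.authenticate(laptop, 20),
    guessedId: store.authenticate('device-A', 20),
    laptopAfterTtl: store.authenticate(laptop, 2000),
    activeSessionsLeft: store.bySession.size,
  };
}
```

The second login replaces the first session regardless of what device ID either request claims, and presenting the claimed device ID as a credential authenticates nobody.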
Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)
On Fri, 14 Dec 2012, Stan wrote:

> First, I don't think it's convenient for users to register themselves on many sites, which they visit occasionally. If most of the users do this right now, it does not mean they are happy with this, this is because there is no other, more simple way (as simple as just clicking on remember me).

There are solutions to this problem, e.g. you can authenticate to a site using your Facebook identity using one or two clicks.

> Second, user accounts are based on e-mails as a rule, which is not unique at all, every user can have multiple e-mails and multiple registrations. Many web-services struggle against users' reputation spoofing made via such fake accounts.

Users can have multiple devices and could tell their browser to provide a unique identifier with each page access, so a device ID API wouldn't stop or change this.

> Third, I think it's up to a certain web-service design and requirements, if it needs to identify user accounts or user devices. For example, usage of the same profile on multiple devices can be a violation of a web-service license agreement, or a web-service may bind several devices to the same profile.

Binding multiple devices to a profile is easy and done today, it doesn't require an identifier. An identifier wouldn't help stop a user from using multiple devices with one site (not that such a restriction would even make sense in the first place), because there's no guarantee that the user agent isn't providing you with fake device identifiers.

> Multiple browser profiles on the same device do not matter, because the same device ID will be returned.

What if the different profiles are for different people? Or different identities of the same person? (e.g. a woman's professional identity and a pseudonymous identity in an assault support group; or a man's identity that he uses for this extended family, and his identity that he uses when exploring his transsexuality?)

> The main point, if device ID could be available it would provide more great possibilities for users and web-services.

I don't understand what it would provide that would be better than the existing ability to use one's identity from an identity provider.

--
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.
Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)
On Fri, 14 Dec 2012, Stan wrote:

> Last thing to remember: the device ID is not something secret and forbidden for native applications. For example, Android provides Android ID and iOS ASIdentifierManager, which can be read by any installed application. Taking into consideration that many web-services do provide native clients, they already know device IDs (if they want to). Moving this property into browser will just simplify developing web-applications and make them more competitive compared to native apps.

That the Web is more secure and privacy-protecting than native apps is one of the Web's biggest strengths. It's a feature, not a bug. It makes the Web more competitive, not less.

--
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.
[whatwg] API for unique identification of devices (mobile/tablet/pc)
Hi,

I'd like to propose an API to get a unique device's ID in HTML5. If some discussions/works do already exist on it, please let me know, I didn't find this stuff.

In fact, a single method/property seems sufficient so far, say: window.navigator.deviceID. The property should return a string, either obtained directly from OS (as provided by manufacturer, for example, Android ID), or mangled with some salt. Due to security and privacy considerations, the API should ask user confirmation to access the ID by current site, much like geolocation API does.

The reasoning for this API is the need to uniquely identify every device in many web-applications. Currently the only option is to use some user registration scheme with cookies, local storage, etc. It leads to overheads in development (user table support, authorization implementation), and inconveniences to end users which must register themselves on many sites. Seamless and unobtrusive, yet authorized identification of device would improve users' experience, imho.

Best wishes,
Stan
Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)
On Thu, 13 Dec 2012, Stan wrote:

> The reasoning for this API is the need to uniquely identify every device in many web-applications.

Why do you need to identify the device? What about if the user uses the same browser profile on multiple devices? Or multiple browser profiles on the same device? Or moves their profile from one device to another? Or uses multiple virtual machines in one device?

--
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.
Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)
On Dec 13, 2012, at 8:42 PM, Ian Hickson i...@hixie.ch wrote:

> On Thu, 13 Dec 2012, Stan wrote:
>> The reasoning for this API is the need to uniquely identify every device in many web-applications.
>
> Why do you need to identify the device? What about if the user uses the same browser profile on multiple devices?

More than half of our users login with multiple user agents on a given day.

> Or multiple browser profiles on the same device?

Perhaps surprisingly, that's a highly common scenario on mobile devices, particularly out of the US.

--tobie
Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)
Hi,

There are many points.

First, I don't think it's convenient for users to register themselves on many sites, which they visit occasionally. If most of the users do this right now, it does not mean they are happy with this, this is because there is no other, more simple way (as simple as just clicking on remember me).

Second, user accounts are based on e-mails as a rule, which is not unique at all, every user can have multiple e-mails and multiple registrations. Many web-services struggle against users' reputation spoofing made via such fake accounts.

Third, I think it's up to a certain web-service design and requirements, if it needs to identify user accounts or user devices. For example, usage of the same profile on multiple devices can be a violation of a web-service license agreement, or a web-service may bind several devices to the same profile. Multiple browser profiles on the same device do not matter, because the same device ID will be returned. Moving from one device to another, or virtual devices - is just the same thing as having multiple devices considered above.

The main point, if device ID could be available it would provide more great possibilities for users and web-services.

Best wishes,
Stan

----- Original Message -----
From: Tobie Langel tobie.lan...@gmail.com
To: Ian Hickson i...@hixie.ch
Cc: Stan stas...@orc.ru; whatwg@lists.whatwg.org
Sent: Thursday, December 13, 2012 10:54 PM
Subject: Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)

On Dec 13, 2012, at 8:42 PM, Ian Hickson i...@hixie.ch wrote:

> On Thu, 13 Dec 2012, Stan wrote:
>> The reasoning for this API is the need to uniquely identify every device in many web-applications.
>
> Why do you need to identify the device? What about if the user uses the same browser profile on multiple devices?

More than half of our users login with multiple user agents on a given day.

> Or multiple browser profiles on the same device?

Perhaps surprisingly, that's a highly common scenario on mobile devices, particularly out of the US.

--tobie
Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)
On 14 Dec 2012, at 17:51, Stan wrote:

> If most of the users do this right now, it does not mean they are happy with this,

it doesn't mean they are unhappy about it. Or more exactly that a fraction of them can even look for such a feature.

> Second, user accounts are based on e-mails as a rule, which is not unique at all, every user can have multiple e-mails and multiple registrations.

which is a feature, not a bug. Professional account, personal account, cooking-club account, etc.

> Many web-services struggle against users' reputation spoofing made via such fake accounts.

That's a different issue.

> Multiple browser profiles on the same device do not matter, because the same device ID will be returned.

In some countries, in Asia and Africa, a single device can be used by multiple people. Internet cafes are another use case. And shiny tablets can be also for one family.

Basically device != user != web service

> The main point, if device ID could be available it would provide more great possibilities for users and web-services.

And it would create big challenges in usability and privacy.

--
Karl Dubost - http://dev.opera.com/
Developer Relations, Opera Software
Re: [whatwg] API for unique identification of devices (mobile/tablet/pc)
On Friday, 14. December 2012 at 08:52, Karl Dubost wrote:

> On 14 Dec 2012, at 17:51, Stan wrote:
>> If most of the users do this right now, it does not mean they are happy with this,
>
> it doesn't mean they are unhappy about it. Or more exactly that a fraction of them can even look for such a feature.
>
>> Second, user accounts are based on e-mails as a rule, which is not unique at all, every user can have multiple e-mails and multiple registrations.
>
> which is a feature, not a bug. Professional account, personal account, cooking-club account, etc.

You can already simplify the login and signup process by using a technique like Persona by Mozilla which makes it easy to register an account for the user.

>> Multiple browser profiles on the same device do not matter, because the same device ID will be returned.
>
> In some countries, in Asia and Africa, a single device can be used by multiple people. Internet cafes are another use case. And shiny tablets can be also for one family.

It is just not offered on iPad. Android 4.2 introduced it and the response from the users is amazing. Many people share a tablet in family also in Europe (and I think in US, too).

>> The main point, if device ID could be available it would provide more great possibilities for users and web-services.
>
> And it would create big challenges in usability and privacy.

That would be the biggest challenge I think. Privacy would be fully exposed to the web service and that for good reason won't work (at least) in the EU. So this technique would be illegal to use in European countries regarding current privacy laws.

Cheers,
-Anselm