Ask HN: Why don't browsers extend “This site wants your location” to all data?
Time and again, users on the Internet are shown to be uniquely identifiable through new and old data leakage from their browser.
And I'm wondering: just like browsers already display "do you want to share your location" when websites try to access this info, why don't they have this kind of security mechanism for every information that could make the user uniquely identifiable such as "This site wants to know [the list of installed [fonts|plugins] | the battery status of your device | ...] ?"
Are there some technicalities that make this a particularly hard problem?
70 comments
[ 2.6 ms ] story [ 136 ms ] threadIf you show too many confusing popups like this, people will get in the habit of clicking "ok" without reading at all.
If there were an API call I think any browser shouldn't implement it, but how to block any possible font sniffing method?
There is an API to enumerate plugins: navigator.plugins returns them into an array. I'd like to be warned about sites asking that and I'd like to return an empty array and see if something breaks. Better: tell me which plugin you need and why and I'll decide which one to let you know I have.
Do the fonts on the site look wrong? Click here to correct (warning: <a href='explanation'>showing correct fonts may have privacy implications</a>).
Not difficult at all... unless you're being intentionally obtuse.
Blend into the crowd: https://addons.mozilla.org/en-US/firefox/addon/blender-1/
Whilst it has good intentions if you think back to UAC in Windows Vista. People just clicked allow for everything without reading after getting tired of the number of requests.
I think there may be demand for a web browser plugin to have this functionality similar to how Ghostery, NoScript etc. have keen users.
There are so many pieces of data like those that you don't even think about which combine to make you uniquely identifiable. Many of them the site is going to have to know for the page to even render properly. Do you really want to have to give permissions for all of them for every host name your browser contacts?
Even if your answer is yes, for the vast majority of people the answer is no.
For example I don't think such a popup for battery level would be a problem. Very few websites legitimately need it, and for those who don't requesting it is a red flag.
Which illustrates that something has gone very wrong in the logical division between "the site" and "the user agent".
Technically, the site has no business asking about screen resolution, cache status or installed fonts etc That is information which should be relevant only to the user agent in constructing the view for the user.
But browsers do not make a distinction between rendering-domain data and those data which do validly dictate what functionality the site provides to the user agent. Except for location, which is somehow perceived as sacred.
Which brings us back to the original question; why are all the data elements thrown into the general Javascript bucket and made fair game for grabbing, except location data? Why not draw the boundary around data that should be private to the user agent? The user should never be interrupted by a prompt to share a list install fonts because, frankly, that information should never be divulged.
No but there are major user experience problems with it. Today the web "just works". You go to a site, you read and do stuff with it, you leave. Now imagine going to one of your favorite sites that tracks this after changing the security model. You're going to get multiple pop ups. Pop ups that regular users are not going to understand. It's easy to understand if it's asking for your location but have you ever tried explaining what plugins are to non techies? Absolutely painful.
There is usefulness to this data and there are abuses. Gotta take the good with the bad. Yeah this data can make them mostly identifiable but it's not perfect and unlikely good enough to be admissable in the court system.
If you really wanted to protect this data then in my opinion access would need to be removed completely. But this could break many things.
But yeah, you don't want to overwhelm the user with popups, that will just make them click ok whenever one appears
A significant number of users will, upon seeing any kind of message that does not mean something totally obvious to them (as a non-techie), just click cancel. Either they panic or they don't understand or they don't care. For example our software used to have a particular kind of error that as clearly as possible stated that it could be solved by visiting a URL and installing some update. Cue lots of support messages: "I see some error, what do I do?"
Browsers are consumer software. If it asks "this webpage wants to use your camera", that's just about obvious enough. However if it asks "this webpage wants to run plugins", user thinks "WTF are plugins" and presses cancel, then wonders why their video is not playing. (Reasonable question from the user's perspective: why didn't the browser say "this webpage wants to play video"?) If it asks "this webpage wants to access your WebGL renderer string" or "this webpage wants to know your hardware information" or something, the user thinks "WTF" and presses cancel, then Google Maps can't work around a graphics driver bug on their system and the map glitches up.
So as far as is possible, consumer software should not prompt the user for anything, and if it does, it should be totally obvious to someone with little to no technical knowledge.
If you're writing an application where your users care about what a popup says, then you should use them.
The current paternalistic trend of removing agency from the user and making choices for them is lazy and perpetuates ignorance. Write better popups that do a better job explaining the problem, educating the user, and expressing the necessary information so the user can make an informed choice.
The point is that if the browser asks for permissions and the majority (or even just a significant minority really) say no because they don't understand the question then it has a tremendously negative impact on every application that could be built using that browser feature. It's better for progress if browser vendors make an intelligent call when and where browser's let applications access things.
Personally I'd rather browsers did ask permission, but in a way that affords application developers a way to explain why they need access. The difficulty would be how to stop rogue apps trying to scare users in to accepting things.
I think this just won't work. Most developers will end up with "need this to work correctly" excuse and proceed in all-or-nothing manner. Maybe with a small room for compromise, but not much. Heck, we already have this quite common with OAuth, when many sites ask you for your name, your contact/friends list, permission to post on your behalf and your first newborn's soul - in "grant all of this or go away" manner.
This will only continue the unnerving trend to train common users to mindlessly agree to whatever they're asked (already happened to license agreements, didn't it?) for because they'll be continuously told that it's "necessary".
https://news.ycombinator.com/item?id=12026876
Let the app think it gets access to all it wants. E.g. fake battery stats, never ringing buzzer, empty or fake contact list, throwaway email address, geolocation in random place (around the world or city of user's choice), random per-installation device IDs, etc.
Really? For mobile applications, users are very wary of them. Granted, they can't do anything until they either accept or deny location (or whatever other thing the app is asking for) data.
It'd take getting used to but, I think it'd be something users would appreciate long term.
Taking this philosophy to the extreme, however, has led to problems. At its most draconian, the implementation of "simpler is always better" results in features being removed or never implemented, walled gardens being created, and the gradual erosion of the general purpose computer.
No it's probably not the right mass market UX, but I am TOTALLY down for a browser which asks me, "This site wants to access (insert some data about me like my browsing habits, Facebook account ID, or stuff that contributes to a unique browser footprint). Allow or disallow?" and then lets me say NO.
So I don't want to dismiss the idea that simpler is better: for mass market UX designed to reach as many users as possible, this is a key principle. But at the same time I believe we need to start considering the fact that in UX one size might not fit all, even when it may not maximize corporate profits.
Maybe shipping your software with a 'developer mode' toggle is the right way to do it!
Well, Firefox's incognito mode goes in the right direction. It's nice to be able to put the browser in a mode where it does the right thing without prompting (where right = respects the user's privacy by default). It would be even better if incognito mode was the default and instead users had to go out of their way to put their browser into "unsafe mode" in order to expose all these nasty bits to web sites.
In my perfect world, developers wouldn't prioritize the amoral business needs so much and would take into account whether or not the product actually does something worthwhile. In our imperfect world, I could settle for the "advanced/developer mode" toggle. But those too are going away, since pro users aren't usually a large part of the group of paying customers...
* Obviously what's "best" is the tricky part
I mean, i have noticed the HN crowd to be trigger happy against paywall popups, imagine if you prevent them from getting to their favorite site every time.
Cookies are the wrong target, and the EU knows it. It's a matter of wanting to be seen doing something, rather than actually doing something useful. Their grasp on technology is ridiculously poor.
They can use cookies all day long. If I don't grant them permission, then I can accept it, but complain about it. But if I click "allow", I feel that they take away my moral right to complain about it.
It's like being pat down / searched by the police. It is annoying, but I'd let it happen, because they probably have good reasons to do it - but I'd still be grumpy about it, and if it happens too often, I'd protest. But if I had to sign a waiver that gave them explicit permission to do so, then I'd have a much worse standing if I wanted to complain.
Does anyone understand what I mean?
I've also come to hate "truste", whatever company/CDN/thing that is, solely because their Cookie-dialog is one of those offenders that I see the most.
And if a web application is complex and has weird dependencies, it should be necessary to “install” a sandbox ONCE with those dependencies (e.g. needs plug-ins X and Y), and at that time the user can see everything that is being exposed and essentially only has to approve once.
It will not work to constantly ask the user. They will just opt-out, or worse opt-in without really knowing or caring what they have done. And usually, they will not know where to go to change their mind later (probably buried in preferences somewhere).
This isn't exactly what you're asking, but I'd say a lot of sites don't or shouldn't need that information anyway. If you're building a web app that requires battery status or processor architecture or what have you, is a web app really the best format for your program?
In firefox, you can disable this nasty behaviour by editing the "dom.battery.enabled" setting in about:config. IMO this should be a MUCH more obvious setting in the settings menu, along with any other information that can be accessed without concent.
This website wants to know the list of fonts installed on your system [allow] [deny]
This website wants to access your location. [allow] [deny]
This website wants to use the css attribute a:visited [allow] [deny]
This website wants to record more than 1 mouse event per second. [allow] [deny]
This website wants to read your battery status. [allow] [deny]
This website wants to disable your ad blocker. [allow] [deny]
This website wants to know your timezone. [allow] [deny]
This website wants to know your device temperature. [allow] [deny]
This website wants to open more permission requests. [allow] [deny]
I would find it weird if a random blog or ecommerce website wanted to know my battery level or device temperature, but frequently I can only block them finding out by blocking JavaScript entirely, and that often means the site doesn't work at all. So I'm caught between giving them access to all sorts of stuff which they can use to identify for me (and I have no idea whether they're doing that or not), or not using the site at all.
It would be nice to be able to say "let the site execute JavaScript, but don't give access to my machine or OS data".
I'm using it (along with uBlock Origin, EFF Privacy Badger and custom Tampermonkey scripts), and while I like the sense of control, I also think it's obvious that fine grained control for such details or further details like battery status is not what most users want or even could handle.
Sometimes it becomes really annoying and I give up on figuring out what minimal set of features a site needs, and I open it in an incognito tab where only uBlock Origin is active.
I'm also thinking about another kind of plugin - one that simply monitors access to browser API calls required to get information like resolution, mouse pointer position, battery level, etc. and that would display you only the "spying level" of a site as an icon. Like the padlock icon, changing colors from green to yellow to red or something, and that would expand when clicked to show something like this:
I'm not sure if current plugin infrastructure has enough power to hook JS APIs like that though.Popups like this act kind of like side effect disclaimers in pharmaceutical advertisements. The ad tries to gloss over them as quickly as possible because they're confusing and scary to the potential customers - for good reason! It's annoying to have to hear that list of crazy side effects in every commercial, but it serves a purpose and it would be a mistake to remove it in the name of "convenience".
I agree, sites should not have access to that data. I would prefer if those features would be removed again instead of introducing more popups.
I don't worry about the battery API that you are probably posting in response to, because there are already a crapton of ways to track users. Here's a list of ways to "tag" a user with something cookie-like: http://arctic.org/~dean/tracking-without-cookies.html There's also a lot of ways to statistically analyze users even without tagging them, if you put your mind to it.
The horses have left the barn, had lots of horse babies together, and grown into a stampeding herd. Bit late to try to close the door.
Application can do everything a JS app can do now. Examples include Gmail, Dropbox etc.. The browser would clearly show that it is an application, and to access platform APIs it would have to be "activated" / "run" (just click OK). The browser might ask for additional permissions if it tries to do something egregious (access camera, or, what's not possible today, open sockets etc.).
Documents can only use very limited javascript (if at all) for presentation purposes (like DHTML of the 2000s, or Google AMP). A lot of stuff will not be possible, like advanced tracking, silly stuff like access to light sensor / vibration, etc.. Examples of this would be newspapers, blogs, etc..
For example, you could include a unique identifying user ID with each request (for either profile) - this would actually make it easier and more explicit to track users, instead of trying to create an identifier out of 10 sources (cookies, fonts, localstorage, ...) in JS. You would probably also allow HTTP cookies in such a profile.
Incidentally, the push towards fast HTML subsets (Google AMP and Facebook Instant Articles) comes exactly from these big advertising / content companies! I think it is because it allows them more control over how ads are included in pages, and it allows them to keep users in their apps for longer.
I don't have an answer, short of a plugin that sends bland global top 5 answers to any such request instead of legit data. I can forsee that breaking some sites though.
I would really like to see a decent solution to this though, but I think it is far too late.
Increasingly, while I use it, it feels like it is the latter.
As my friend is fond of saying, "No bueno."
Welcome to the War on General Purpose Computing.
http://boingboing.net/2012/08/23/civilwar.html
I think the hard problem (probably unsolvable) is that the browser is allowed to exfiltrate the collected data.
But your question is about even more finer control. Some thoughts:
* I believe some of these APIs shouldn't be implemented at all, or should have very limited precision. Eg, Battery Status need not be implemented at all, or if implemented, should return just two values: [high, low].
* In our Request Manager, we could add an extra column for advanced APIs. This would include, for example, Canvas, WebRTC, etc.
* @captainmuon's idea of having two different profiles (document/app) is interesting. Though the choice of profile should be on client side. The default should be conservative (document) and the user should get to choose if a site should be promoted to app or not.
[1] : https://github.com/uprootlabs/gngr