Google Chrome’s new API, Idle Detection, knows when you’ve been sleeping, it knows when you’re awake, and it knows if you’ve been bad or good.
Google’s at it again.
A few weeks ago when Google released Chrome 94 for desktop and Android, a new “feature” added by Alphabet all but slipped under the radar. The feature takes the form of a new API the company is calling Idle Detection. It’s not a feature added to benefit users, but is another way for website owners to keep tabs on you.
Google says the feature is primarily designed for collaborative multi-user applications such as online games, meetings, and chat boxes.
“The Idle Detection API notifies developers when a user is idle, indicating such things as lack of interaction with the keyboard, mouse, screen, activation of a screensaver, locking of the screen, or moving to a different screen. A developer-defined threshold triggers the notification,” the company said on a web page devoted to all of the gee-whiz stuff that’s included in its ad serving platform web browser.
The API reaches beyond the browser's own operations to look at the user's keyboard, mouse, and screen activity, and makes that information available to any website that uses the API. Google says that’s necessary because, “Applications which facilitate collaboration require more global signals about whether the user is idle than are provided by existing mechanisms that only consider a user’s interaction with the application’s own tab.”
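Site operators who do not want the API available to their pages or embedded frames can switch it off with the `Permissions-Policy` response header. The following is an added example, not code from this article or from Google, that audits a header value for the `idle-detection` feature; the function names and sample headers are constructed for illustration, and only the common allowlist forms are parsed.

```javascript
// Added example: how does a Permissions-Policy header treat idle-detection?
// Parses the common forms only: name=(), name=*, name=(self "https://a.example").
const FEATURE = 'idle-detection';

function parsePermissionsPolicy(headerValue) {
  const policy = new Map();
  const directive = /([a-z0-9-]+)\s*=\s*(\*|\([^)]*\))/gi;
  for (const [, name, raw] of (headerValue || '').matchAll(directive)) {
    const allowlist = raw === '*'
      ? ['*']
      : raw.slice(1, -1).split(/\s+/).filter(Boolean)
          .map((token) => token.replace(/^"|"$/g, '')); // strip quotes around origins
    policy.set(name.toLowerCase(), allowlist); // a later directive overrides an earlier one
  }
  return policy;
}

function auditIdleDetection(headerValue) {
  const allowlist = parsePermissionsPolicy(headerValue).get(FEATURE);
  if (allowlist === undefined) {
    // No directive present: the feature's default allowlist ('self') applies.
    return { verdict: 'default-self', origins: ['self'] };
  }
  if (allowlist.length === 0) return { verdict: 'disabled', origins: [] };
  if (allowlist.includes('*')) return { verdict: 'all-origins', origins: ['*'] };
  if (allowlist.length === 1 && allowlist[0] === 'self') {
    return { verdict: 'self-only', origins: ['self'] };
  }
  return { verdict: 'listed-origins', origins: allowlist };
}

// Constructed sample headers, not taken from any real site.
const samples = [
  'geolocation=(), idle-detection=()',
  'idle-detection=*',
  'camera=(self)',
  'idle-detection=(self "https://chat.example")',
];
for (const header of samples) {
  console.log(header, '->', auditIdleDetection(header).verdict);
}
```

A `disabled` verdict means no document covered by the header, including embedded frames, can use the API; `all-origins` is the setting to look for when reviewing a site that embeds third-party content.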
Privacy advocates, of course, are crying “foul!”
Tantek Çelik, the web standards lead at Firefox browser developer Mozilla, had already expressed apprehensions on his blog back in July, when Google was already including a watered-down trial version of the API in its browser.
“I have user-surveillance and user-control concerns about the Idle Detection API,” he wrote.
“As it is currently specified, I consider the Idle Detection API too tempting of an opportunity for surveillance capitalism motivated websites to invade an aspect of the user’s physical privacy, keep longterm records of physical user behaviors, discerning daily rhythms (e.g. lunchtime), and using that for proactive psychological manipulation (e.g. hunger, emotion, choice),” he said. “In addition, such coarse patterns could be used by websites to surreptitiously max-out local compute resources for proof-of-work computations [i.e. cryptomining, etc], wasting electricity (cost to user, increasing carbon footprint) without the user’s consent or perhaps even awareness.”
Chrome-based Browsers Opting Out
Even many competing Chrome-based browsers aren’t happy with the Idle Detection API.
Jon von Tetzchner, founder and CEO at privacy-focused Vivaldi, told FOSS Force that the API is blocked by default in Vivaldi’s browser, and that he shares some of the same misgivings as Çelik.
“This principle of actually monitoring that you’re not in front of the computer, we see that as a privacy problem and we see it as a security problem,” he said. “We do see that there is maybe the potential for someone to recognize, ‘Oh, you’re not on your computer, maybe we can do some damage while you’re not there,’ by mining cryptocurrency or the like.”
“There are definitely concerns from our side with regards to any monitoring of users,” he added. “We just don’t think that should be happening, and I don’t really see the value of this. Any value that might be there for applications like chat services is minuscule compared to the loss of privacy and security.”
Tetzchner indicated that he sees Google’s Idle Detection as just another page from the data mining playbook that is wreaking havoc on many people’s privacy expectations.
“A lot of companies will have a lot of data about us because of their services,” he said. “If you’re providing an email service then you will have people’s emails, but that doesn’t give you the right to read them; it doesn’t give you the right to scan through them to make a profile on the users. I don’t think you would like a mailman that read your mail, you wouldn’t like your telco to listen to your calls, and you wouldn’t like your carpenter to write down what furniture you have. Just because the data is easily accessible for these companies doesn’t give them the right to own it.”
Brave, another privacy-focused browser based on Chrome, is also not on the Idle Detection bandwagon.
In a discussion that broke out on Reddit and GitHub, Brave said it’s disabling the API by default, and evidently not even making it possible for users to enable the feature (we reached out to Brave for clarification, but hadn’t heard back from them at the time of publication).
Apple also published notice that it’s not implementing the API.
An earlier version of this article said that Apple’s Safari browser is based on Chrome, which was an error.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
I don’t know where you got the idea that Apple uses Chrome as the base for Safari. That is just not even close to correct
Oops! My mistake. Fixed. Thanks for the heads up Evan.
Does this also affect Chromium 94 (i.e. Linux Mint’s Debian package, or Canonical’s snap package)?
Craig, according to ghacks, maybe. They say: “Chromium-based browsers will support the new API eventually, unless it is removed manually by the development team or disabled.”
Craig — Now might be a good time to switch to the Ungoogled Chromium project.
Good to know news people can use. Google is pure evil and smart people have nothing to do with the Google monopoly monster. I used Chromium and then discovered it was phoning-home to Google constantly like Firefox does to spy and log user data. Try Wireshark and watch the backdoor packets fly home to Google on both Chromium and Firefox!
Google is cut from the same cloth as Microsoft. It is very clear now that they are not to be trusted. My friends were raving about how clean and fast Chrome was. But I stood my ground and stayed with Firefox. Now who has egg on their face?
An additional API is potentially another insecure API. What happens when hackers use the API to spy and they want more access and utility from it? Will they leverage it to include users in botnets or collect their keystrokes?