
Ask HN: Why don't browsers extend “This site wants your location” to all data? - rapht
Time and again, users on the Internet are shown to be uniquely identifiable through new and old data leakage from their browser.

And I'm wondering: just like browsers already display "do you want to share your location" when websites try to access this info, why don't they have this kind of security mechanism for every piece of information that could make the user uniquely identifiable, such as "This site wants to know [the list of installed [fonts|plugins] | the battery status of your device | ...]?"

Are there some technicalities that make this a particularly hard problem?
======
AshleysBrain
I've been developing and releasing consumer software for a few years now, and
the key rule about popup messages is: Nobody reads them.

A significant number of users will, upon seeing any kind of message that does
not mean something totally obvious to them (as a non-techie), just click
cancel. Either they panic or they don't understand or they don't care. For
example our software used to have a particular kind of error that as clearly
as possible stated that it could be solved by visiting a URL and installing
some update. Cue lots of support messages: "I see some error, what do I do?"

Browsers are consumer software. If it asks "this webpage wants to use your
camera", that's just about obvious enough. However if it asks "this webpage
wants to run plugins", user thinks "WTF are plugins" and presses cancel, then
wonders why their video is not playing. (Reasonable question from the user's
perspective: why didn't the browser say "this webpage wants to play video"?)
If it asks "this webpage wants to access your WebGL renderer string" or "this
webpage wants to know your hardware information" or something, the user thinks
"WTF" and presses cancel, then Google Maps can't work around a graphics driver
bug on their system and the map glitches up.

So as far as is possible, consumer software should not prompt the user for
anything, and if it does, it should be totally obvious to someone with little
to no technical knowledge.

~~~
amelius
You are generalizing. Perhaps some users _do_ care about what a popup says?

~~~
Throwaway23412
I think you missed the point of his comment. It's not merely that users don't
care. It's that most users don't even understand what a popup is saying. The
average user doesn't know what a cookie or a plugin is.

~~~
pdkl95
That kind of misunderstanding is the fault of the _speaker_, not the
listener.

The current paternalistic trend of removing agency from the user and making
choices for them is lazy and perpetuates ignorance. Write better popups that
do a better job explaining the problem, educating the user, and expressing the
necessary information so the user can make an informed choice.

~~~
Jemmeh
A good explanation doesn't matter-- users frequently don't even read the
message. They just hit the button, because they just want to get on to
whatever it is they want to be doing.

------
OMGWTF
This website wants to know your screen resolution. [allow] [deny]

This website wants to know the list of fonts installed on your system [allow]
[deny]

This website wants to access your location. [allow] [deny]

This website wants to use the css attribute a:visited [allow] [deny]

This website wants to record more than 1 mouse event per second. [allow]
[deny]

This website wants to read your battery status. [allow] [deny]

This website wants to disable your ad blocker. [allow] [deny]

This website wants to know your timezone. [allow] [deny]

This website wants to know your device temperature. [allow] [deny]

This website wants to open more permission requests. [allow] [deny]

~~~
Jordrok
You're exactly right that this would be incredibly annoying, but I think that
should be the point. 99% of sites have no business accessing a lot of that
stuff and popping up warnings every time they try to would make it a whole lot
more obvious when a site is taking advantage of your personal data.

Popups like this act kind of like side effect disclaimers in pharmaceutical
advertisements. The ad tries to gloss over them as quickly as possible because
they're confusing and scary to the potential customers - for good reason! It's
annoying to have to hear that list of crazy side effects in every commercial,
but it serves a purpose and it would be a mistake to remove it in the name of
"convenience".

~~~
OMGWTF
> 99% of sites have no business accessing a lot of that stuff and popping up
> warnings every time they try to would make it a whole lot more obvious when
> a site is taking advantage of your personal data.

I agree, sites should not have access to that data. I would prefer if those
features would be removed again instead of introducing more popups.

------
panic
How do you explain what "this site wants to know the list of installed
fonts/plugins" means to the person using the browser? How would they make the
decision to allow or disallow this?

If you show too many confusing popups like this, people will get in the habit
of clicking "ok" without reading at all.

~~~
crdoconnor
>How do you explain what "this site wants to know the list of installed
fonts/plugins" means to the person using the browser?

Do the fonts on the site look wrong? Click here to correct (warning: <a
href='explanation'>showing correct fonts may have privacy implications</a>).

~~~
ryandrake
What privacy implications? Your dialog has either annoyed me or gotten me
vaguely scared of something, but I still don't know whether I should click yes
or no.

~~~
crdoconnor
Message appears at the top of the screen where it can be safely ignored. Click
on the link to see what the privacy implications are.

Not difficult at all... unless you're being intentionally obtuse.

------
return0
In Europe we have "This site uses cookies" popups. Not browser based, not
asking for permission, but, universally they are annoying. It depends on your
definition of 'sensitive data', I guess.

I mean, I have noticed the HN crowd to be trigger happy against paywall
popups, imagine if you prevent them from getting to their favorite site every
time.

~~~
captainmuon
The worst is not that they are annoying, it is that I have to give explicit
permission to use cookies. I am OK with them using cookies, but I don't want
to give them permission. I'd like to leave it a grey area.

They can use cookies all day long. If I don't grant them permission, then I
can accept it, but complain about it. But if I click "allow", I feel that they
take away my moral right to complain about it.

It's like being pat down / searched by the police. It is annoying, but I'd let
it happen, because they probably have good reasons to do it - but I'd still be
grumpy about it, and if it happens too often, I'd protest. But if I had to
sign a waiver that gave them _explicit permission_ to do so, then I'd have a
much worse standing if I wanted to complain.

Does anyone understand what I mean?

~~~
Sylos
I do the same. It's definitely irrational, but I often even leave a site, if
it wants me to click "Agree" on some (Cookie-)dialog, before I can use the
site.

I've also come to hate "truste", whatever company/CDN/thing that is, solely
because their Cookie-dialog is one of those offenders that I see the most.

------
makecheck
I think the solution is not to ask the user for permission but to
automatically create an anonymous sandbox that does what the site requests —
except that sensitive information is faked or reduced.

And if a web application is complex and has weird dependencies, it should be
necessary to “install” a sandbox ONCE with those dependencies (e.g. needs
plug-ins X and Y), and at _that_ time the user can see everything that is
being exposed and essentially only has to approve once.

It will not work to constantly ask the user. They will just opt-out, or worse
opt-in without really knowing or caring what they have done. And usually, they
will not know where to go to change their mind later (probably buried in
preferences somewhere).

------
huehehue
It doesn't seem technically difficult. Many browsers are native applications
and can request hardware information the same way that tools like speccy can.

This isn't exactly what you're asking, but I'd say a lot of sites don't or
shouldn't need that information anyway. If you're building a web app that
requires battery status or processor architecture or what have you, is a web
app really the best format for your program?

------
BinaryIdiot
> Are there some technicalities that make this a particularly hard problem?

No but there are major user experience problems with it. Today the web "just
works". You go to a site, you read and do stuff with it, you leave. Now
imagine going to one of your favorite sites that tracks this after changing
the security model. You're going to get multiple pop ups. Pop ups that regular
users are not going to understand. It's easy to understand if it's asking for
your location but have you ever tried explaining what plugins are to non
techies? Absolutely painful.

There is usefulness to this data and there are abuses. Gotta take the good
with the bad. Yeah this data can make them _mostly_ identifiable but it's not
perfect and unlikely good enough to be admissible in the court system.

If you really wanted to protect this data then in my opinion access would need
to be removed completely. But this could break many things.

------
captainmuon
I think the solution would not be fine-grained permissions, but very coarse
grained. There would be two HTML6 profiles: Document and Application.

Application can do everything a JS app can do now. Examples include Gmail,
Dropbox etc. The browser would clearly show that it is an application, and to
access platform APIs it would have to be "activated" / "run" (just click OK).
The browser might ask for additional permissions if it tries to do something
egregious (access camera, or, what's not possible today, open sockets etc.).

Documents can only use very limited javascript (if at all) for presentation
purposes (like DHTML of the 2000s, or Google AMP). A lot of stuff will not be
possible, like advanced tracking, silly stuff like access to light sensor /
vibration, etc. Examples of this would be newspapers, blogs, etc.

~~~
softawre
I'm sure the ad companies (and therefore the online news networks) will have
no problem with this.

~~~
Sylos
No need to ask all ad companies. The biggest ad company in the world owns the
most widely used browser. They can single-handedly prevent something like this
from being standardized.

~~~
hrjet
There's no need to standardize here? This could be implemented purely on
client side.

------
jerf
In addition to the many replies observing that it would just confuse the user,
I would also add that it wouldn't do anything.

I don't worry about the battery API that you are probably posting in response
to, because there are already a crapton of ways to track users. Here's a list
of ways to "tag" a user with something cookie-like:
[http://arctic.org/~dean/tracking-without-cookies.html](http://arctic.org/~dean/tracking-without-cookies.html) There's
also a lot of ways to statistically analyze users even without tagging them,
if you put your mind to it.

The horses have left the barn, had lots of horse babies together, and grown
into a stampeding herd. Bit late to try to close the door.

------
ebbv
Because most users don't want that level of granularity. Do you really want to
have to give every single site you touch permission to know your screen
resolution, viewport, browser type, browser version, js enabled/disabled,
fonts available, whether jquery/etc. are cached, etc.

There are so many pieces of data like those that you don't even think about
which combine to make you uniquely identifiable. Many of them the site is
going to have to know for the page to even render properly. Do you really want
to have to give permissions for all of them for every host name your browser
contacts?

Even if your answer is yes, for the vast majority of people the answer is no.

~~~
dingaling
> Many of them the site is going to have to know for the page to even render
> properly

Which illustrates that something has gone very wrong in the logical division
between "the site" and "the user agent".

Technically, the site has no business asking about screen resolution, cache
status or installed fonts etc. That is information which should be relevant
only to the user agent in constructing the view for the user.

But browsers do not make a distinction between rendering-domain data and those
data which _do_ validly dictate what functionality the site provides to the
user agent. Except for location, which is somehow perceived as sacred.

Which brings us back to the original question; why are all the data elements
thrown into the general Javascript bucket and made fair game for grabbing,
_except_ location data? Why not draw the boundary around data that should be
private to the user agent? The user should never be interrupted by a prompt to
share a list of installed fonts because, frankly, that information should never be
divulged.

------
anexprogrammer
Given the assorted methods of sniffing a fingerprint, and the tiny subset of
people who even go into options to seek privacy settings, blocking this would
probably be a good identifier in its own right. Add locale, IP, even if on
VPN, and you've probably near uniquely identified yourself.

I don't have an answer, short of a plugin that sends bland global top 5
answers to any such request instead of legit data. I can foresee that breaking
some sites though.

I would _really_ like to see a decent solution to this though, but I think it
is far too late.

~~~
syrrim
Isn't Tor a fairly good solution? They have thousands (at least) of users all
using identical user agents.

------
pasbesoin
Meta: Is the browser _my_ client, or someone else's?

Increasingly, while I use it, it feels like it is the latter.

As my friend is fond of saying, "No bueno."

~~~
TeMPOraL
That's the key issue.

Welcome to the War on General Purpose Computing.

[http://boingboing.net/2012/08/23/civilwar.html](http://boingboing.net/2012/08/23/civilwar.html)

------
hrjet
We do want to take an approach like this in gngr(1). We already have fine-
grained permission control in the Request Manager (inspired by uMatrix, nee
httpSwitchBoard).

But your question is about even finer control. Some thoughts:

* I believe some of these APIs shouldn't be implemented at all, or should have very limited precision. E.g., Battery Status need not be implemented at all, or if implemented, should return just two values: [high, low].

* In our Request Manager, we could add an extra column for advanced APIs. This would include, for example, Canvas, WebRTC, etc.

* @captainmuon's idea of having two different profiles (document/app) is interesting. Though the choice of profile should be on client side. The default should be conservative (document) and the user should get to choose if a site should be promoted to app or not.

[1] : [https://github.com/uprootlabs/gngr](https://github.com/uprootlabs/gngr)

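Two comments above describe the same client-side alternative to prompting: anexprogrammer's plugin that "sends bland global top 5 answers to any such request instead of legit data", and hrjet's suggestion that Battery Status return only [high, low]. The block below is an added example of that shim, written for this page; it is not code from gngr, from uMatrix, or from any browser or extension. The "most common" answers in COMMON are hypothetical values picked for illustration, and makeFakeBrowser builds a constructed stand-in for navigator and screen so the code runs outside a browser; in a real extension the same applyBlandShim would be run from a content script against window.navigator and window.screen before page scripts execute.

```javascript
// Added example (not from the thread, gngr or any extension): a "bland answers"
// shim. Identifying readouts are pinned to a COMMON value, plugins are hidden,
// and Battery Status is coarsened to two levels. navigator/screen are passed in
// so the same code runs here against a constructed stand-in.

// Hypothetical "most common" answers, chosen for illustration only.
const COMMON = {
  platform: 'Win32',
  language: 'en-US',
  hardwareConcurrency: 4,
  screenWidth: 1920,
  screenHeight: 1080,
};

// Pin a property so the page can neither assign to it nor redefine it back.
function pin(obj, name, value) {
  Object.defineProperty(obj, name, {
    value, writable: false, configurable: false, enumerable: true,
  });
}

// Two buckets instead of a fine-grained level, as proposed above.
function coarsenBatteryLevel(level) {
  return level >= 0.5 ? 'high' : 'low';
}

function applyBlandShim(nav, scr) {
  // Capture the real API before shadowing it, so the coarse answer can still
  // be derived from the true reading.
  const realGetBattery = typeof nav.getBattery === 'function'
    ? nav.getBattery.bind(nav) : null;

  pin(nav, 'platform', COMMON.platform);
  pin(nav, 'language', COMMON.language);
  pin(nav, 'languages', Object.freeze([COMMON.language]));
  pin(nav, 'hardwareConcurrency', COMMON.hardwareConcurrency);
  pin(nav, 'plugins', Object.freeze([]));   // nothing to enumerate
  pin(scr, 'width', COMMON.screenWidth);
  pin(scr, 'height', COMMON.screenHeight);

  // Keep the API shape so feature detection still works, but return only the
  // coarse level and a constant charging flag: no charging/discharging times,
  // which are the high-precision values that make the API linkable.
  pin(nav, 'getBattery', async function getBattery() {
    const real = realGetBattery ? await realGetBattery() : { level: 1 };
    return { level: coarsenBatteryLevel(real.level), charging: true };
  });
  return { nav, scr };
}

// CONSTRUCTED stand-in for a real browser (sample input, not captured data).
function makeFakeBrowser() {
  const nav = {
    platform: 'Linux x86_64',
    language: 'de-DE',
    languages: ['de-DE', 'en'],
    hardwareConcurrency: 16,
    plugins: [{ name: 'Shockwave Flash' }],
    getBattery: async () => ({
      level: 0.23, charging: false, chargingTime: Infinity, dischargingTime: 1234,
    }),
  };
  const scr = { width: 2560, height: 1440 };
  return { nav, scr };
}

// Simulates a page script trying to undo the shim; true if the pin held.
function pinHolds(obj, name, expected) {
  try { obj[name] = 'tampered'; } catch (e) { /* TypeError in strict mode */ }
  try {
    Object.defineProperty(obj, name, { value: 'tampered', configurable: true });
  } catch (e) { /* TypeError: cannot redefine non-configurable property */ }
  return obj[name] === expected;
}

const demo = makeFakeBrowser();
applyBlandShim(demo.nav, demo.scr);
demo.nav.getBattery().then((b) => console.log(demo.nav.platform, demo.scr.width, b));
```

Two caveats a practitioner would check before relying on this. First, the replacement values must be plausible together (a 'Win32' platform with a Linux user agent string is itself a rare and therefore identifying combination), which is why the Tor Browser approach mentioned elsewhere in the thread, making every user report the same thing, works better than per-user randomisation. Second, the shim changes types as well as values (a frozen Array where a PluginArray is expected), and a script can detect that; blocking or coarsening the API at the browser level, as the gngr comment proposes, avoids that tell.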
------
danjoc
>Are there some technicalities that make this a particularly hard problem?

I think the hard problem (probably unsolvable) is that the browser is allowed
to exfiltrate the collected data.

------
Tharkun
I assume this was prompted by the battery status information leak. That sort
of behaviour is likely illegal under EU privacy regulations without explicit
consent.

In firefox, you can disable this nasty behaviour by editing the
"dom.battery.enabled" setting in about:config. IMO this should be a MUCH more
obvious setting in the settings menu, along with any other information that
can be accessed without consent.

------
Jonnax
There's a lot of things that a site can access that can be personally
identifiable.

Whilst it has good intentions if you think back to UAC in Windows Vista.
People just clicked allow for everything without reading after getting tired
of the number of requests.

I think there may be demand for a web browser plugin to have this
functionality similar to how Ghostery, NoScript etc. have keen users.

------
Kinnard
Prepend an "Ask HN: "

------
raverbashing
They will probably start asking for more things (or just blocking or
anonymizing, like the battery level information leak)

But yeah, you don't want to overwhelm the user with popups, that will just
make them click ok whenever one appears

------
UnoriginalGuy
Popup fatigue.

------
Singletoned
Chrome is made by people who want that information. Mozilla is heavily funded
by people who want that information. Safari is made by people who want to keep
things as 'simple' as possible. Internet Explorer is made by idiots.

~~~
btashton
I don't use IE, but think the people behind it are far from idiots. Also Edge
is actually a nice browser, I just don't use Windows.

