Chrome 94 is coming today with support for controversial idle detection API

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,256
Chrome 93 rolled out to the Stable channel last month with support for WebOTP on desktop, and deprecation of the 3DES cipher suite in Transport Layer Security (TLS). Today, Chrome 94 will be released to the general public. Since Google is shifting to a four-week release cycle instead of its previous six-week cadence, and the fact that this build comes just three weeks after Chrome 93, the feature-set this time around is relatively smaller. However, it is certainly more controversial due to the introduction of support for an idle detection API.

Chrome 94 will offer more signals to developers to understand when a user is idle. The developer-facing notification will now be triggered for global signals such as interaction with other apps instead of only the current browser window. While the reaction from web developers has obviously been positive, Mozilla has shot down the API as harmful, citing "opportunity for surveillance capitalism" and the fact that a malicious site could utilize the API to maximize the device's compute resources without the user consenting or knowing about it. In the same vein, the development team behind WebKit - which is the browser engine for Apple's Safari - has provided a negative stance, stating that:

That doesn't seem like a strong enough use case for this API. For starters, there is no guarantee that the user won't immediately come back to the device. Also, who is such a service supposed to know what other device user might be using at any given point? We're definitely not going to let a website know all the devices a given user might be using at any given point. That's a very serious breach of the said user's privacy. It seems to me that such a suppression / distribution mechanism is best left for the underlying operating systems / web browsers to handle.

I'm going to stop responding to this thread at this point because none of the use cases presented either here or elsewhere are compelling, and none of the privacy or security mitigations you've presented here and I found elsewhere are adequate. However, not responding to this thread or future thread about this topic does not mean we'd reconsider our position. Unless a significant new development is being made in either one of the issues we've raised, our position will remain to object to the addition of this API unless otherwise stated regardless of whether we continue to say so in public or not.

Regardless, this API will be available for developers to utilize in Chrome 94 and will be enabled by default.

Another new developer interface included in Chrome 94 is the VirtualKeyboard API. The motivation is to give more control to web developers in terms of how they want the virtual keyboard to be placed and its shape. Currently, this is handled completely by User Agent behaviors. The feedback about this API from the Microsoft Edge team has been positive, which makes sense given that they participated in its development. However, Mozilla and Apple are yet to provide a stance.

Chrome 94 will also bring in support for a low-level WebCodecs API which will offer access to existing hardware and software media encoders and decoders. This will improve the performance of certain applications such as latency-sensitive game streaming.

AppCache is being removed from Chrome 94 too. Google says that this is a deprecated standard and is a security liability, so developers should use Service Workers instead. The feedback from developers has been mixed so far but Mozilla and Apple are in the process of removing it from their respective browsers too.

In terms of relatively smaller changes, Chrome 94 is getting a new display-capture feature policy, support for more color spaces in 2D canvases, cleanup of an API that was used by Flash, a CSS property to offer more control over how layouts interact with scrollbars, and improvements to an existing property to enhance interoperability of CSS 3D transforms.

Chrome 94 will also include a native scheduling API to allow developers to schedule tasks with three levels of priority: user-blocking, user-visible, and background. It also enables a TaskController which can be used to dynamically change these priorities of a task or cancel it altogether. The browser is also getting a sampling profiler to measure JavaScript execution time and debug performance issues. While the reaction from developers has been "strongly positive", Apple has offered a negative stance due to potential performance and security implications. Finally, Chrome 94 will also offer APIs to manipulate raw media output from camera, microphone, or screen capture. The idea is to facilitate machine learning applications so while developer feedback is positive, Mozilla and Apple have provided a negative stance.

Chrome 94 is expected to roll out later today. If it does not update to version 94 automatically for you throughout the course of the day, head over to Help > About Google Chrome to trigger the update once it becomes available. Next up is Chrome 95 which is currently in the Beta channel with a Stable release expected on October 19. This is in line with Google's new release cycle where Stable Chrome updates are released every four weeks.
 

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,256
My installation of Chrome just updated to: Version 94.0.4606.54 (Official Build) (64-bit)
Yes, it is released now:
 

SeriousHoax

Level 49
Verified
Top Poster
Well-known
Mar 16, 2019
3,862

Gandalf_The_Grey

Level 83
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,256

Tutman

Level 12
Verified
Top Poster
Well-known
Apr 17, 2020
542
Yes even Mozilla is screaming about :


How Chrome’s New Feature Is “Harmful”


Chrome 94 introduces a controversial idle detection API. Basically, websites can ask Chrome to report when a user with a web page open is idle on their device. It’s not just about your usage of Chrome or a particular website: If you’ve stepped away from your computer and aren’t using any applications, Chrome can tell the website you’re not actively using your computer.
 
Last edited by a moderator:

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Excerpt: "Regardless, this API will be available for developers to utilize in Chrome 94 and will be enabled by default."

Oh, how lovely...NOT. Is there anything that can be done on the user's side? Only developers can opt out? Wow.

Anyone remember Google and its FLOC-thing? Whatever became of that? It seems this is just another grey development of Google's,. Grey-ware.. Is that where Google Chrome is headed?

Edited to clarify about "enabled by default."
 
Last edited:

Nightwater

Level 2
Jan 26, 2021
69
The point is that Chrome will always dominate the market, nobody can do anything about it, Google is almost the owner of the internet and does what it wants, counting on a lot of money and strong companies supporting it from behind with their advertising and marketing , becomes unbeatable.

Mozila is practically dead, his privacy speech doesn't convince anyone to use it, it's still slow and without many interesting options. Opera is super fast but privacy creates discomfort. The only way out, at least for me, is Brave or Edge, as much as it is from Microsoft, it is complete, fast and has the advantage of being always optimized to go hand in hand with Windows.
 

Deletedmessiah

Level 25
Verified
Top Poster
Content Creator
Well-known
Jan 16, 2017
1,469
Firefox is as fast as Chrome/Edge for me. Has been since Quantum. And I'm using mediocre laptop from 2017 with mediocre at best internet so its not because of strong hardware I'm not noticing any difference. :unsure:
Is it working slow for rest of you people?
 

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,108

Chrome 94's Idle Detection API can be abused according to Mozilla and Apple​

Google implemented the functionality in Chrome 94, which the company released this week. Mozilla and Apple object to the integration of the Idle Detection API, and won't implement it in Firefox and Safari.

Mozilla has "user-surveillance and user-control concerns" about the API, as it "can be used for monitoring a user's usage patterns, and manipulating them accordingly".
As it is currently specified, I consider the Idle Detection API too tempting of an opportunity for surveillance capitalism motivated websites to invade an aspect of the user’s physical privacy, keep longterm records of physical user behaviors, discerning daily rhythms (e.g. lunchtime), and using that for proactive psychological manipulation (e.g. hunger, emotion, choice [1][2][3]). In addition, such coarse patterns could be used by websites to surreptiously max-out local compute resources for proof-of-work computations, wasting electricity (cost to user, increasing carbon footprint) without the user’s consent or perhaps even awareness.

Mozilla published a formal rejection to the proposal. In it, the organization proposes to drop requests that only one implementer has shown interest in, stating that the situation could risk evolving into a "single-implementation spec".
We request that specs be dropped that have shown interest from only one implementer, otherwise we are at risk of a single-implementation spec, which will only ever serve as documentation (i.e. not an actual open standard), as we know that monoculture based standards end-up becoming de facto, based on the one specific implementation’s details, bugs, interpretations, and not what is written in a specification.

Apple published its official response on the Webkit mailing list. The company's WebKit team does not see "strong enough" use cases for implementing the API.
I'm going to stop responding to this thread at this point because none of the use cases presented either here or elsewhere are compelling, and none of the privacy or security mitigations you've presented here and I found elsewhere are adequate. However, not responding to this thread or future thread about this topic does not mean we'd reconsider our position. Unless a significant new development is being made in either one of the issues we've raised, our position will remain to object to the addition of this API unless otherwise stated regardless of whether we continue to say so in public or not.

Chromium-based browsers will support the new API eventually, unless it is removed manually by the development team or disabled.
 

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,108

How to disable Idle Detection in Chrome 94 or higher​

  1. Launch Chrome
  2. Visit chrome://settings/content/idleDetection in address bar
  3. Under Default behavior, select “Don’t allow sites to know when you’re actively using your device
Chrome setting to disable idle detection
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
So the end-user CAN disable Idle Detection. Very good to know. (y) A potential spying tool otherwise, right? Sadly, many mainstream users may not even know of its existance, much less how to easily disable it. Things like this with such a big market share should get wider media coverage--but then, many find it boring and tune out.
 

SpiderWeb

Level 13
Verified
Top Poster
Well-known
Aug 21, 2020
608
So the end-user CAN disable Idle Detection. Very good to know. (y) A potential spying tool otherwise, right? Sadly, many mainstream users may not even know of its existance, much less how to easily disable it. Things like this with such a big market share should get wider media coverage--but then, many find it boring and tune out.
Sites can track you based on the fact that you are one of the few people who disabled it. That's a unique metric too. It's like wearing a mask at Times Square. Yes, nobody knows who you are, but everyone knows you are that stranger wearing a mask in the middle of Times Square lol
 
  • Applause
Reactions: plat

silversurfer

Super Moderator
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,108

How to block sites from requesting Idle Detection API permissions in Chrome​

Here is what needs to be done:
  1. Load chrome://settings/content/idleDetection in the web browser's address bar.
  2. Switch the Default behavior state from "Sites can ask to know when you're actively using your device" to "Don't allow sites to know when you're actively using your device".
Chrome won't display permission request prompts anymore once the change has been made. Just flip the preference again if you need to reset it. Another option that you have is to add sites to the allow list, as these may then use the API without request prompt.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top