Google Chrome version 94 was recently released with a long list of patch notes, and buried among them is the announcement of the stable release of Chrome’s Idle Detection API, which has drawn criticism from privacy advocates.
As described by the Chrome Platform Status page for the Idle Detection API, it can “notify developers when a user is idle, indicating such things as lack of interaction with the keyboard, mouse, screen, activation of a screensaver, locking of the screen, or moving to a different screen.”
The design behind such an API is hardly nefarious, with The Register describing it as being intended for multi-user applications like Slack, or online games. In that role it could be useful, but both Mozilla and Apple developers have expressed reservations about the potential for abuse that the Idle Detection API presents.
Apple WebKit developer Ryosuke Niwa pointed out that the API could be used to perform malicious actions only when a user was away from the PC, further obfuscating attempts at detecting resource-intensive malware, like the kind used to mine cryptocurrency. “Our concerns are not limited to fingerprinting. There is an obvious privacy concern that this API lets a website observe whether a person is near the device or not. This could be used, for example, to start mining bitcoins when the user is not around or start deploying security exploits, etc…,” Niwa said.
Niwa further describes the API as unnecessary, with risks far outweighing benefits. “None of the use cases presented either here or elsewhere are compelling, and none of the privacy or security mitigations you’ve presented here and I found elsewhere are adequate,” Niwa said.
Mozilla developer Tantek Çelik expressed similar reservations, particularly focused on surveillance and control concerns. The Idle Detection API, Çelik said, is too tempting of a target for surveillance-minded companies and websites. Armed with the API, such sites could “keep long-term records of physical user behaviors … and use that for proactive psychological manipulation,” Çelik said.
The Idle Detection API could be in use on your system now
With the release of Chrome 94 on September 21, the Idle Detection API is now installed and enabled by default. Those concerned about the potential for misuse may want to turn off the Idle Detection API; luckily it isn’t too hard.
To start, look to the upper right of your Chrome window for the three dots. Clicking on those will open Chrome’s menu. Look for Settings and click on that. With the Settings tab open, look for Privacy and Security in the menu on the left (Figure A).
On the Privacy and Security screen, look for Site Settings (Figure B) and click on it.
The next item you’re looking for is Additional Permissions at the bottom of the Permissions menu (Figure C); click on that, and get ready to scroll.
Toward the bottom of the Additional Permissions items you’ll find an item labeled Your Device Use (Figure D). Click it.
We’ve finally arrived at Figure E, where you can see the option to toggle the Idle Detection API off. You’ll also find space here to add site exceptions if there are some web apps you want to use Idle Detection on.
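To check what the Idle Detection API exposes to a particular page, for example after changing the setting above, a small audit can be run from the DevTools console on that site. This is an added example, not code from the article or from Chrome; the function name `auditIdleDetection`, its `env` parameter and the report fields are assumptions made here, while `IdleDetector` and the `idle-detection` permission name belong to the API itself.

```javascript
// Added example: report what the Idle Detection API exposes to this page.
// `env` is a window-like object (an assumption, so the check also runs outside a browser).
async function auditIdleDetection(env = globalThis) {
  const report = {
    supported: false, permission: 'unavailable',
    userState: null, screenState: null, error: null,
  };

  // Browsers that do not ship the API expose no IdleDetector constructor.
  if (typeof env.IdleDetector !== 'function') return report;
  report.supported = true;

  // Read the stored permission decision for this origin; this never shows a prompt.
  try {
    const status = await env.navigator.permissions.query({ name: 'idle-detection' });
    report.permission = status.state; // 'granted', 'denied' or 'prompt'
  } catch (err) {
    report.permission = 'unknown';
    report.error = err.name;
    return report;
  }
  if (report.permission !== 'granted') return report;

  // Permission is granted: read the same two signals the site can read,
  // then stop the detector straight away.
  const controller = new AbortController();
  try {
    const detector = new env.IdleDetector();
    // 60 seconds is the smallest idle threshold the API accepts.
    await detector.start({ threshold: 60000, signal: controller.signal });
    report.userState = detector.userState;     // 'active' or 'idle'
    report.screenState = detector.screenState; // 'locked' or 'unlocked'
  } catch (err) {
    report.error = err.name; // e.g. NotAllowedError if the frame is not allowed to use it
  } finally {
    controller.abort();
  }
  return report;
}

// In the DevTools console: auditIdleDetection().then(console.table);
```

A `permission` of `denied` or `prompt` means the page currently receives no idle or screen-lock signal; `granted` means it can read both.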