Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DASWG: Drop Battery API for privacy and lack of implementer support #98

Closed
tantek opened this issue Jul 7, 2020 · 32 comments
Closed

DASWG: Drop Battery API for privacy and lack of implementer support #98

tantek opened this issue Jul 7, 2020 · 32 comments

Comments

@tantek
Copy link
Member

tantek commented Jul 7, 2020

Per DAS charter feedback: On the the grounds of privacy, and given a lack of implementer support, we would like the Devices and Sensors Working Group to cease work on the Battery API and see it published as a Working Group Note instead.

cc: @dwsinger @pes10k @marcoscaceres

(Originally published at: https://tantek.com/2020/188/b1/das-drop-battery-api)

@anssiko
Copy link
Member

anssiko commented Jul 7, 2020

All privacy issues brought up to the group's attention have been documented [1] and reviewed with privacy experts [2] with mitigations specified [1].

The latest version of the Battery Status API has wide implementer support [3].

The DAS WG is commitment to security and privacy focused and use case-driven specification development and believes ceasing this work would be considered harmful.

[1] https://w3c.github.io/battery/#security-and-privacy-considerations
[2] w3c/battery#5
[3] https://caniuse.com/#feat=battery-status

@pes10k
Copy link

pes10k commented Jul 7, 2020

has wide implementer support [3].

This is a question that came up several times during the discussion of the PrivacyCG charter, on how to distinguish "Google developed something up stream and downstream chromium folks haven't [yet?] pulled it out" vs "the down stream chromium folks support and think its good for the web." In other words, does "its in chromium" count as one implementor, or many?

privacycg/privacycg.github.io#9

I dont think there was a clear answer to the above, but I think its fair to say that the general tenor of the conversation (including from the Google rep into the convo privacycg/privacycg.github.io#9 (comment)) was the former (if Google implements, thats one implementation, not many, unless someone downstream affirmatively says otherwise).

@pes10k
Copy link

pes10k commented Jul 7, 2020

Looks like there may just be a bug in caniuse's data, since it seems removed in gecko and Moz's docs.

@anssiko is there a second, non blink implementation (or interest)?

@anssiko
Copy link
Member

anssiko commented Jul 7, 2020

Yes, for example QQ Browser.

@pes10k
Copy link

pes10k commented Jul 7, 2020

@anssiko i am extremely not familiar with QQ browser, and couldn't easily find which engine it uses, but according to wikipedia at least, its also chromium, no?

@anssiko
Copy link
Member

anssiko commented Jul 7, 2020

QQ Browser is interesting in a sense it supports multiple engines in some of its versions.

see also UC Browser and KaiOS Browser that support the API.

@pes10k
Copy link

pes10k commented Jul 7, 2020

according to wikipeida at least, UC browser is also blink.

KaiOS seems to use the Moz implementation that Moz no longer supports. Thats an interesting "implementor interest" situation i haven't seen considered anywhere 🤔

@anssiko
Copy link
Member

anssiko commented Jul 7, 2020

Some versions of UC Browser in the wild are based on “U3” which is a WebKit fork.

All these browsers and their versions add up to global browser support in the ballpark of ~73% for this API per caniuse.com.

Notably, the API is used in ~11% of page loads in Chrome per Chrome usage metrics.

DAS WG is a global community that encourages implementations also by browsers not known to the Western world.

@marcoscaceres
Copy link
Member

It seems pretty unlikely those we would count those as implementations for the purpose of progressing the specification along the recommendation track, right? At least, without subverting the W3C process. [3] clearly shows that this doesn't have "wide support" in the same way we would consider other platform features (implemented in Gecko and WebKit) - only really single engine support, so it's pretty unlikey to reach REC status.

Notably, the API is used in ~11% of page loads in Chrome per Chrome usage metrics.

This should ring alarm bells. Do we know what possible reason a web page have to accessing this API? such high usage points to it being used by one or more trackers.

DAS WG is a global community that encourages implementations also by browsers not known to the Western world.

That's great! And all browsers engines are open sources so people from all over the world contribute to them, but there only 3 of them - so we can't really count chromium wrappers are independent implementations.

@marcoscaceres
Copy link
Member

Ok, yes, it's used as part of a tracking script: YouTube Widget. That would explain the wide distribution and not actual real usage.

@marcoscaceres
Copy link
Member

I think we should do some digging via GitHub search to see if we can find some legitimate uses of the API... I did a quick search, and didn't find much, but we should dig deeper.

@anssiko
Copy link
Member

anssiko commented Jul 9, 2020

It seems pretty unlikely those we would count those as implementations for the purpose of progressing the specification along the recommendation track, right?

We’re not discussing a transition request in this issue.

On topic, for consideration:

I think we should do some digging via GitHub search to see if we can find some legitimate uses of the API...

I did a search in this repo, and found these comments interesting:
w3c/battery#10 (comment)
w3c/battery#10 (comment)

There are probably more, and in the spirit of use case-driven specification development, I suggest we document these in the specifications directly. Please add your findings to w3c/battery#25

@marcoscaceres
Copy link
Member

Sure, the above are interesting, but they need to be balanced out with the actual risk that this is being used to track users. And we should see if there is anyone actually using in the way that Mounir and Rick suggest, otherwise it's just speculative and hypothetical (which is not a great reason to make something a Rec).

As Rick suggests, we could start by clamping down the API by turning off by default and only enabling it via Permissions Policy. That would at least restrict third-party trackers.

@marcoscaceres
Copy link
Member

Ah, just saw that the Editor's draft has permissions policy, but /TR/ hasn't been updated (shakes first at /TR/ again).

@xfq
Copy link
Member

xfq commented Jul 20, 2020

I just had a look at some common tracking/fingerprinting libraries, but didn't find any one that uses Battery Status API. (See fingerprintjs/fingerprintjs#55 for an issue in a popular fingerprinting library.)


FWIW:

Electron can monitor power state changes, but uses a different API.

Some (but not all) MiniApp implementations support getting battery information. (See Baidu Smart Programs for an example.)

@marcoscaceres
Copy link
Member

fingerprintjs/fingerprintjs#55

That issue was closed in 2016, so might warrant new investigation. Again, the fact that 11% of sites are reporting using this API rings alarm bells.

Some (but not all) MiniApp implementations support getting battery information.

Like in this case, that doesn't equate to legitimate uses of the API (i.e., non-tracking ones, inline with the use cases). Exposing the API doesn't really mean much.

@pes10k, as someone who works with the Chromium community, could you check if anyone has sent a patch to plug the Permissions Policy hole as well as the SecureContext hole?

The spec claiming to be private to be private by just adding Permission Policy and SecureContext but then not having engines follow through on that is really frustrating.

Can we change this group's working mode so that things don't land in specs before they implemented or have real implementation commitment? Otherwise, we are just pretending to make the web better and again misusing the W3C process.

All specs in this group should be using: https://github.com/w3c/web-share/blob/master/.github/PULL_REQUEST_TEMPLATE.md to avoid us getting into this situation going forward.

@xfq
Copy link
Member

xfq commented Jul 27, 2020

Again, the fact that 11% of sites are reporting using this API rings alarm bells.

It would be useful if we have concrete examples of this. Can I get a pointer to a website (or a few websites, preferably well-known ones) that uses the Battery Status API for tracking?

@marcoscaceres
Copy link
Member

The Chrome usage stats point to websites. All those websites embed YouTube videos, and those videos embed the script:
https://www.youtube.com/s/player/0bb3b162/player_ias.vflset/en_US/base.js

Search for getBattery() there. YouTube is a tracking widget.

preferably well-known ones) that uses the Battery Status API for tracking?

Any website that embeds YouTube embeds a tracker. So basically pick any website you like, if it has a YouTube video, it has a reference to the API. Now, deciphering what the base.js script does is a different story, because that code is obfuscated... but I bet ya if Chrome turns on Permissions Policy the usage of this API drops to 0.

Now, as a counter, would be nice to see one popular site using this in a legitimate (non-tracking) fashion - and in a way that benefits users at all.

@pes10k
Copy link

pes10k commented Jul 31, 2020

(trying to summarize conversations that have happened across email and slack and other similar GH issues)

RE implementor threshold:

I take @cwilso's point that something not-yet-being-implemented shouldn't be a blocking concern to include something a WG's charter / scope . But I think the concern here is different. Its not that there isn't enough implementation; its more that there has been implementation experience, and we learned that the majority use of these APIs are user-harmful.

Thats not in-and-of-itself a reason to oppose trying again, things could go better the second time around. But its equally reasonable to conclude from previous implementation experience that these kinds of features might just be broadly on the wrong side of a risk / benefit trade off. (Thats at least what motivated my complaint / vote).

In other words, "there aren't enough implementors for the WG to take it on" is a silly complaint, but "based on previous experience, we don't think this should be part of the web platform" seems like a totally valid (procedurally and on the substance) reason to remove items from the group's charter / scope of work.

@marcoscaceres
Copy link
Member

In other words, "there aren't enough implementors for the WG to take it on" is a silly complaint,

It's not. It's completely valid. A single implementer spec is not a standard.

but "based on previous experience, we don't think this should be part of the web platform" seems like a totally valid (procedurally and on the substance) reason to remove items from the group's charter / scope of work.

I disagree. And this one provable. @pes10k, stop avoiding my direct question: is Brave going to do the work to actually enable SecureContext and Permission Policy for Battery or not? It's a yes or no question. Intel and Google are not going to do it, so will you or Brave step up and actually do the work?

Additionally, if Intel and Google are not going to do the actual work. They we should remove SecureContext and Permission Policy from the spec. Having fictitious privacy claims in the spec discredits the work on this working group and w3c.

@pes10k
Copy link

pes10k commented Jul 31, 2020

It's not. It's completely valid. A single implementer spec is not a standard.

Sure, but we're not discussing whether this should be a spec, this discussion is about whether a WG should take on work for something that might eventually become a spec. I think we're agreeing on the broad point, but "there aren't currently enough implementations" is not in and of itself a reason to ask a WG to stop working on an item; it just means its not ready to move to rec.

I disagree.

Sorry, im not following, what are you disagreeing with? I / Brave voted the same way as Moz / @tantek here.

And this one provable. @pes10k, stop avoiding my direct question: is Brave going to do the work to actually enable SecureContext and Permission Policy for Battery or not? It's a yes or no question

Please take the temperature down a bit here @marcoscaceres! I'm not avoiding a question, it looks like I missed a single GH message.

But no, Brave has no intention to do any work at all implementing anything relating to the battery API. We don't support it.

@marcoscaceres
Copy link
Member

But no, Brave has no intention to do any work at all implementing anything relating to the battery API. We don't support it.

Really, then what's this?

Screen Shot 2020-07-31 at 12 08 32 pm

Please understand why I'm getting really pissed off here: Brave is part of the Chromium project and you ship the API (I guess you didn't know that, surprise! 🎉 ), but you seem unwilling to go an actually fix stuff in the Chromium project you depend on.

Anyway, seems like the only solution here is remove SecureContext and Permissions Policy integration from the spec until someone has the actual guts step up and actually implement/ship secure contexts and Permission Policy.

@pes10k
Copy link

pes10k commented Jul 31, 2020

Those are the fake values we return to avoid breaking websites:

https://github.com/brave/brave-core/blob/2da676522390bb2134d490c468155ab86d6c6ec4/chromium_src/third_party/blink/renderer/modules/battery/battery_manager.cc

Please understand why I'm getting really pissed off here: Brave is part of the Chromium project and you ship the API (I guess you didn't know that, surprise! 🎉 ), but you seem unwilling to go an actually fix stuff in the Chromium project you depend on.

I don't know where this is coming from, but there has to be a better place for us to discuss than in this issue thread

@marcoscaceres
Copy link
Member

It relates directly to the discussion we are having here: It's hard to make a case that the spec should be killed when even well meaning implementers, like Brave, are unwilling to follow the spec with regard to SecureContext and Permissions Policy even when returning bogus values.

See what I mean?

@reillyeon
Copy link
Member

There is an active Intent to Ship thread for implementing the specified Permissions Policy (and perhaps SecureContext) integrations in Blink:

https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/sUs1KsQaXjA

@marcoscaceres
Copy link
Member

Oh, that's great to see @reillyeon. Thank you! Looks like Blink folks are coming to the same conclusions. If the mitigations get shipped, I'm still betting on usage going down to 0.00n% usage (and this becoming non-harmful). At the same time, I'm hopeful we can see some legit breakage, so to allow us to deal with those legitimate cases better (e.g., if YouTube is actually using it for some codec selection, then that's probably better done in the <video> element or whatever).

At the same time, it seems Dev Tools is in a way better position to provide accurate battery consumption information on a per tab basis (see "about:performance" in Firefox), which provides a real time view of energy impact of a tab.

Screen Shot 2020-08-03 at 1 47 05 pm

@tomayac
Copy link

tomayac commented Aug 3, 2020

Most sites that want to use this API for good™ arguably just need to know if the battery level is below a certain limit (where commonly the OS's battery saver mode would kick in). Another way to convey this data could be to expose this info similar to how prefers-reduced-data is exposed (or as a header similar to Save-Data). It could be a Save-Energy header or a prefers-reduced-energy CSS media feature (not tying the preference to just battery, but energy consumption in general).

@marcoscaceres
Copy link
Member

Those are good suggestions @tomayac. I'm still hopeful we can see actual cases where something like "prefers-reduced-energy" would help... like what would added/removed/changed. We talked about video above, so we would need to figure out if it could help there.... like, if <video>'s element could be used with <source media="(prefers-reduced-energy: yep)" src="video">.

@tomayac
Copy link

tomayac commented Aug 4, 2020

We do have an example of battery-considerate loading. Check out the live demo.

@lknik
Copy link

lknik commented Aug 21, 2020

Sorry for dropping in, but in summary, are there any conclusions reached here? ;-)

@reillyeon
Copy link
Member

My feeling on this discussion is that there is evidence that there are legitimate reasons for sites to react to the amount of power available in a device and the amount of power they are consuming. There are a number of proposals in this area, of which the current Battery Status API is one. There is also general agreement that the current design of that API is not the one we want to have in the platform.

I would prefer that we were able to get this level of interest and engagement in developing better proposals during normal working group meetings, rather than in response to a unilateral request to cease working in this area entirely.

@xfq
Copy link
Member

xfq commented Dec 2, 2020

The Director has approved the Devices and Sensors Working Group charter, and took into consideration the input from an experiment conducted by the Advisory Board and the TAG and decided that a chartered Working Group was best suited to address these concerns. These concerns will not be ignored but the discussion should be moved into the individual specification issue tracker where the concerns can be addressed.

Moreover, the Director recommended this document be republished as a Working Draft, with a Changes section.

See https://lists.w3.org/Archives/Member/w3c-ac-members/2020OctDec/0034.html (member-only link) for the Director's decision.

@xfq xfq closed this as completed Dec 2, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

8 participants