Google Chrome 94 arrives with controversial Idle Detection API

Chrome 94 has arrived for Android, iOS, Mac, and Windows, bringing several new features to the world’s most popular browser, but not all of them are being warmly received. The new Idle Detection API that detects user inactivity has raised privacy concerns from some big tech companies.

In the latest version of Chrome—the first to use the new four-week release cycle instead of the old six-week schedule—Google has introduced the Idle Detection API. It works by notifying web applications when users are idle, recognized by a lack of keyboard or mouse use, activation of a screensaver, locking of the screen, or moving to a different screen.

Designed for multi-user applications such as chat apps and online games, the Idle Detection API is enabled by default in Chrome 94. “Applications which facilitate collaboration require more global signals about whether the user is idle than are provided by existing mechanisms that only consider a user’s interaction with the application’s own tab,” states the release notes.

Mozilla is one company that isn’t a fan of the feature, calling it an “opportunity for surveillance capitalism.”

“As it is currently specified, I consider the Idle Detection API too tempting of an opportunity for surveillance capitalism motivated websites to invade an aspect of the user’s physical privacy, keep longterm records of physical user behaviors, discerning daily rhythms (e.g. lunchtime), and using that for proactive psychological manipulation (e.g. hunger, emotion, choice). In addition, such coarse patterns could be used by websites to surreptiously max-out local compute resources for proof-of-work computations, wasting electricity (cost to user, increasing carbon footprint) without the user’s consent or perhaps even awareness,” wrote Mozilla web standards lead Tantek Çelik, on GitHub.

“Thus I propose labeling this API harmful, and encourage further incubation, perhaps reconsidering simpler, less-invasive alternative approaches to solve the motivating use-cases.”

Apple also has reservations. Ryosuke Niwa, a software engineer in the company’s WebKit Architecture team (Safari uses WebKit) said, “Our concerns are not limited to fingerprinting. There is an obvious privacy concern that this API lets a website observe whether a person is near the device or not. This could be used, for example, to start mining bitcoins when the user is not around or start deploying security exploits, etc.”

Elsewhere in Chrome 94, Google is continuing its embracing of HTTPS with HTTPS-First Mode, a feature that was originally planned for Chrome 92. This ensures all page loads are automatically upgraded from HTTP to HTTPS when possible. If it isn’t, a full-screen warning will appear before the older HTTP standard is loaded.

There’s also a new WebGPU API that should improve in-browser games by utilizing modern graphics capabilities, specifically Direct3D 12, Metal, and Vulkan; a sharing menu on desktop, which is currently behind a Chrome flag, filled with sharing shortcuts; the ability for Android tablets to host desktop websites; and several other bug fixes and changes.

Written by