The Web Device Manager API is allowing the user to expose their devices included in the configuration of the machine in use. The entire operation of exposing is not going to be invoked without acceptance of the user who is the owner of the local machine in use.
The following API is going to request the user to grant permission to read the machine’s configuration and list of devices and their included setting and properties. If the user didn’t grant the permissions for the web browser to read the list of devices included in the configuration of the local machine, the API will throw specific error informing the user that the operation will not be performed without acceptance to access the devices list.
For more details, please take a look at the entire document:
I’d like to know your thoughts about this proposal. I do think it might be good API for e-commerce and gamers. What do you think about it?
The following API, if implemented, will be marking the website that uses it as a trusted source of drivers update, which will not appear on the projects that mean to infects you by malware.
Malware can be served over HTTPS, too. The use of an API does not make something secure. So fake sites peddling malware will simply use it too, in order to appear authentic.
Other than that it has a minor utility (seems only to be related to identifying out of date drivers?) while having a major impact to privacy, adding a huge amount of unique information for fingerprinting/tracking. The web platform tends to avoid such features.
No. It is not related to identifying out of date drivers only. I pointed many use cases.
Test games’ requirements
Detect outdated drivers on users’ machines.
Gaming industry - Developers will be able to match performant game configuration based on the user’s hardware
E-commerce usage - create related products sliders that provide more accurate offer based on the user’s hardware configuration
Marketing usage - Ads based on the current user’s machine configuration
Detection of hardware to support World community grid organisation
Of course, it will touch and impact privacy, and it is a big issue. Everything can be explained to the users by telling them that by enabling and accepting the usage of the API, they are exposing their hardware information. As I said, there would be a notification which would give you two options - decline or accept. Additionally, it could contain a warning.
I do think that even if it has an impact on privacy, it can be an excellent tool for e-commerce and gamers around the world. I’m not a security specialist, but some people can say more in this matter.
Have you got any idea on how we can keep the functionality of the API without hurting privacy and adding information for fingerprinting and tracking?
Of course, it will touch and impact privacy, and it is a big issue. Everything can be explained to the users by telling them that by enabling and accepting the usage of the API, they are exposing their hardware information.
From experience, this can’t be clearly communicated to the user. This would also allow sites to completely fingerprint users. As you said, it would allow sites to make determination about users based on hardware. That’s quite bad, in the same way that this would violate several net neutrality principles.
Though I appreciate and I’m sympathetic to the use cases, I’d be strongly against adding anything like this to the web.