Use Case (website visitor): View your current location on the map, without sharing with the website

[prushforth]

This issue is for discussion of the use case “View the current location on a map, without disclosing to the website”, its examples & list of required capabilities.

---

Re: https://www.w3.org/blog/2019/06/privacy-anti-patterns-in-standards/

The use case might be something like (for discussion): allow the user to enable "private" geolocation on the browser and so discover her location on a map, without disclosing that location to the web site. Such a feature would / should not require script to be enabled in order to function.

[AmeliaBR]

Whoops. I missed that you had opened this & created another one with the same reference: #91

That's specifically about adding the reference & some points it makes to the principles used for assessing/tagging different capabilities.

Talking specifically about the use case you brought up: would you consider this a distinct use case ("incognito map browsing mode"), or would you consider the use case to be geolocation & privacy to be a requirement of doing it properly?

[prushforth]

I think sometimes the user will want to share their location with a Web site, in the belief that the Web site is trustworthy. However sometimes, the user just wants to see where they are on a map, and they shouldn't have to disclose their precise location to anybody including a tile provider. I'm sure there are limits to how well you can cloak where you are when you zoom in on a particular map tile, but there could be techniques (at the expense of more bandwidth consumption, perhaps) that obfuscate where you actually are by loading random tiles away from your actual location. I'm sure I haven't considered everything, it was just the idea of script being the main vector for exfiltrating stuff about you, being the only way to trigger geolocation that seemed wrong to me.

[prushforth]

Of course if JavaScript is enabled, and there is a real live map in the page, its trivial to get the location of the map centre.

[AmeliaBR]

OK, updated the issue title to describe this as a use case.

[zcorpan]

I don't understand how this could possibly work.

[prushforth]

What's implausible? The idea is that the UA could supply a button for turning on gps location that wasn't tied to a scripted use of navigator.geolocation.getCurrentPosition. The map could track the location returned as if the user was using a mouse or keyboard to use the map.

[zcorpan]

Not sharing the location with the website means that the user must disable JS, there has to be a built-in map widget in the browser that does not fetch any layers or any other data as you pan the map, CSS is not allowed to "know" (though selectors) which part of the map is currently visible (since it could fetch something i.e. notify the website)...

[prushforth]

the user must disable JS

Let's say JS is on. The map widget would provide a native control that turns the map into "location sync mode", but what about that mode would look different to the server than the user moving the map with a keyboard or mouse pointer?

I realize that the center of the map is somewhat deducible by the resources that are requested, but the center doesn't have to be the user's location, to the knowledge of the web site. Further, the resources could all be fetched from cache for such a mode (perhaps).

[Malvoz]

There's a somewhat related WICG topic: https://discourse.wicg.io/t/fuzzy-geolocation-improve-privacy-and-security/4822. There's of course a difference between "without sharing location" and obfuscating the part which the user is viewing by e.g. fetching out of view tiles.