Use Case (website visitor): View your current location on the map, without sharing with the website #75

Open
prushforth opened this issue Jun 14, 2019 · 12 comments
Labels
discussion: use case a possible use case: should it be included? what should it say? status: placeholder there's a matching section heading / some text in the report, but it's far from complete

Comments

@prushforth
Member

prushforth commented Jun 14, 2019

This issue is for discussion of the use case “View the current location on a map, without disclosing to the website”, its examples & list of required capabilities.


Re: https://www.w3.org/blog/2019/06/privacy-anti-patterns-in-standards/

The use case might be something like (for discussion): allow the user to enable "private" geolocation on the browser and so discover her location on a map, without disclosing that location to the web site. Such a feature would / should not require script to be enabled in order to function.

@AmeliaBR
Member

AmeliaBR commented Jul 5, 2019

Whoops. I missed that you had opened this & created another one with the same reference: #91

That's specifically about adding the reference & some points it makes to the principles used for assessing/tagging different capabilities.

Talking specifically about the use case you brought up: would you consider this a distinct use case ("incognito map browsing mode"), or would you consider the use case to be geolocation & privacy to be a requirement of doing it properly?

@prushforth
Member Author

I think sometimes the user will want to share their location with a Web site, in the belief that the Web site is trustworthy. However, sometimes the user just wants to see where they are on a map, and they shouldn't have to disclose their precise location to anybody, including a tile provider. I'm sure there are limits to how well you can cloak where you are when you zoom in on a particular map tile, but there could be techniques (at the expense of more bandwidth consumption, perhaps) that obfuscate where you actually are by loading random tiles away from your actual location. I'm sure I haven't considered everything; it was just the idea of script being the main vector for exfiltrating stuff about you, being the only way to trigger geolocation that seemed wrong to me.

@prushforth
Member Author

Of course, if JavaScript is enabled, and there is a real live map in the page, it's trivial to get the location of the map centre.

@AmeliaBR AmeliaBR added discussion: use case a possible use case: should it be included? what should it say? status: suggestion this issue discusses a suggested addition to the report, that is not yet in the draft labels Sep 27, 2019
@AmeliaBR AmeliaBR changed the title Privacy Use Case (website visitor): View your current location on the map, without sharing with the website Sep 27, 2019
@AmeliaBR
Member

OK, updated the issue title to describe this as a use case.

@Malvoz Malvoz added status: placeholder there's a matching section heading / some text in the report, but it's far from complete and removed status: suggestion this issue discusses a suggested addition to the report, that is not yet in the draft labels Jan 25, 2020
@zcorpan

zcorpan commented Nov 23, 2021

I don't understand how this could possibly work.

@prushforth
Member Author

What's implausible? The idea is that the UA could supply a button for turning on GPS location that wasn't tied to a scripted use of navigator.geolocation.getCurrentPosition. The map could track the location returned as if the user was using a mouse or keyboard to use the map.

@zcorpan

zcorpan commented Nov 25, 2021

Not sharing the location with the website means that the user must disable JS, there has to be a built-in map widget in the browser that does not fetch any layers or any other data as you pan the map, CSS is not allowed to "know" (through selectors) which part of the map is currently visible (since it could fetch something i.e. notify the website)...

@prushforth
Member Author

> the user must disable JS

Let's say JS is on. The map widget would provide a native control that turns the map into "location sync mode", but what about that mode would look different to the server than the user moving the map with a keyboard or mouse pointer?

I realize that the center of the map is somewhat deducible by the resources that are requested, but the center doesn't have to be the user's location, to the knowledge of the web site. Further, the resources could all be fetched from cache for such a mode (perhaps).

@Malvoz
Member

Malvoz commented Nov 25, 2021

There's a somewhat related WICG topic: https://discourse.wicg.io/t/fuzzy-geolocation-improve-privacy-and-security/4822. There's of course a difference between "without sharing location" and obfuscating the part which the user is viewing by e.g. fetching out of view tiles.
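An added example (not part of the thread or of the project's code) for the two comments above: the tiles a map requests place its centre to within one tile, and out-of-view decoy fetches only add candidate locations. It assumes the common XYZ ("slippy map") Web Mercator tile scheme and a 3×3-tile viewport; all function names are hypothetical.

```javascript
// Added illustration; assumes the XYZ ("slippy map") Web Mercator tile scheme.
// Tile containing a WGS84 point at zoom z.
function lonLatToTile(lon, lat, z) {
  const n = 2 ** z;
  const x = Math.floor(((lon + 180) / 360) * n);
  const y = Math.floor(((1 - Math.asinh(Math.tan((lat * Math.PI) / 180)) / Math.PI) / 2) * n);
  return { z, x, y };
}

// Inverse: lon/lat of a (possibly fractional) tile position.
function tileToLonLat(x, y, z) {
  const n = 2 ** z;
  const lat = (Math.atan(Math.sinh(Math.PI * (1 - (2 * y) / n))) * 180) / Math.PI;
  return { lon: (x / n) * 360 - 180, lat };
}

// The 3x3 block of tiles a small viewport centred on a point requests.
function viewportTiles(lon, lat, z) {
  const c = lonLatToTile(lon, lat, z), tiles = [];
  for (let dx = -1; dx <= 1; dx++)
    for (let dy = -1; dy <= 1; dy++) tiles.push({ z, x: c.x + dx, y: c.y + dy });
  return tiles;
}

// Server-side view: centre of the bounding box of one group of requested tiles.
function inferCentre(tiles) {
  const xs = tiles.map(t => t.x), ys = tiles.map(t => t.y);
  const mid = v => (Math.min(...v) + Math.max(...v) + 1) / 2;
  return tileToLonLat(mid(xs), mid(ys), tiles[0].z);
}

// Split requests into groups of edge-adjacent tiles; each group is one candidate viewport.
function candidateViewports(tiles) {
  const left = new Map(tiles.map(t => [`${t.x}/${t.y}`, t])), groups = [];
  while (left.size) {
    const [k0, t0] = left.entries().next().value;
    left.delete(k0);
    const group = [t0]; // doubles as the breadth-first queue
    for (let i = 0; i < group.length; i++) {
      for (const [dx, dy] of [[1, 0], [-1, 0], [0, 1], [0, -1]]) {
        const k = `${group[i].x + dx}/${group[i].y + dy}`;
        if (left.has(k)) { group.push(left.get(k)); left.delete(k); }
      }
    }
    groups.push(group);
  }
  return groups;
}
```

Passing the real viewport plus two distant decoy viewports to `candidateViewports` yields three candidates instead of one, at three times the tile traffic. The real viewport is still among them, which is the difference between obfuscating the view and not sharing the location.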

@zcorpan

zcorpan commented Nov 25, 2021

@prushforth ok, then it's not without sharing the user's location with the website, it's more the website may not be able to tell if it's the user's location or the user is navigating the map.

If JS is on, then the website can absolutely tell if the map is moving because of keyboard or mouse pointer actions, because of events. Further, I assume a web map element would have some API to expose to the page what is currently shown on the map, since many use cases need that (e.g. Display custom web content describing map features), therefore the page knows what's on the map even if no tiles or all tiles are fetched.

@prushforth
Member Author

prushforth commented Nov 26, 2021

> the website can absolutely tell if the map is moving because of keyboard or mouse pointer actions, because of events.

Sure

> a web map element would have some API to expose to the page what is currently shown on the map,

Yes, the DOM would provide ample location and content information about what's in the map.

I will just hold out a sliver of hope for a user agent behaviour that could help the user avoid being tracked, as opposed to knowing what they are looking at. It's like the difference between knowing what the user is reading, vs knowing what they are thinking or doing while they are reading it.

@prushforth
Member Author

Just to note that a WebKit proposal mentions a similar consideration for viewing 3D models:

> A solution to this would be to allow the web page, in particular the WebGL showing the 3D model, to render from the perspective of the user. This would involve granting too much private information to the page, possibly including the camera feed, some scene understanding, and very accurate position data on the user. It should not be a requirement that every web page has to request permission to show a 3D model in this manner. The user should not have to provide access to this sensitive information to have the experience.
