[Tip] Disable or Turn Off Idle Detection API Feature in Google Chrome to Improve Privacy
Newer versions of Google Chrome web browser (version 94 and later) come with a new privacy related feature called “Idle Detection API” or “Your Device Use“. This feature can allow websites to know whether you are using your computer system or away from it. This article will help you in learning what is this new Idle Detection feature and disabling or turning off Idle Detection feature permanently to improve your privacy.
Table of Contents
What is Idle Detection API in Google Chrome Web Browser?
As the name suggests, Idle Detection API functionality implemented in Chrome can allow websites to check whether the user is idle or using the device. If a website implements Idle Detection API, it can find out user’s activity pattern.
Following screenshot shows a test website asking for user’s permission to know when the user is actively using the device or not:
Advertisement
According to web.dev website:
The Idle Detection API notifies developers when a user is idle, indicating such things as lack of interaction with the keyboard, mouse, screen, activation of a screensaver, locking of the screen, or moving to a different screen. A developer-defined threshold triggers the notification.
Examples of sites that may use this API include:
- Chat applications or online social networking sites can use this API to let the user know if their contacts are currently reachable.
- Publicly exposed kiosk apps, for example in museums, can use this API to return to the “home” view if no one interacts with the kiosk anymore.
- Apps that require expensive calculations, for example to draw charts, can limit these calculations to moments when the user interacts with their device.
So basically a website can use Idle Detection API to check user’s activity status.
Remember the website needs to show a notification prompt to the end user asking for permission to check his/her device use. If the user allows website to use Idle Detection API to check device use, it can monitor user’s device use. If the user denies the permission, the website will be blocked and will not be able to monitor device use.
Is Idle Detection API Feature Dangerous in Chrome Browser?
Since this feature can allow websites to check and detect user’s active or idle status, it’s obvious that people will start worrying about it and that’s why the feature has become quite controversial.
Advertisement
Here is Mozilla‘s (team behind Firefox browser) stand on Idle Detection API feature:
I have user-surveillance and user-control concerns about the Idle Detection API. Even with the required 60 second mitigation, it can be used for monitoring a user’s usage patterns, and manipulating them accordingly. (Also noted in Mozilla’s formal objection to the proposed 2021 W3C DAS WG charter).
As it is currently specified, I consider the Idle Detection API too tempting of an opportunity for surveillance capitalism motivated websites to invade an aspect of the user’s physical privacy, keep long term records of physical user behaviors, discerning daily rhythms (e.g. lunchtime), and using that for proactive psychological manipulation (e.g. hunger, emotion, choice). In addition, such coarse patterns could be used by websites to surreptiously max-out local compute resources for proof-of-work computations, wasting electricity (cost to user, increasing carbon footprint) without the user’s consent or perhaps even awareness.
Thus I propose labeling this API harmful, and encourage further incubation, perhaps reconsidering simpler, less-invasive alternative approaches to solve the motivating use-cases.
So Mozilla finds the Idle Detection API harmful and considers removing or disabling the API.
Last year, “Reilly Grant” from Google Chrome team asked WebKit (the browser engine used by Apple Safari browser) engineers about their position or stand on Idle Detection API:
I would like to request an official position from the WebKit team on the emerging Idle Detection API specification. I am aware that this API was included in a list of APIs which you have decided not to implement due to fingerprinting concerns. I assume that this objection was based on the original explainer provided for this API. Since that list was posted the API has been extended to include a permission that sites must acquire before being granted access to user presence signals. I would like to start a conversation to understand the fingerprinting risks you foresee from this API.
Here is what WebKit development team responded to the request:
Our position has not changed. Our concerns are not limited to fingerprinting. There is an obvious privacy concern that this API lets a website observe whether a person is near the device or not. This could be used, for example, to start deploying security exploits when the user is not around. This kind of action-at-a-distance permission prompt is problematic because it’s unclear to the user why such a permission should be granted and for what purpose.
For starters, there is no guarantee that the user won’t immediately come back to the device. Also, who is such a service supposed to know what other device user might be using at any given point? We’re definitely not going to let a website know all the devices a given user might be using at any given point. That’s a very serious breach of the said user’s privacy. It seems to me that such a suppression / distribution mechanism is best left for the underlying operating systems / web browsers to handle.
So WebKit team also objects to the addition of the new API.
How to Disable or Turn Off Idle Detection API in Google Chrome?
Fortunately, Google Chrome allows users to completely disable Idle Detection feature and disallow websites from showing notifications and asking for permissions to monitor their device use.
If you also find Idle Detection feature a security or privacy risk, you can deactivate or disable the feature using following steps:
1. Open Google Chrome web browser, click on 3-dots menu (Main Menu) and select Settings option. Alternatively, you can directly open the Settings page by typing chrome://settings/ in Chrome address bar.
2. Scroll down a little and click on “Site Settings” option.
3. Again scroll down and click on “Additional permissions” option.
4. Now look for “Your device use” (Sites can ask to know when you’re actively using your device) option as shown in following screenshot:
Click on the option and Chrome will open the page where you can enable/disable Idle Detection API feature.
PS: Alternatively, you can direct open Idle Detection Settings page using following URL in Chrome address bar:
chrome://settings/content/idleDetection
5. If you want to completely disable Idle Detection feature and want to restrict or prevent all websites from using Idle Detection API, select following option:
Don’t allow sites to know when you’re actively using your device
You can also allow or disallow certain websites from using Idle Detection API using “Customize behaviors” option. You can click on “Add” button given next to “Not allowed” and “Allowed” websites to add desired websites to blacklist and whitelist respectively. Blacklisted websites will not be able to use Idle Detection API but whitelisted websites will be able to utilize the API.
That’s it. You have successfully disabled Idle Detection API functionality in Google Chrome web browser.
In future, if you decide to restore the API, select the default “Sites can ask to know when you’re actively using your device” option again present on Idle Detection Settings page.
Also Check:
[Tip] How to Remove “Apps” and “Reading List” Buttons from Chrome Bookmarks bar
[Tip] Remove “Search Tabs” Arrow Button from Title bar in Google Chrome
Thanks for this post, VG. Very useful.