#606: Managed Device Web API
Discussions
Comment by @nightpool Feb 7, 2021 (See Github)
I'm only an interested bystander, but I couldn't help but notice that many of the sections of your Security & Privacy self-review seemed very incomplete or incorrect, given what I know about the spec. For example, for question 6 ("What information from the underlying platform, e.g. configuration data, is exposed by this specification to an origin?"), you answered "No", but my understanding from the explainer was that one of the major goals of this work was to expose the device serial number and directory ID to web platforms. Is this correct?
Question 8 has similar issues—you said that no information is exposed cross-origin, but that's not what the question is asking. It's asking what information the proposed APIs would expose to any origin at all—i.e., any part of the Web. The response here makes me think that there may have been some miscommunication or confusion about the wording of the security and privacy questionnaire, and the answers may need to be fixed before the TAG could get any useful information out of your self-evaluation.
Additionally, reading through the explainer I had a hard time understanding how the spec proposed to implement the "trusted applications" mechanism. Since this spec clearly introduces the possibility for lot of potential security & privacy issues, I think it's really important to nail down exactly how you expect to authenticate and verify the integrity of "Trusted Applications". For example, one very obvious piece of low-hanging fruit is that this API should only be available in secure contexts, to prevent malicious code insertion by adversaries on the network. The explainer is very handwavy about the authentication mechanism here, and it references several concepts, like "applications", that don't make a ton of sense when applied to the web platform. Looking at the Chromium implementation diagram included in the repo, it seems like this means "access is scoped to installed PWAs with an origin that matches a list of origins defined by Enterprise policy", but since i'm not an expert in Chromium code, I'm still not sure if I interpreted the name "WebApp" correctly.
Finally, I couldn't help but notice that while this API appears to be very general, most of the supportive feedback in the WICG incubator thread comes from a set of cloud-managed kiosk companies with very specific needs. Have you considered narrowing the scope of the proposed API to something that would be much more targeted at this use-case? For example, the current spec exposes 4 different identifiers: the Directory ID, the Serial Number, the Annotated Asset ID, and the Annotated Asset Location. But after reading the desires in that thread from the kiosk companies, why not just expose 1 identifier that can be customized by the device administrator, rather than 4 different identifiers with unclear use-cases?
(How far does this set of 4 identifiers even map to non-Chrome systems anyway? They seem very specific to Chrome's existing enterprise interface. Are they even possible to generalize to other browsers? Are there any other browsers who currently have similar concepts, like Safari? Is there any other prior art you investigated that influenced your API design, beyond the existing Chrome API?)
Comment by @Ananubis Mar 2, 2021 (See Github)
Hi @nightpool,
Thanks for the exhaustive feedback!
We have updated our Security & Privacy self-review to more correctly indicate our proposal.
More specifically, on the questions #6 and #8 the answer is identical -- we are exposing managed configuration which is configured per app and global device-specfic attributes. On all the "untrusted" origins, the API calls will fail and will not expose anything.
The exact mechanism of determining which applications are "trustworthy" is based on the origin of the page. If the current origin belongs to the list of the trusted origins(for Chromium, this means that there is a force-installed Web App in that origin), the access to the trusted APIs shall be given.
Regarding the "authentication" mechanism: since we are scoping all applications by "origin", I do think that relying on HTTPS should be enough to reliably authenticate an app. If the force-installed app is hosted under another less secure protocol, this might be an issue. I think, we shouldn't enforce HTTPS, since some users may have applications hosted in the local network without a proper domai. We should allow such cases, but should alert the device administrator about that potential issue when they would try adding a non-https Web App.
Comment by @Ananubis Mar 25, 2021 (See Github)
Hello TAG reviewers!
The specification for the first part of the API(Managed Configuration) is out for review: https://github.com/WICG/WebApiDevice/pull/9 . The S&P questionnaire has been updated accordingly.
We are planning to send out the Intent to Ship very soon, please review Managed Configuration part of the API.
For us, the first part of this API(Managed Configuration) has a high priority and we would like to get feedback on it as soon as possible.
Thank you
Discussed
Apr 26, 2021 (See Github)
Sangwhan: contentious.. get serial number... for corporate things.. when it's not your computer. you list origins where this API is enabled and it's propagated down to the browser. Your enterprise administrator allows that.
Ken: internal sites. Can they go and do that for like youtube? why would they?
Sangwhan: nothing that blocks you, that's an implementation detail
Lea: what are the use cases?
Ken: IT managed laptops. We have specific sites that can do something. is it about limiting or enabling what sites are allowed to do?
Sangwhan: I've seen one case which has the software license portal and it gives the serial numbers that you're supposed to use for your installations. If you don't have access based on the serial number of your device it won't let you download it.
Hadley: would that have to happen in the browser?
Dan: they're moving all of their intranet applications to the browser
Sangwhan: alternative is as a native app
Hadley: that might be safer
Sangwhan: this is uncomfortable in many ways. Undefined aspect is centralized management - probably an implementation detail.
Dan: the people in adtech space are agitating for unique IDs for everyone.. what's to stop them taking advantage of this so that ...
Ken: knowing enterprise it would be opposite, they're never going to do that
Hadley: there are some abuse cases
Ken: I'm sure there are abuse cases
Sangwhan: another use case is the device is preauthenticated to automatically log into certain tools, no ID or password. Knows serial number or host name
Dan: feels like we should say this is not really the web... this is the enterprise software stack. Enterprise specific features for enterprise customers with special APIs can be shipped in Chrome, it's not the web
Hadley: I hear what you're saying.. a lot of it I'm not sure I'm okay with it. If they are fundamentally making changes to the UA and how other parts of the web are working w'eve got to have an opinion.
Amy: last time we talked about this we talked about if only Chrome ships it then it constrains what browser people in corporate settings can use
Sangwhan: either everyone implements this exact API that Chrome ships or we let it become a standard
Lea: interest from other browsers?
Sangwhan: pretty sure Mozilla would not
Ken: pretty sure Edge would
Hadley: MS target market..
Ken: if I want to do something at work I use my IT laptop and it says 'managed by your organisation' and there are a lot of settings you can't even change
Hadley: I wonder if we're in a minority, rebelling against enterprise control...
Sangwhan: should it be a standard?
Ken: is MS interested in this API? Same across edge and chrome makes sense. or do they have any concerns.
Dan: are there certain elements we would like to question? What is really necessary? A more webby approach?
Lea: I was missing a list of use cases for the particular bits of information. What use cases are enabled by returning the serial number? there is nothing in the explainer.
Sangwhan: there are ways to do similar things to the use cases they need for enterprise but I think it's for convenience
Lea: we need to know what problems they're solving
Hadley: it lists two but implies others, buried in detailed description [reads] .. what worries me about these is that they deliberately break the sandboxy nature of the user agent.
Sangwhan: not sure I buy the configuration, that's more convenience.. you could preinstall a client cert on the root of every device which would allow you to uniquely identify each device. There are different ways to do this. It's just more work.
Hadley: worth saying. Good alternate solution.
Sangwhan: same applies for personalisation..
[discussion of certs at OS / browser level]
Hadley: why does this need to go through the web?
Lea: what's the alternative? Don't we want web to compete with native?
Sangwhan: visualbasic.NET?
Amy: we don't want the web to compete on the field of creepy corporate spy-ware. That's not the future we want.
Dan: +1
Sangwhan: instead a fetch on localhost...
Ken: everyone does that at some point
Hadley: feels this really belongs in the OS and at the network level, and push it to IETF
Sangwhan: I don't have a solution
Lea: mixed feelings as well
Dan: resonate with not wanting web to compete on field of spyware.. when you're an employee and your machine is provisioned by taht company, and you oepn your web browser, you still have ane xpectation of privacy - visit your bank website, check on your dentist appointment, perform functions related to your daily life, use your computer during your offtime even if you're in a job where your time is managed.. you still have an expectation of privacy when it comes to use of the web. We need to be aware of that.
Ken: even today people install extensions on my IT laptop, on edge and firefox, that will monitor whatever site I visit, whatever I do, because there are web extensions APIs and I cannot remove them or turn them off. It's the same at other companies.
Dan: I would not be okay with that.
Ken: its unfortunately very common.
[dystopia discussion]
Dan: it might be the right thing to say why do you want to do that with the web
Sangwhan: I could ask.. the main thing seems to be to uniquely identify the device, solvable with client cert. Ask the reason they chose this design?
Hadley: sounds good. Add that it brings up some concerns if you want.
[discuss more at plenary
Comment by @cynthia Apr 27, 2021 (See Github)
Apologies this took so long, it was a pretty contentious issue so it took some time for us to figure out what we want to say. We feel this is a risky feature - the use cases we see in the explainer seem like this mainly is to uniquely identify devices. Couldn't this be enabled by pre-installing unique client certificates on the device?
There is the side note of certificates being possible to copy - so it's not as strong of a guarantee as a serial number.
What are the potential unethical use-cases that might come from this feature?
Comment by @torgo Apr 30, 2021 (See Github)
Hi @Ananubis just following up @cynthia's comment: I think we'd really like to see a lot more detail on the use cases / full use scenarios that this spec is intended to support. As you note in the explainer, this has been something that has previously been possible using a Chrome-specific API. However now you're proposing to bake this more fully into the web platform, which is raising some concerns both about how this could be misused in the wild by bad actors and how it could be harmful if used as intended. In particular, I'm concerned about how this could be used to make surveillance of employees easier to accomplish. That (possibly unintended) outcome would strongly echo the concerns laid about about pervasive monitoring in RFC7285: Pervasive Monitoring Is an Attack:
In particular, the term "attack", used technically, implies nothing about the motivation of the actor mounting the attack. The motivation for PM can range from non-targeted nation-state surveillance, to legal but privacy-unfriendly purposes by commercial enterprises, to illegal actions by criminals. The same techniques to achieve PM can be used regardless of motivation. Thus, we cannot defend against the most nefarious actors while allowing monitoring by other actors no matter how benevolent some might consider them to be, since the actions required of the attacker are indistinguishable from other attacks. The motivation for PM is, therefore, not relevant for how PM is mitigated in IETF protocols.
Discussed
May 1, 2021 (See Github)
Amy: they've not responded to torgo's last comment, or addressed all of nightpool's points (but did address some, updated security and privacy)
Sangwhan: part of me thinks should not be on the web, part of me thinks it should...?
Amy: introducing friction to surveillence is not necessarily a bad thing (imo) .. I'd like to go through this in detail again and leave a nudge comment
Sangwhan: we should have group consensus about whether it should be part of the web or not, potentially close it off. It's contentious.
Amy: worth opening a specific issue in their repo about asking for documenting abuse cases?
Sangwhan: yep
Discussed
May 31, 2021 (See Github)
Dan: we asked for additional use cases, referenced pervasive monitoring is an attack rfc. Was an input for a joint TAG/IETF workshop from 2014 where amongs other things we had the call for moving more of the web to https. It's clear we can't give this a pass, we can't say it's fine to add to the web platform.
Amy: +1
Dan: and they haven't replied.
Sangwhan: the catch is it'll be implemented regardless
Dan: we can say they can code whatever but not into the web platform as a standard
Amy: anything they can say to make us say it's okay? Don't think so
Dan: if they're not going to engage for a whole month..
Ken: leave a comment asking for engagement?
Yves: do we want to make a statement? a longer thing? I think we all agree that the use case itself is dangerous
Sangwhan: has anyone seen intent to implement?
Ken: implemented.. flag you can turn on. In WICG repo. Chrome flag definitely implemented. Requires Chrome 90+
Dan: I could [write something, saying we'll close unsatisfied](https://github.com/w3ctag/design-reviews/issues/606#issuecomment-851925571
Comment by @torgo Jun 1, 2021 (See Github)
Hi @Ananubis. We haven't heard back from you so at this point we are planning to close this with an unsatisfied status if we don't hear anything by next week. In particular, we haven't seen anything that addresses the ethical issues we've raised.
Comment by @Ananubis Jun 2, 2021 (See Github)
Hi @cynthia, @torgo . Thank for your time to review this request and provide comments. Sorry for the late reply because we have a similar internal discussion with some privacy and secuirty experts.
Please note the precondition of using this API is managed device and trusted applications. It means that the device admins should understand these applications before they are allowed to be used by end users. In addition, we think that the management platform (like 'Google Admin Console' to Chrome OS devices) should provide a proper permission mechanism for admins to turn off these functionalities if they want.
Regarding 'Pervasive Monitoring': As mentioned above, the use of these APIs has several restrictions and the scope is always limited to a specific organization. This API cannot get the privacy-unfriendly data from unmanaged devices or regular device users.
Regarding use cases: Some examples are listed in the explainer and the initial proposal. Please feel free to let us know if you want more details.
Discussed
Jun 14, 2021 (See Github)
Ken: they are discussing internally about security.... [writes comment to ask them to get back to us about that]
Amy: their response justifies it with a very narrow scope, but that scope seems to me to not have a place on the web platfor
Comment by @kenchris Jun 15, 2021 (See Github)
Thanks for the update. Can you get back to us when you have concluded your internal discussions? And hopefully then share what you have concluded?
Comment by @Ananubis Jul 22, 2021 (See Github)
Hello @kenchris , we improved the draft specification with more description. Please check 'Permission control' & 'privacy consideration' paragraphs.
Basically, I fully understand that we should protect end users' privacy and avoid collecting device identifiers immorally when they are using web applications. But please note, in this case, the devices are NOT owned (managed) by end users, but device administrators. That's why these new web APIs are named as 'managed device web API' and have many restrictions to avoid they are abused.
I guess this is something new to the web world that 'device owners and end users are different groups'. I noticed that @jyasskin has already created two seperated issues for further discussion.
Discussed
Aug 30, 2021 (See Github)
Dan: leave amy's proposed feedback and close with an unsatisfied...
Hadley: good comment.
[general agreement]
Amy: [closes]
Discussed
Aug 30, 2021 (See Github)
Amy: as i see it there's no reason for a web API here. Nothing that can't be done with existing device administrator tools. The user agent doesn't need to get involved.
Dan: we can be stronger than saying we can't endorse it being added to the web. We could say standardising this could be harmful to web users. We should definitely say it doesn't belong in the web platform or in standardisation. Fine if they want to build it into Chrome as a special thing.
Thanks for the update. We discussed this again in our meetings this week.
NOTE: [RFC7258] treats pervasive monitoring as an attack, but it doesn’t apply to managed devices.
We don't think this is adequate. Given the power dynamics at play in an employer-employee relationship, the UA should still be working in the best interests of the end-user (the employee) even if the device being used is managed by an administrator. That is to say, pervasive monitoring is never a feature. Especially given this in the spec:
[device administrators] may not necessarily have the device user’s best interests
Further, we haven't seen an indication of implementation support from browsers other than Chrome.
As all of the attributes besides serial number are set by the administrator or some internal company system, we have yet to be convinced that the use cases can't be met by the device administrator keeping their own database of these attributes. They already know the serial numbers of the devices they issue to uniquely identify them. Also, the administrator explicitly decides which sites have access to the data. So why is the UA on the managed devices needed to communicate this data to sites? The administrator can do this directly.
We can't endorse adding this as a general mechanism to the Web platform.
Dan: +1 the comment
Tess: works for me
Peter: +1
Rossen: fine to change Is to Wes
Dan: proposed closed for plenary?
Comment by @samuelweiler Aug 30, 2021 (See Github)
@torgo, thank you for drawing this to PING's attention by adding a privacy-tracker label.
As a reminder for the WG, when you're ready for a PING review, please follow the instructions at https://www.w3.org/Guide/documentreview/#how_to_get_horizontal_review
Comment by @rhiaro Sep 1, 2021 (See Github)
Thanks for the update. We discussed this again in our meetings this week.
NOTE: [RFC7258] treats pervasive monitoring as an attack, but it doesn’t apply to managed devices.
We don't think this is adequate. Given the power dynamics at play in an employer-employee relationship, the UA should still be working in the best interests of the end-user (the employee) even if the device being used is managed by an administrator. That is to say, pervasive monitoring is never a feature. Especially given this in the spec:
[device administrators] may not necessarily have the device user’s best interests
Further, we haven't seen an indication of implementation support from browsers other than Chrome.
As all of the attributes besides serial number are set by the administrator or some internal company system, we have yet to be convinced that the use cases can't be met by the device administrator keeping their own database of these attributes. They already know the serial numbers of the devices they issue to uniquely identify them. Also, the administrator explicitly decides which sites have access to the data. So why is the UA on the managed devices needed to communicate this data to sites? The administrator can do this directly.
We can't endorse adding this as a general mechanism to the Web platform.
OpenedFeb 5, 2021
HIQaH! QaH! TAG!
I'm requesting a TAG review of the Managed Device Web API.
This is a proposal to add a series of device related Web APIs that are expected to be used by the applications with the highest degree of trust (i.e., trusted applications). These APIs are explicitly enabled by device owners or administrators through an enterprise policy or an equivalent mechanism. Supporting the similar functionalities in unmanaged devices is a non-goal.
Further details:
We'd prefer the TAG provide feedback as (please delete all but the desired option):
🐛 open issues in our GitHub repo for each point of feedback
☂️ open a single issue in our GitHub repo for the entire review
💬 leave review feedback as a comment in this issue and @-notify @ananubis