"power-supply" is a fingerprinting vector

[pes10k]

This issue is being filed as part of the requested PING review

The proposal allows the site to learn if the user is using a laptop to access the device (if the "Contributing Factors" API returns "power-supply"). I appreciate that the text says there may be other issues that could trigger this other than the device reducing CPU cycles to preserve battery, but it seems likely that the batter is going to be the most common (far and away) case here.

This is a fingerprinting vector and so is privacy harming. Further, it seems like this information is useful at most to a niche of a fraction of a sliver of uses (if a site is going to change its behavior because of compute pressure, I expect that in the vast majority of cases it doesn't mater why the device is experiencing compute pressure).

I recommend removing this feature from the proposal.

[kenchris]

The team took a new look and this and we decided to follow your recommendation and remove the "power-supply" along with the API to access contributing factors. Thanks!

[anssiko]

Thanks @pes10k for this recommendation and thanks @kenchris for acting on this so swiftly. Please do not hesitate to reach out to @pes10k if you have any questions regarding the other privacy review feedback he submitted on behalf of PING.

I'd suggest crediting PING for their helpful concrete review feedback that is already shaping this specification to be even more privacy-preserving.

@pes10k would you like to be explicitly attributed or would you prefer us to say thank you to the entire PING?

[pes10k]

Thanks @anssiko thats a great outcome for this concern. Thank you to you and @kenchris and the rest of the group for addressing the issue.

As for crediting, I'd be very flattered to be mentioned, but please dont change any current practice to do so. If your group generally doesn't credit reviewers, or prefers to credit groups and individuals, that would be equally as great. Thanks!