Web Bluetooth API In Chrome 56 Sparks Privacy Concerns

Google distributed Chrome 56 at the end of January. Buried within, developers will find the Web Bluetooth API for the first time: it lets websites contact and exchange information with nearby Bluetooth devices, such as IoT hardware. The change has some frothing at the mouth over personal privacy.

The Web Bluetooth API has been in the works since mid-2015 and reached penultimate form in mid-2016. "Essentially, Web Bluetooth lets you control any Bluetooth Low Energy device -- smart home appliances, health accessories like heart rate or glucose monitors, temperature sensors, etc. -- directly from your PC or smartphone, without having to install an app first," explained Uri Shaked, Google Developer Expert for Web Technologies, in a Web post last summer. Chrome 56 is among the first browsers for mainstream users to ship with the Web Bluetooth API available.

Google's Pete LePage pitches the API as good news for developers in a YouTube video.

"Until now, the ability to communicate with Bluetooth devices has been possible only for native apps," explained LePage. "With Chrome 56, your Web app can communicate with nearby Bluetooth devices in a private and secure manner, using the Web Bluetooth API. The Web Bluetooth API uses the GATT protocol, which enables your app to connect to devices, such as light bulbs, toys, heart-rate monitors, LED displays and more, with just a few lines of JavaScript."

There are a few important items to consider here. First, the Web Bluetooth API requires HTTPS and TLS for the server-to-browser connection, which goes a step beyond SSL as far as security is concerned. More to the point, users have to grant each website permission to scan for and speak with nearby Bluetooth devices. In other words, it is not a one-and-done permission ask; users have to approve access each and every time. Last, all of this assumes that Bluetooth on the machine in question is turned on and active.
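To make the "few lines of JavaScript" in LePage's description and the HTTPS and per-site permission requirements above concrete, here is an added example (not code from the article, from Google, or from Chrome) of the minimal Web Bluetooth flow: check for a secure context, ask the browser chooser for one device that matches a GATT service filter, connect, read a single characteristic, and disconnect. It uses the standard Web Bluetooth names (navigator.bluetooth.requestDevice, gatt.connect, getPrimaryService, getCharacteristic, readValue) and the Bluetooth SIG Heart Rate Measurement layout; the `makeMockBluetooth` stand-in at the bottom is constructed so the flow can be exercised offline under Node, where no real navigator.bluetooth exists.

```javascript
// Added example, not from the article. Assumes the standard Web Bluetooth API
// surface; makeMockBluetooth is a constructed stand-in for navigator.bluetooth.

// Secure-context check: browsers expose navigator.bluetooth only on HTTPS
// origins (or localhost). Returns a reason string, or null when usable.
function bluetoothPreflight(win) {
  if (!win.isSecureContext) return 'not a secure context (HTTPS required)';
  if (!win.navigator || !win.navigator.bluetooth) return 'Web Bluetooth not available';
  return null;
}

// Build requestDevice options. Filtering by the GATT service the page
// actually needs narrows the chooser to matching devices; acceptAllDevices:
// true would instead list every BLE device in range, which is the broad
// scanning privacy critics object to.
function buildRequestOptions(serviceUuid, extraServices = []) {
  return {
    filters: [{ services: [serviceUuid] }],
    optionalServices: extraServices,
  };
}

// Parse a Heart Rate Measurement value (Bluetooth SIG characteristic):
// flags byte bit 0 clear -> uint8 at offset 1; set -> uint16 little-endian.
function parseHeartRate(dataView) {
  const flags = dataView.getUint8(0);
  return flags & 0x01 ? dataView.getUint16(1, true) : dataView.getUint8(1);
}

// The flow: the user picks one device in the browser's chooser, the page
// connects, reads once, and disconnects. Only the device the user chose is
// ever handed to the page; nothing about other nearby devices is returned.
async function readHeartRateOnce(bluetooth, serviceUuid = 'heart_rate') {
  const device = await bluetooth.requestDevice(buildRequestOptions(serviceUuid));
  const server = await device.gatt.connect();
  try {
    const service = await server.getPrimaryService(serviceUuid);
    const ch = await service.getCharacteristic('heart_rate_measurement');
    const value = await ch.readValue();
    return { deviceName: device.name, bpm: parseHeartRate(value) };
  } finally {
    server.disconnect();
  }
}

// Constructed stand-in for navigator.bluetooth so the code runs offline.
// Mirrors the real API's rule that requestDevice needs filters or acceptAllDevices.
function makeMockBluetooth(deviceName, bpm) {
  const buf = new DataView(new ArrayBuffer(3));
  buf.setUint8(0, 0x01);      // flags: 16-bit heart rate value follows
  buf.setUint16(1, bpm, true);
  const characteristic = { readValue: async () => buf };
  const service = { getCharacteristic: async () => characteristic };
  const server = { getPrimaryService: async () => service, disconnect() {} };
  return {
    requestDevice: async (opts) => {
      if (!opts.filters && !opts.acceptAllDevices) {
        throw new TypeError('requestDevice: filters or acceptAllDevices required');
      }
      return { name: deviceName, gatt: { connect: async () => server } };
    },
  };
}

// Usage in a page: readHeartRateOnce(navigator.bluetooth) from a click handler,
// since requestDevice must be triggered by a user gesture. Offline demo:
readHeartRateOnce(makeMockBluetooth('HRM-demo', 72)).then((r) => console.log(r));
```

In a real page the `requestDevice` call must run from a user gesture such as a click handler, and it resolves only after the user picks a device in the browser's chooser; the filter and `optionalServices` lists also bound which GATT services the page can later open on that device, so keeping them minimal is the simplest way to limit what a site learns.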

What types of websites might want access to this data? Think about all the IoT companies that rely on Bluetooth to talk to smartphones: Google, Nest, Honeywell, Philips, and others. Companies such as these may find Bluetooth access from the browser helpful for assisting customers in setting up and/or managing their devices. Surely this type of access will result in at least some positive outcome for end users, but not everyone sees it that way.

"Merely scanning for nearby devices is a marketer's dream," argues The Register. "Instead of merely knowing that a visitor to your site is using Chrome 56 running on Mac OS version 10.11.6, you can also find out what phones are in the house, whether they're using Philips or Osram smart lights, and if they use their own name for device names. There's nothing in the Bluetooth Web API to stipulate how all that data is stored by the site owner."

There are more than a few questions left unanswered by Google here. For example, is the API limited to desktops, or does it apply to smartphones as well? (Chrome 56 is available for macOS, Android, and iOS.) Will end users be able to revoke permissions, or otherwise fine-tune what's shared? ProgrammableWeb reached out to Google seeking answers to these and other questions, but the company has so far not responded.

Eric Zeman
I am a journalist who covers the mobile telecommunications industry. I freelance for ProgrammableWeb and other online properties.