[whatwg] API for unique identification of devices (mobile/tablet/pc)

Lee Kowalkowski lee.kowalkowski at googlemail.com
Fri Dec 14 04:03:41 PST 2012

On 14 December 2012 08:51, Stan <stasson at orc.ru> wrote:

> First, I don't think it's convenient for users to register themselves
> on many sites, which they visit occasionally.

A device ID won't register a user.  Where will the profile information come
from?  If it comes from a web-based service (like Gravatar), then a device
ID is not required to address the inconvenience, because users will use
multiple devices over time.

I don't think making users register each device would be convenient, either.

> Second, user accounts are based on e-mails as a rule, which is not unique
> at all,

If an email address cannot uniquely identify a user's account, that's a
problem with the web application.

> every user can have multiple e-mails and multiple registrations.

A human can have multiple devices.

> Many web-services
> struggle against users' reputation spoofing made via such fake accounts.

The information sent to a web service can be spoofed/rewritten on the fly.
 Are web services struggling against humans manually creating fake accounts
or against automated systems creating fake accounts?

A human can own a several devices, a determined human can control thousands

A device ID isn't going to be a foolproof countermeasure.  An automated
account spoofing system isn't going to have any trouble automatically
generating random device IDs to send to your web service.

> Third, I think it's up to a certain web-service design and requirements,
> if it
> needs to identify user accounts or user devices.  For example, usage of

the same profile on multiple devices can be a violation of a web-service
> license agreement

Can you tell me of such a service?  I would be so extremely disappointed if
a web service locked me into the first device I used to accessed it.  I
would not continue to use it, there would be absolutely no point in
committing myself to use it, too risky.

Only allowing a user to use 1 device at a time is more likely, but that is
trivial already, you don't need a device ID to enable that. The web
application just needs to store session IDs against users in a 1-to-1
ratio, so if a user logs in on a different device, the other device loses
its session, so only 1 device can be used at any moment.

> or a web-service may bind several devices to the same
> profile.

So that would permit concurrent access, device ID would not be useful there.

> Multiple browser profiles on the same device do not matter, because
> the same device ID will be returned.

That's a bold assumption. Perhaps "Multiple browser profiles on the same
device do not matter, IF the same device ID is returned".  It wouldn't be
inconceivable for one profile to have a browser plug-in installed to
manipulate the device ID.

Moving from one device to another,
> or virtual devices - is just the same thing as having multiple devices
> considered
> above.

Is it?  How?  They would return different device IDs, so how is it just the
same thing?

> The main point, if device ID could be available it would provide more great
> possibilities for users and web-services.

Such as?  It sounds like a device ID cannot possibly be guaranteed to be
unique, at all, therefore serves no benefit.  A web application needs to
maintain its own user session state, there are no short cuts, improvements
or simplifications such as trusting a client-provided arbitrary value, even
systems based on personal digital certificates have to be verified
server-side (e.g. was the certificate issued by a trusted authority?).


More information about the whatwg mailing list