If you use either the Chrome or Brave browser, you may have come across that rather startling warning that says “This site has been blocked from using motion sensors.” If you are on your laptop or, especially, your desktop computer, you may find this puzzling, understandably. What motion are they going to detect from your desktop computer? And why and how would they use it? Here’s what is going on.
First, we need to point out that you get no corresponding message if a site hasn’t been blocked from using motion sensors. Meaning that they can access your motion sensors (primarily your accelerometer, gyroscope, and magnetometer, as well as your light sensors) without it ever being signaled that this is happening.
Back to the question of why would a site bother accessing a motion sensor on your computer? We also had this question, and so started doing a little digging; in fact this is where we started with our research about the motion sensor thing, because, as SlashGear points out, “Unfortunately, those seemingly innocent sensors can also become doorways into users’ lives. Since the permission to access sensor data is granted to the web browser and not specific websites, these websites can have nearly unrestricted access to that data.”
Our guess was that this was a function intended to be used primarily by mobile sites, to access your motion sensors when you are using their site from your mobile device (including, for example, determining whether you were holding your device in portrait or landscape orientation). However that doesn’t mean that websites aren’t accessing these things through your computer (laptop and desktop) browsers as well.
As it turns out, one person has dug down to the very bottom of this mystery; that person is Grant Winny, a developer from Ohio. Grant followed the code trail after noticing the motion sensor alert on several sites, including the same site we visited, Pizza Hut:
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
Brave Browser Notification of Motion Sensor Blocking
It turns out that this is a function that Akamai is behind. Akamai is a massive online content and content delivery system. Grant Winny concluded that this is a script developed by Akamai to determine whether a visitor to a website (i.e. the visitor’s web browser) is a bot, saying that it is “using sensor data like accelerometer capabilities to determine whether a requestor is a bot or not.” (You can read his very in-depth analysis of the whats, wheres, and whys here.)
Interestingly (at least to us), one of the readers of Grant’s site, a user who identifies himself as Bob1023, clearly has the inside info on this Akamai script, sharing that “what you have discovered is Akamai’s bot protection. As you noticed, each site is utilizing a 112 bit random value URL. This script is the obfuscated akamai script. Basically what this script does is collect various unique browser native functions, mouse movements, canvas fingerprints & some other stuff. With this collected info, it puts together a string called Sensor_data. The sensor data is then posted as JSON to the 112 bit URL, then akamai will automatically review the sensor data to see if it matches human standards or if it is bot like. If it matches human standards, you will be given a cookie called _abck, which will allow you to continue on the given site as normal. If akamai thinks the sensor data is bot like, it will return an invalid _abck giving you a 403 status code. No need to worry about any personal info being collected, like I said above it is collecting browser native functions, mouse movements, canvas fingerprints, etc just to verify if you are a bot or human. More & More sites are starting to utilize this protection to prevent fraud, account cracking, etc.” Bob1023 also included a link to Akamai’s ‘Bot Manager’ page for more information: https://www.akamai.com/us/en/products/security/bot-manager.jsp
Of course, it’s worth repeating here again that, as SlashGear notes, “those seemingly innocent sensors can also become doorways into users’ lives.”
And this is why the Chrome and Brave browsers now have blocked access to your motion sensors, such as your accelerometer, gyroscope, and magnetometer, by default. Firefox offers a way to enable and disable the motion and light sensor APIs if you are comfortable monkeying with your advanced settings; supposedly the default is to disable them, although we have been unable to test this as Firefox does not give you any obvious indication that it has blocked an attempt to get at your sensors (read about that here at BleepingComputer), and Safari does not have settings to block motion detectors, although the iOS version (i.e. the mobile version) of Safari does.
In any event, you are likely here reading this because you saw something in your Brave or Chrome browser saying that a site that you were visiting had been blocked from using motion sensors, and now you know why.
Still, if you want to check to be sure – or if for some reason you suspect that your motion sensors aren’t being blocked, here is how to check:
From your Brave menu, go to Preferences, and click on ‘Additional settings’.
Click on ‘Privacy and security’.
Go down to the ‘Site and Shields Settings’ section.
Click on ‘Motion sensors’.
This is what you should see:
NOTE! Brave is very confusing in the way that it presents this information. If your settings look like the image immediately above, you might think “oh my gosh, this setting is to block sites from using my motion sensors, and it’s set to ‘off’!” And you would be wrong about it being off. Because if you slide the switch to ‘on’, you will see that the verbiage changes, and now says:
See? It now says “Allow sites to use motion sensors”. This isn’t a toggle on/off switch, it’s a toggle the state of something switch.
So to sum up, if you don’t want the sites you browse to be able to access your motion sensors, this setting should look like this:
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
Should say “Blocking” sites…and “Allowing” sites…
A clearer way to express “This isn’t a toggle on/off switch, it’s a toggle the state of something switch.” is this:
“The words don’t tell you what the switch does, they describe the effect of the current setting.”
TY! TY! TY! U ROCK!!
Jerry, thank you for the kind feedback!