RE: Policy requirements question (was Re: RE: [Powerbox] New draft based on further collaboration and prototyping) from David Rogers on 2010-06-01 (public-device-apis@w3.org from June 2010)

From: David Rogers <david.rogers@omtp.org>
Date: Tue, 1 Jun 2010 18:17:32 +0100
To: "James Salsman" <jsalsman@gmail.com>, <public-device-apis@w3.org>
Message-ID: <4C83800CE03F754ABA6BA928A6D94A06021E08C7@exch-be14.exchange.local>

Hi James,

 

It depends on the actual policy you apply, generally we work off the premise that the user can prevent stuff happening. If the user wants to prevent access they could do so if they wished. In terms of prompting, this offers a mechanism to reduce prompting and intelligently describe the decisions a user wants to make – for example, don’t ever dial a premium rate number in the UK, or only allow me to do it from this particular application.

 

Interesting points about the privacy policy etc. So the way I see this happening is you could delegate authority to someone you really trust (for example a consumer organisation like ‘Which?’ or a children’s charity who provide a safe-online access service for your kids). The policy is provided by them to you and sits on your device. This acts as an arbitrator to the application. For example, if a Facebook application wanted full and unfettered access to your camera, the policy would step in and say, hey – the user doesn’t want that and the API used would be able to gracefully fail for the developer saying that the reason the access was denyed was for security.

 

A lot of the rest is down to good implementation – e.g. making things user configurable and simple etc.

 

Clearly I’ve simplified a lot here!

 

Cheers,

 

 

David.

 

 

 

From: public-device-apis-request@w3.org [mailto:public-device-apis-request@w3.org] On Behalf Of James Salsman
Sent: 01 June 2010 17:59
To: public-device-apis@w3.org
Subject: Policy requirements question (was Re: RE: [Powerbox] New draft based on further collaboration and prototyping)

 

Does http://dev.w3.org/2009/dap/policy-reqs/ suggest that an application should request microphone access once, upon installation or invocation, and from that point on would be able to record and transmit audio with no way contemplated for the user to monitor its microphone or network access, or revoke the permission, say if the company controlling the application changes hands or changes its privacy policy?

Am I reading that correctly?

It would be nice to improve upon current practice, especially in the area of security.

 On Jun 1, 2010 8:56 AM, "David Rogers" <david.rogers@omtp.org> wrote:
 
 Hi Robin and Tyler,
 
 Another important point that we discussed before when powerbox first
 came up was to ensure that we can cover-off some of the basic abuse
 cases (as outlined here:
 http://dev.w3.org/2009/dap/policy-reqs/#abuse-cases ).
 
 Would it be possible to show how powerbox can handle those?
 
 Thanks,
 
 
 David.

 
 -----Original Message-----
 From: public-device-apis-request@w3.org
 [mailto:public-device-apis-reque...

Received on Tuesday, 1 June 2010 17:18:10 UTC