Re: Workshop Report: W3C Workshop on Permissions and User Consent

Hi All,

Thanks Fuqiao for passing the workshop report.

Follow-up to the "should we do this" workshop take-away relevant to this group happens in:

https://github.com/w3ctag/security-questionnaire/issues/48


This issue discusses the "drop the feature" mitigation strategy added to the TAG-maintained Security and Privacy Questionnaire:

https://w3ctag.github.io/security-questionnaire/#mitigations


The above section also quotes DAS WG-developed mitigations as best practices in various places, implying this group has helped shape these guidelines used for horizontal review of all W3C specs.

There are also examples of APIs developed in this group that have been improved with better privacy protections over time. Examples include the now-deprecated devicelight/proximity, redesigned as ProximitySensor, and reworked privacy protections for the Battery Status API, informed by some browser vendors' decision to unship the said API.

If you have any feedback on the questionnaire, please consider sharing it in its repo to help improve the questionnaire for the benefit of all. Any questions regarding the workshop, please contact Samuel Weiler <weiler@w3.org>.

Thanks,

-Anssi (DAS WG co-chair)


> On 18 Jun 2019, at 5.01, Fuqiao Xue <xfq@w3.org> wrote:
> 
> FYI
> 
>> Begin forwarded message:
>> 
>> From: xueyuan <xueyuan@w3.org>
>> Subject: Workshop Report: W3C Workshop on Permissions and User Consent
>> Date: June 17, 2019 15:20:24 GMT+8
>> To: w3c-ac-forum@w3.org
>> Cc: chairs@w3.org
>> Resent-From: chairs@w3.org
>> 
>> 
>> Dear Advisory Committee Representative,
>> Chairs,
>> 
>> The report from the W3C Workshop on Permissions and User Consent, held in late 2018 in San Diego [1], is now available:
>> 
>>     https://www.w3.org/Privacy/permissions-ws-2018/report.html
>> 
>> This report contains a brief summary and collects highlights from the individual sessions, with links to the presentation slides. More detailed minutes are also available [2].
>> 
>> One of the take-aways was that some features may simply be too dangerous even when gated behind permissions prompts – when we add new features to the web platform, we need to ask “should we do this (at all)”.
>> 
>> We recognized that users suffer from ‘permission fatigue’ (or, perhaps, ‘prompt fatigue’), and the workshop explored several models for avoiding prompts:
>> 
>> * Implicit consent - as exemplified by the File Access API and drag-and-drop.
>> * Installation ceremonies as an indicator of trust (the “casual web” v. the “installed web”).
>> * Using engagement as a metric of trust. This has significant flaws - people frequently use web sites that they do not trust.
>> 
>> Another outcome of the workshop was “Adding another permission? A guide” [3], a whitepaper for feature developers written by Program Committee member Nick Doty based on the discussions at the workshop.
>> 
>> We thank our host, Qualcomm, the Program Committee, and all participants for making this event possible.
>> 
>> If you have further questions, please contact Samuel Weiler <weiler@w3.org>.
>> 
>> For Wendy Seltzer, Strategy Lead;
>> Xueyuan Jia, W3C Marketing & Communications
>> 
>> [1] https://www.w3.org/Privacy/permissions-ws-2018/
>> [2] https://www.w3.org/Privacy/permissions-ws-2018/minutes.html
>> [3] https://github.com/w3cping/adding-permissions/blob/master/README.md
>> 
>> 
> 

Received on Tuesday, 18 June 2019 12:35:42 UTC