W3C home > Mailing lists > Public > public-geolocation@w3.org > June 2008

Re: Privacy in the Geolocation Spec

From: Jon Ferraiolo <jferrai@us.ibm.com>
Date: Tue, 24 Jun 2008 15:39:57 -0700
To: Ian Hickson <ian@hixie.ch>
Cc: Alec Berntson <alecb@windows.microsoft.com>, Andrei Popescu <andreip@google.com>, public-geolocation@w3.org, "public-geolocation@w3c.org" <public-geolocation@w3c.org>, public-geolocation-request@w3.org
Message-ID: <OF56F7858F.64D8929B-ON88257472.007B4AFA-88257472.007C81FD@us.ibm.com>

I agree with Ian. In fact, I would go even further and say that the
geolocation specification (or any other specifications that extend outside
of the browser sandbox) should identify security issues and suggest
possible alternatives for addressing those security issues, and no hard
mandates (MUSTs) or even semi-hard mandates (SHOULDs). The reason for this
mushiness is that there is usually a user interface aspect (e.g., a prompt)
to allowing software to extend outside of the browser sandbox, and user
interface is complicated. Depending on a complex set of circumstances, you
could choose any of the following user interface options for how the user
"opts in" to allowing the operation to take place:

* Prompt the user each time the operation happens
* Prompt the user once for each "session"
* Prompt the user the first time he uses a particular web page
* Prompt the user the first time he uses a particular domain
* (When there is an installer involved, such as with a widget) Prompt the
user when he installs the software
* and many other user interface scenarios

Among the factors which complicate things are the nature of the operation,
the trustworthiness of the software provider, and user preferences.

It is early in the industry. We don't know yet how to balance hardcore
security versus reasonable user interface. Therefore, leave the spec mushy
with regard to security.

(Incidentally, similar sentiments were expressed at the Mobile Ajax
Workshop last September:


             Ian Hickson                                                   
             Sent by:                                                   To 
             public-geolocatio         Alec Berntson                       
             n-request@w3.org          <alecb@windows.microsoft.com>       
             06/24/08 03:10 PM         <public-geolocation@w3c.org>,       
                                       Andrei Popescu                      
                                       Re: Privacy in the Geolocation Spec 

On Tue, 24 Jun 2008, Alec Berntson wrote:
> I'd like to see some requirements around privacy. I agree that the W3C
> spec should not define the UI constraints for privacy, however I think
> the following guidelines should be present
> * The Geolocation API must not allow an application access to location
> data without user permission
> * The Geolocation API must allow the user to disable access to location
> data at any point

I would be fine with these being SHOULDs, but if we make them MUSTs then
we are saying that, e.g., a semi automated Web browser that uses crowd
movements in Times Square to decide what page to navigate to would have to
have some sort of special button somewhere to control the Geolocation API,
which seems somewhat silly.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

(image/gif attachment: graycol.gif)

(image/gif attachment: pic07887.gif)

(image/gif attachment: ecblank.gif)

Received on Tuesday, 24 June 2008 22:42:56 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:33:49 UTC