W3C home > Mailing lists > Public > public-geolocation@w3.org > June 2009

RE: Additional security and privacy considerations?

From: Perry Tancredi <ptancredi@quova.com>
Date: Tue, 2 Jun 2009 15:22:40 -0700
Message-ID: <964B2AC952DAA94BAA5CEF61CB2114CA4E1B1A@EXCH-MVCL.quova.com>
To: "Doug Turner" <doug.turner@gmail.com>, "Andrei Popescu" <andreip@google.com>
Cc: "Thomas Roessler" <tlr@w3.org>, "Greg Bolsinga" <bolsinga@apple.com>, "Rigo Wenning" <rigo@w3.org>, "public-geolocation" <public-geolocation@w3.org>
I agree that the additional sentence should not be added.

Here is an alternative to the text that Doug questioned that may be more
clear:

"In designing these measures, implementers are advised to give users the
ability to know when location information is being shared, and to
provide..."

That text allows for either active or passive measures without
specifically endorsing either.

Perry

> -----Original Message-----
> From: public-geolocation-request@w3.org 
> [mailto:public-geolocation-request@w3.org] On Behalf Of Doug Turner
> Sent: Tuesday, June 02, 2009 2:47 PM
> To: Andrei Popescu
> Cc: Thomas Roessler; Greg Bolsinga; Rigo Wenning; public-geolocation
> Subject: Re: Additional security and privacy considerations?
> 
> I do not think we should add the additional sentence.
> 
> Also,
> 
> "In designing these measures, implementers are advised to 
> enable user awareness of location sharing, and to provide 
> easy access to interfaces that enable revocation of 
> permissions, even when users have previously granted authorization."
> 
> What exactly is "user awareness of location sharing"?
> 
> Regards
> Doug Turner
> 
> 
> On Jun 2, 2009, at 5:35 PM, Andrei Popescu wrote:
> 
> > Hi,
> >
> > I think we need to close this discussion. After discussing 
> with Thomas 
> > offline, we have one wording proposal and one question for 
> our group.
> >
> > Here is the wording proposal:
> >
> > //-------------------------------------------------------
> > Additional implementation consideration
> >
> > This section is non-normative
> >
> > Further to the requirements listed in the previous section, 
> > implementors of the Geolocation API are also advised to 
> consider the 
> > following aspects that may negatively affect the privacy of their
> > users: in certain cases, users may inadvertently grant 
> permission to 
> > the User Agent to disclose their location to Web sites. In other 
> > cases, the content hosted at a certain URL changes in such 
> a way that 
> > the previously granted location permissions no longer apply 
> as far as 
> > a user is concerned. Or the users might simply change their mind.
> >
> > While predicting or preventing these situations is inherently 
> > difficult, mitigation and in-depth defensive measures are an 
> > implementation responsibility and not prescribed by this 
> > specification. In designing these measures, implementers 
> are advised 
> > to enable user awareness of location sharing, and to provide easy 
> > access to interfaces that enable revocation of permissions, 
> even when 
> > users have previously granted authorization.
> > //-------------------------------------------------------
> >
> > I think such wording captures well the privacy concerns that were 
> > raised by Thomas while clearly indicating that the defenses against 
> > potential problems are completely up to the implementations to 
> > consider. We also both think that listing these privacy concerns in 
> > the spec is a responsible thing for us to do.
> >
> > And here is the question:
> >
> > Should the wording also contain the following additional sentence:
> >
> > "Additional defense measures might include limiting the scope of 
> > authorizations in time by asking for re-authorization in 
> certain time 
> > intervals."
> >
> > My personal opinion is that it should not. This sentence suggests a 
> > concrete solution direction to solve the above mentioned 
> concerns. I 
> > think we should not add it to the spec because:
> >
> > 1. Adding such concrete implementation recommendations, especially 
> > without any implementation experience or user studies to 
> back them up, 
> > is dangerous. They are likely to get ignored by 
> implementers who will 
> > do what they think best for their product, making the spec less 
> > credible. At the same time, people can wrongly accuse 
> implementers of 
> > ignoring the spec, as Doug rightly pointed out.
> >
> > 2. I have concerns about this solution. There is no expiry interval 
> > magic constant that applies well to all Web applications, while the 
> > user experience of having to repeatedly and for no apparent reason 
> > grant permissions to the same origins is terrible.
> >
> > Anyway, I would be grateful to know your opinion on this matter.
> >
> > Many thanks,
> > Andrei
> 
> 
> 
Received on Tuesday, 2 June 2009 22:23:17 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 22 March 2012 18:13:44 GMT