
Re: Permissions UI & Necessary API

From: Doug Reeder <reeder_29@yahoo.com>
Date: Fri, 25 Apr 2014 21:58:36 -0400
Cc: sysapps <public-sysapps@w3.org>
Message-Id: <311F0C6D-0AEB-40A2-9D84-848C42E2DC50@yahoo.com>
To: "Kostiainen, Anssi" <anssi.kostiainen@intel.com>

On Apr 25, 2014, at 10:48 AM, Kostiainen, Anssi wrote:

> 1) Allow the developer to associate a custom text string with the permission request.
> 
> I observe some web-based platforms [1] already provide a similar mechanism, however, I'm not sure if e.g. Firefox OS uses the information in the context of use as recommended (or just for upfront grants)?

Firefox OS requires an explanation string in the app manifest, for example:
	"permissions": {
		"geolocation": {
			"description": "Needed for geotagging (where you wrote a memo)"
		}
	}

IIRC, this is supposed to be displayed to the user during the install process.  It is never displayed while an app is running.

I'm proposing an explanation string per request, something like
navigator.geolocation.getCurrentPosition(
	successFunc, 
	errorFunc, 
	{timeout: 300000, description: "geotag memos"}
);


> For example, an evil application could lie to get you grant access to some capabilities it wants to use for other, potentially malicious or otherwise harmful, purposes than it told you to.

Colin Walters, in a comment on http://robert.ocallahan.org/2011/06/permissions-for-web-applications_30.html points out "you have to know applications can pass messages to one another, so the permission set is in reality the union of all of the ones from any apps installed from a developer (or cooperating developers)"

Once info is passed to an app, there's no technical control over what it does with that info, only social control (reviews saying "this app lies about what it does!" ... or a consumer protection agency investigation). In the current model, the app makes no promises (other than app store boilerplate). An explanation per request allows an app to be clear. If many apps are clear, the hope is that users will pay attention, be wary of apps that are vague, and avoid those that lie.

An explanation per request does not imply a security dialog per request. I envision the system showing one security dialog per description string. So, the user would grant permission to 'allow searchablenotes.hominidsoftware.com to use your computer's location to "geotag memos"'. Most apps & websites would use only one description, but some would use two or more different ones, allowing a separate permission for 'allow example.com to use your computer's location to "connect you to an appropriate call center"'.


> 
> 2) Prefer user-triggered dialogs.
> 

This is great where you can do it, such as a standard map app, which can have a button "Show my location".  I'm running into a situation where the user gets a system permission dialog, and it's not clear why to him or her.  If you are kind enough to duplicate this scenario on a device, install my app on a Firefox OS device or the Simulator: http://searchablenotes.hominidsoftware.com/install.html

1) Run Searchable Memos
2) Tap the gear icon to open Permissions and Help
3) Turn "Geotag memos when created" to ON.  On the permissions dialog, DON'T enable "remember my choice" but DO tap "Share".
4) Tap the close button in the Permission and Help panel.
5) Tap the + button to create a memo; it will be geotagged without a second permission dialog.
6) Quit the app
7) Re-launch the app.  (Imagine the user returning to the app after a week)
8) Tap the + button to create a memo; the security permission dialog will appear (despite the user not having tapped a control related to geolocation).

If the system permission dialog instead said 'Searchable Memos would like to know your location to "geotag memos"', the user could understand why this dialog is popping up.  

Now, this problem is specific to Firefox OS (and I need to find the right people at Mozilla to talk to).  When run in desktop Firefox or Chrome (http://searchablenotes.hominidsoftware.com/), the permissions are handled differently, and this odd situation doesn't happen.  My particular problem is caused by the intersection of a particular implementation of permissions, with a novel use case.

I think it would be a good thing for the standards and APIs to support novel use cases. Current devices have several sensors, and manufacturers are adding more. I think we want to encourage users to have a dialog with apps about what data they collect, and why.



Now, I'm only looking at one application - there are many others.  There are workarounds where existing UI and APIs are awkward.  My proposal may not be worth the additional complexity.  But please do consider apps which use APIs in novel ways, and what UIs can do to help users.
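An added example, not part of the message above nor of Firefox OS, modelling the proposal in JavaScript: a user agent keys remembered grants on (origin, capability, description), so each distinct purpose string gets its own dialog and the dialog text carries the app's stated purpose. The `PermissionBroker` class, its method names and the split between remembered and per-session grants are assumptions made for illustration; the replayed steps follow the eight-step scenario in the message.

```javascript
// Toy model (assumed, not a real user-agent API) of "one security dialog per
// description string". The description only changes what the user sees; it
// gives the system no technical control over what the app does with the data.
class PermissionBroker {
  constructor(promptUser) {
    this.promptUser = promptUser;   // (promptText) => { granted, remember }
    this.remembered = new Map();    // key -> boolean, survives app relaunch
    this.session = new Map();       // key -> boolean, cleared on relaunch
    this.dialogsShown = [];         // every prompt text the user actually saw
  }

  // A grant is scoped to the origin, the capability AND the stated purpose.
  static key(origin, capability, description) {
    return `${origin}|${capability}|${description || ""}`;
  }

  // Dialog text in the form the message proposes; without a description the
  // user only sees the bare capability request.
  static promptText(origin, capability, description) {
    const base = `allow ${origin} to use your computer's ${capability}`;
    return description ? `${base} to "${description}"` : base;
  }

  // Mirrors an options object such as {timeout: 300000, description: "geotag memos"}.
  request(origin, capability, options = {}) {
    const k = PermissionBroker.key(origin, capability, options.description);
    if (this.remembered.has(k)) return this.remembered.get(k);
    if (this.session.has(k)) return this.session.get(k);
    const text = PermissionBroker.promptText(origin, capability, options.description);
    this.dialogsShown.push(text);
    const { granted, remember } = this.promptUser(text);
    (remember ? this.remembered : this.session).set(k, granted);
    return granted;
  }

  relaunch() { this.session.clear(); }  // models quitting and reopening the app
}

// Replays the scenario from the message: "Share" without "remember my choice",
// create a memo, quit, relaunch, create another memo. Returns the dialogs shown.
function replayScenario(description) {
  const origin = "searchablenotes.hominidsoftware.com";
  const broker = new PermissionBroker(() => ({ granted: true, remember: false }));
  broker.request(origin, "location", { description });  // step 3: toggle geotagging on
  broker.request(origin, "location", { description });  // step 5: first memo, no dialog
  broker.relaunch();                                     // steps 6-7
  broker.request(origin, "location", { description });  // step 8: dialog reappears
  return broker.dialogsShown;
}
```

With a description the second dialog explains itself; with none it is the bare location request the user could not connect to the "+" button.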
Received on Saturday, 26 April 2014 02:00:41 UTC
