- From: イアンフェッティ <ifette@google.com>
- Date: Tue, 24 Apr 2012 15:39:22 -0700
- To: "public-tracking@w3.org Group WG" <public-tracking@w3.org>
- Message-ID: <CAF4kx8f1fxN8JbSXd52DTVsNj=7Kr3U6ns7EM3zjr+RePsyHRQ@mail.gmail.com>
I've done a quick writeup for ACTION-173 to describe the problems around (explicit,explicit) exception pairs, including a screenshot of what I view to be our rather problematic attempt at applying this to geolocation permissions in Chrome. The writeup with screenshots is at https://docs.google.com/document/d/19mNwTiZgYsrhgYDQHTljuId49DFDrApoTRZrVl-tniA/edit I've included the contents below, but I suspect it will probably get munged by mailing lists and drop images etc. You're probably better off viewing the google doc via the link above, but for the sake of archival I've copied the body into this email. *Perils of cross-products in settings We made what I now believe to be a mistake in our implementation of the W3C Geolocation API. We thought it would be a great privacy feature to remember permissions granted to third parties (e.g. iframes) on a page only in the context of their embedding page. That is, if outer.com iframes inner.com, and inner.com requests access to your location, what we currently have is a prompt in the browser saying “inner.com wants to access your location”, and if you accept, the browser remembers that inner.com can access your location when inner.com is on outer.com. We wanted to prevent a user’s location from being tracked across the web, which I believe was a good goal, but in the end we ended up with a very confusing user experience. The user is asked about inner.com but they see outer.com in the address bar and may not know what inner.com actually represents, and our UI in settings is even more complex, a screenshot of which is included below: (see the “html5demos embedded on ianfette.com”) Luckily, the number of sites that actually request geolocation information is relatively low, and the percentage of users that go into settings to change this is also low. However, this has created awful UI that none of us are happy with, and many complications internally in the code. (Whereas for most things we simply store whether a particular site has a particular permission, we now have to pass around additional state that indicates what site the resource is embedded in. It sounds trivial but it’s not, and has been the source of subtle bugs.) This type of UI also leads to user confusion and suboptimal handling of real use cases. For DNT in particular, I believe that a site wishing to obtain exceptions for third parties will most likely wish to obtain exceptions for all of the third parties on the site. As a concrete example, a site author may believe they will only achieve a sufficient level of monetization via mechanisms requiring an exception to DNT:1, and so they may wish to request exceptions for the ads that will be shown on the page. If they don’t get an exception, they may instead offer the user alternatives (sign in, pay, get some amount of views free, etc.) Given that this is rather burdensome imposition on the user (some form of interaction required before they can view the content), the site is incentivized to ensure that the user is asked as few questions as possible. The site doesn’t want to come back tomorrow and say “My ad network now includes this other third party so let me re-prompt” (assuming the site even is capable of enumerating the third parties that may be included through the ad network). So, the site will request mysite/* to indicate all third parties on the site. The site also doesn’t want to get into a state where they have to support some exponential number of configurations (“A is allowed but not B, C is allowed and so is D but not E...”). Furthermore, before serving content, the site will wish to know whether its required exceptions have been granted or not. Having to serve javascript to the user to do polling is a non-starter as it introduces a round-trip. Keeping things to mysite/* makes it trivial for the browser to indicate whether the site has the exceptions it needs, otherwise the browser has no way of knowing whether the site will be satisfied as the browser doesn’t have a-priori knowledge of what resources will be requested by the site so the browser cannot indicate the status to the site on the initial request. >From the user’s perspective, if a site wishes to request exceptions for even a very limited ad exchange containing ten entities, I’m not sure how we would display any UI that would allow for a usable experience while also offering any meaningful choice. The notion of having ten checkboxes on an infobar scares the daylights out of me from a usability perspective.The management UI that we did for geolocation would become even worse, given the large number of third parties that are likely to be involved compared to the relatively few number of sites using the geolocation API. In short, I’m convinced this is a path we should not follow. Instead, I propose that we limit ourselves to firstparty/* (all third parties on this first party) and */thirdparty (this third party on all contexts). It’s very easy for a user to understand “I am giving an exception everything comprising this site” since the user perceives the site as a single website, not a collection of resources from multiple origins. It’s also easy for a user to understand “I am giving an exception to this widget” as the widget is likely something they’re familiar with, e.g. a gadget from a social network or other third party site they interact with. This is also easy to message to the user in an understandable and concise way, and easy to provide management UI that is intelligible and allows users to later change their mind. (“Here’s a list of sites you have granted exceptions to. Here’s another list of third party thingamajiggers you have granted exceptions to.” Both are linear, you don’t get the “list of 100 common exceptions * top 500 websites = 50000 lines of scrolling uselessness” instead you get perhaps “here’s the 10 sites I frequent that have requested an exception, here’s the 4 widgets I trust and have granted exceptions to.” Yes, this does mean you don’t have an easy way to say “Trust this widget for everything except the following websites” but I frankly think that’s a niche case, and if you don’t trust the privacy controls that the widget gives you, you probably shouldn’t grant it a web-wide exception. Or, you can do your sensitive browsing in a mechanism supported by the browser for that purpose (another profile, “incognito” or “private” browsing, etc.)*
Received on Tuesday, 24 April 2012 22:39:53 UTC