- From: Tobie Langel <tobie@fb.com>
- Date: Thu, 9 Feb 2012 15:17:50 +0000
- To: Marcos Caceres <w3c@marcosc.com>, Adrienne Porter Felt <apf@berkeley.edu>
- CC: Robin Berjon <robin@berjon.com>, Paul Libbrecht <paul@hoplahup.net>, Boris Zbarsky <bzbarsky@mit.edu>, "public-webapps@w3.org" <public-webapps@w3.org>
On 2/9/12 1:21 PM, "Marcos Caceres" <w3c@marcosc.com> wrote: > >On Wednesday, February 8, 2012 at 10:33 PM, Adrienne Porter Felt wrote: > >> > > I agree that the current UI is not great. However, I disagree about >>"everyone" clicking through permission grants. I've done two user >>studies and found that about ~18% of people look at permissions for a >>given installation, and about ~60% look occasionally. We found that most >>have no idea what they really mean -- but that is a separate problem >>pertaining to the presentation. Also, about 20% of people have in the >>past avoided apps that they considered "bad" because the permissions >>alerted them to something that they didn't like. >> > >> > >> > Did you publish this research somewhere? Would be interested to know >>your sample size and type, response rate, etc. >> >> It's in submission, but I can put together a tech report if you are >>interested. Results are from two studies: self-reported data from 308 >>online Android users (recruited via Admob), and confirmed by an >>observational study of 25 Android users in the bay area (selected from a >>large pool of Craigslist applicants so that they match the overall >>Android population by gender, age, etc.). At Facebook, we use a pretty fine-grained permission system for users to grand third party apps access to their data, rights to post on their behalf, etc. The correlation between the number of permissions requested by the app and the percentage of users which will avoid using the app altogether is strong, so much so that we're warning devs against asking for too many permissions upfront: "There is a strong inverse correlation between the number of permissions your app requests and the number of users that will allow those permissions. The greater the number of permissions you ask for, the lower the number of users that will grant them; so we recommend that you only request the permissions you absolutely need for your app." --https://developers.facebook.com/docs/authentication/ "Only ask for the permissions you actually need; the more you ask for, the less likely users will grant them. Users may join your app and automatically trust their friends, but the first hurdle is trusting your app when first prompted with the permissions dialog." --https://developers.facebook.com/socialdesign/personalize/ Instead, we advocate a permissions model which lies somewhere in the middle of what has been discussed here so far: There's an initial request of permissions done prior to the app being first used. If these permissions are granted, they are granted indefinitely (or until the user revokes them). If they are not, the app just can't be used. After that, the application has the possibility to ask extra permissions any number of times. This is typically done following a user action that the existing permissions won't allow. Permissions granted that way (and this is key difference with the models discussed so far) are also granted indefinitely. Best, --tobie
Received on Thursday, 9 February 2012 15:19:02 UTC