W3C home > Mailing lists > Public > public-webapps@w3.org > January to March 2012

Re: Installing web apps

From: Tobie Langel <tobie@fb.com>
Date: Thu, 9 Feb 2012 15:17:50 +0000
To: Marcos Caceres <w3c@marcosc.com>, Adrienne Porter Felt <apf@berkeley.edu>
CC: Robin Berjon <robin@berjon.com>, Paul Libbrecht <paul@hoplahup.net>, Boris Zbarsky <bzbarsky@mit.edu>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <CB5999BE.52577%tobie@fb.com>


On 2/9/12 1:21 PM, "Marcos Caceres" <w3c@marcosc.com> wrote:
>
>On Wednesday, February 8, 2012 at 10:33 PM, Adrienne Porter Felt wrote:
>
>> > > I agree that the current UI is not great. However, I disagree about
>>"everyone" clicking through permission grants. I've done two user
>>studies and found that about ~18% of people look at permissions for a
>>given installation, and about ~60% look occasionally. We found that most
>>have no idea what they really mean -- but that is a separate problem
>>pertaining to the presentation. Also, about 20% of people have in the
>>past avoided apps that they considered "bad" because the permissions
>>alerted them to something that they didn't like.
>> > 
>> > 
>> > Did you publish this research somewhere? Would be interested to know
>>your sample size and type, response rate, etc.
>> 
>> It's in submission, but I can put together a tech report if you are
>>interested. Results are from two studies: self-reported data from 308
>>online Android users (recruited via Admob), and confirmed by an
>>observational study of 25 Android users in the bay area (selected from a
>>large pool of Craigslist applicants so that they match the overall
>>Android population by gender, age, etc.).

At Facebook, we use a pretty fine-grained permission system for users to
grand third party apps access to their data, rights to post on their
behalf, etc. 

The correlation between the number of permissions requested by the app and
the percentage of users which will avoid using the app altogether is
strong, so much so that we're warning devs against asking for too many
permissions upfront:

"There is a strong inverse correlation between the number of permissions
your app requests and the number of users that will allow those
permissions. The greater the number of permissions you ask for, the lower
the number of users that will grant them; so we recommend that you only
request the permissions you absolutely need for your app."
--https://developers.facebook.com/docs/authentication/

"Only ask for the permissions you actually need; the more you ask for, the
less likely users will grant them. Users may join your app and
automatically trust their friends, but the first hurdle is trusting your
app when first prompted with the permissions dialog."
--https://developers.facebook.com/socialdesign/personalize/

Instead, we advocate a permissions model which lies somewhere in the
middle of what has been discussed here so far:

There's an initial request of permissions done prior to the app being
first used. If these permissions are granted, they are granted
indefinitely (or until the user revokes them). If they are not, the app
just can't be used. After that, the application has the possibility to ask
extra permissions any number of times. This is typically done following a
user action that the existing permissions won't allow. Permissions granted
that way (and this is key difference with the models discussed so far) are
also granted indefinitely.


Best,

--tobie
Received on Thursday, 9 February 2012 15:19:02 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:50 GMT