W3C home > Mailing lists > Public > public-xg-socialweb@w3.org > January 2010

Fwd: A comment on Security and Privacy Implications for Contact APIs

From: Dan Brickley <danbri@danbri.org>
Date: Wed, 27 Jan 2010 16:27:35 +0100
Message-ID: <eb19f3361001270727i43f709d6r93d575bd5b8f9d22@mail.gmail.com>
To: public-xg-socialweb@w3.org
>From the TAG list, regarding the recent Contact APIs draft.


---------- Forwarded message ----------
From:  <noah_mendelsohn@us.ibm.com>
Date: Wed, Jan 27, 2010 at 4:14 PM
Subject: A comment on Security and Privacy Implications for Contact APIs
To: public-device-apis@w3.org
Cc: www-tag@w3.org


Congratulations on the publication of the publication of working draft
"The Contacts API" [1].  I would like to comment on the Security and
Privacy considerations section [2], which states:

-----------
This section is under development.

This section has been inspired (verbatim where necessary) from the
Geolocation WG latest public working draft specification.

There are a number of reasons for this approach:

1. The programmatic styles of the Contacts API and Geolocation API are
very similar and because they both have the the same implied user
experience within the same implied User Agent the general security and
privacy considerations of both APIs should remain common.

2. The ability to align the security and privacy considerations of the
Geolocation API with DAP APIs is important for the potential future
benefit of making any security and privacy mechanisms developed within the
DAP WG applicable to the Geolocation API at some point in its own ongoing
development.
-----------

It seems to me that, in fact, the use cases and this the user experiences
are potentially quite different for Contacts vs. Geolocation.
Specifically, the information exposed through a geolocation API is
potentially important and sensitive, but the nature of it is generally
clear to a user:  you're giving permission to give out my latitude,
longitude, and perhaps altitude.  A contacts database is potentially very
large, and depending on the device may have quite a wide range of
information for each contact.  This can include (multiple) phone numbers,
email addresses, home addresses, employers, office address,  office or
home latitude and longitude, Facebook ids, geolocations, IM screen names,
etc., etc.  Furthermore, some contact lists will contain a handful of such
entries, and others will contain thousands.

For the above reasons, it seems to me that an appropriate mechanism for
the contacts API will likely involve an ability not just to ask for
permission, but to clarify the subset of the contacts for which access is
being granted.  It may also be necessary to separate access for purposes
of searching vs. access for purposes of display, transmission or
republication.  For example, I can imagine a mobile instant messaging
application wanting to do the following:

1) get permission to search my entire contact lists for everyone with a
compatible screen name
2) get permission to retrieve and display for my selection certain, but
perhaps not all of the information for such users (e.g. I might want it to
get at the user's name as text, screen name, and perhaps a few other bits,
but I might not want to grant it permission to retrieve the users home
mailing address)
3) when the user selects one such name, grant it permission to send
certain information out to the IM network

(Maybe or maybe not that third step needs to be separate.)  I'm not trying
to design the UI or say that it necessarily has to be multi-step.  It
could be a single step in which the user is given a prompt saying:

"Do you give the SuperIM Web application permission to search your entire
contact list for users with screen names, to retrieve for each such user
his/her given name, screen name and email address, and for users you
choose to chat with, permission to send that information to the chat
network?"

"Should I ask you again if you make similar requests in the future?"

etc.

BTW:  I am writing as an individual and as a member of the TAG, but in
this note I do not speak for the TAG as a whole.

Noah

[1] http://www.w3.org/TR/2010/WD-contacts-api-20100121/
[2]
http://www.w3.org/TR/2010/WD-contacts-api-20100121/#security-and-privacy-considerations

--------------------------------------
Noah Mendelsohn
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------
Received on Wednesday, 27 January 2010 15:28:12 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 January 2010 15:28:12 GMT