RE: FW: ACTION-660: Input to BP2, on Security and Privacy

I think that the main concern is the following scenario:

A mobile user downloads an application for a specific purpose.  Say it's an IM chat client.  This IM chat client needs access to the internet.  The user is happy with this access to the internet for IM purposes.  But does that mean that the IM chat client automatically gets access to the user's location information from cell site IDs or GPS?  What about the phone book?  History of who the user has called?  Private emails?  Bank account details?

And what about an application which uploads the user's location to an internet-based service?  Does that application get access to emails/phone call logs etc?  Does it get to send the user's location to lots of places or only the one server?

These are the kinds of issue which Brian is highlighting.

Regards,

Kevin
 

Kevin Holley
Manager, Application Standards
Group Technology
O2
Telefónica O2 Europe plc,

Direct Line: +44 1473 782214
Mobile: +44 7802 220811
Fax: +44 7711 752031
Email: kevin.holley@o2.com
IM: kevinaholley (MSN/Y!/AIM etc.)

www.o2.com


-----Original Message-----
From: public-bpwg-request@w3.org [mailto:public-bpwg-request@w3.org] On Behalf Of Sean Owen
Sent: 14 February 2008 23:54
To: Sullivan, Bryan
Cc: BPWG-Public
Subject: Re: FW: ACTION-660: Input to BP2, on Security and Privacy


On Thu, Feb 14, 2008 at 6:25 PM, Sullivan, Bryan <BS3131@att.com> wrote:
>  Because the related web/internet technologies are standardized, the
>  specific methods may not be mobile specific, but the basic fact that
>  their use is more important in the mobile environment is what is
>  important. That's why the recommendations are included, and verifying
>  compliance to the recommendations is important.

I may be splitting hairs too early, but, you're saying that while
security in general is not an unimportant issue in mobile, of course,
it is not specific to mobile. So sure, we do not need to go over
general security stuff again, and if that's what you're thinking, I
agree. Then we need to see what's mobile-specific here...

>  Any network API's or device API's (data or device internal functions)
>  that are callable from a web application context can result in private
>  information exchange. Certainly these functions are callable as device
>  vendors publish API's for their use, and MIDP for example provides
>  specific API's. Some browsers may be more isolated than others, and not
>  provide application access to these functions. But others do, and web
>  applications can likely call the functions natively.

Again we go back to scoping. We are not writing about MIDP (right??)
and I don't know of any HTML or HTTP mechanisms that transmit location
info or contacts (unless there are X- headers that are semi-standard?)
If no in-scope, existing technologies raise this problem, what will we
say about this?

We aren't chartered to write a document musing on future issues for
potential mobile technologies -- well, are we? I don't want to do
that, it's not what I had in mind.


This electronic message contains information from O2 which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email (to the numbers or address below) immediately.

Switchboard: +44 (0)113 272 2000

Telefónica O2 Europe plc   Registered Office:  Wellington Street, Slough, Berkshire SL1 1YP
Registered in England and Wales:  5310128 VAT number: GB 778 6037 85

Received on Friday, 15 February 2008 09:06:20 UTC