Re: JavaScript Permissions interface in WebApps


I appreciate that you have consistently taken the position that no  
privacy protections should be built into any API.  It is unfortunate  
that you cannot be in London in a week for either the workshop or the  
F2F, so that you could express your views on that subject.  And yes,  
we did "talk to death" many of the issues in December 2008 at the  
Geolocation WG F2F.

But for anyone who was not involved in that process, I think it is  
important to understand some key points about the Geolocation WG and  
that Geolocation meeting:

-- the goal of the leading participants of that WG was to have the W3C  
standardize an API that was developed outside of the W3C before the WG  
was formed.  The API spec brought into the W3C did not address  
privacy, and the proponents of that spec had no interest in changing  
the API to address privacy in a meaningful way.
-- at the December 2008 F2F, opponents of addressing privacy  
repeatedly said that the W3C should not do something specific to  
location, and that if the W3C  were to take any action to address  
privacy, it should do so with a broader framework.
-- the December 2008 F2F was immediately followed (the next day) by a  
workshop which looked at device API issues more broadly, and decided  
to do exactly that - form a WG that would consider a broader  
framework.  Hence DAP was born.
-- in rejecting "last call" objections to the Geolocation API's  
failure to meaningfully address privacy, the Geolocation WG chairs  

"The working group concluded that privacy protection does not belong  
in the
Geolocation API itself, but is better handled as part of a more  
generic privacy
and security framework for device access. The recently formed Device API
and Policy Working Group is chartered to develop precisely such a
framework (”‐geolocation/2009Oct/ 

I make these points simply to assert that the fact that the  
Geolocation WG "talked to death" the idea of taking action to protect  
privacy (and rejected that idea) is not evidence that such action  
should be rejected today.  There are tough issues confronting DAP in  
this area, and I hope you and others can engage in the DAP discussions  
to articulate your perspectives on the issues.  I don't think it is  
enough to say to the DAP group "go read what we said in Geolocation."

It's not clear to me that privacy is or would be the underlying cause  
for browser vendors to fail to implement the DAP specs, but in any  
event I think that would be an unfortunate place to end up.  I hope  
that they will engage in the DAP process.


On Jun 30, 2010, at 12:11 PM, Doug Turner wrote:

> I am familiar with the paper.  I'd still urge you to go read the f2f  
> comments.  Much of this UC paper is the same arguments that the  
> GeoPriv/CDT people made.
>> I understand there are pragmatic concerns - yet can we do more to  
>> find a good balance? supporting rulesets may be a possibility  -  
>> we'll have to talk about it at the workshop
> From a personal pov, there isn't any balance to be found at the API  
> level.  I do not want to build or design an API that embeds policy  
> information in it.  From a developers pov, i have never seen such an  
> API nor would want to use one.
> Sorry that I will not be at the workshop (and somewhat happy since  
> this specific topic was talked to death at the Geolocation WG two  
> Decembers ago).  I do urge this WG to consider the statements made  
> in the other WG.  I worry that whatever is spec'ed out here will not  
> be implemented by the majority of user agents (browsers).
> I hope this helps,
> Doug Turner

Received on Friday, 2 July 2010 16:20:47 UTC