- From: Erik Wilde <dret@berkeley.edu>
- Date: Wed, 25 Jun 2008 10:22:22 -0700
- To: public-geolocation@w3.org
hello.

Jon Ferraiolo wrote:
> * Prompt the user each time the operation happens
> * Prompt the user once for each "session"
> * Prompt the user the first time he uses a particular web page
> * Prompt the user the first time he uses a particular domain
> * (When there is an installer involved, such as with a widget) Prompt
> the user when he installs the software
> * and many other user interface scenarios
>
> Among the factors which complicate things are the nature of the
> operation, the trustworthiness of the software provider, and user
> preferences.
>
> It is early in the industry. We don't know yet how to balance hardcore
> security versus reasonable user interface. Therefore, leave the spec
> mushy with regard to security.

i agree with the fact that a user interface around privacy issues can get very complicated, in particular if you extend the location concept to also include location URIs. so i would like to configure my mobile device that it discloses my accurate GPS location to the navigation web site that i am trusting, whereas i only want to disclose that i am in california (using the location URI scheme i was talking about earlier) to other web sites. in theory, this can be implemented; in practice, this will result in a very complicated user interface and associated design challenges. how this will be approached in implementations is something that we will see.

so i think that the specification should make it very clear that there are serious privacy issues, and maybe even list some possible scenarios (or refer to a document doing this). i think it would be a good idea to make it entirely clear that this API is very privacy-sensitive, and that anybody implementing it should think hard about how to balance privacy and possible user interface complexity.

we should at least try to avoid things like the iphone, which in its quest to remove as many user controls as possible has no way to disable image loading in emails. this is a serious privacy issue, and i am still wondering why apple thinks it makes the life of users better if for each spam they are receiving, their phone is faithfully reporting to the spammer that the spam indeed reached the intended recipient...

cheers,

dret.

Received on Wednesday, 25 June 2008 17:23:15 UTC