- From: Jon Ferraiolo <jferrai@us.ibm.com>
- Date: Mon, 27 Oct 2008 14:54:59 -0700
- To: "Andrei Popescu" <andreip@google.com>
- Cc: public-geolocation <public-geolocation@w3.org>, public-geolocation-request@w3.org
- Message-ID: <OF0783E9C7.F5A731D5-ON882574EF.00773B0B-882574EF.007863F4@us.ibm.com>
Hi,

Sorry I haven't followed the security issues very closely lately, but I'll pipe in now to say that I don't think you want to say MUST NOT. I'm not even sure you should say SHOULD NOT, but certainly not MUST NOT.

There are many different usage scenarios where the geolocation APIs might be used. Suppose you have a company intranet application that uses location information, and that application is installed as a widget onto a mobile phone (that the company buys for its employees), with appropriate digsig information that confirms that the application comes from the right company. In this case (and likely in many others), there is no reason why the implementation should ask user permission before the application can access the location APIs.

I would propose that the specification include loosely worded text that talks about the importance of privacy concerns and suggests that in many common scenarios the implementation should gain explicit user permission before allowing an application to gain access to these APIs.

My general model for security in W3C specs is that the spec should highlight the security concerns and suggest possible ways for implementations to address those concerns, and nothing else. It is better to leave the definition of explicit security policy (e.g., "MUST prompt the user") to the rest of the industry. In the mobile space, OMTP or OMA are better places for establishing security policies. (Believe me, W3C committees will be much more enjoyable and fast-moving if you can push security policy questions off to a different consortium.)

Jon

"Andrei Popescu" <andreip@google.com> (sent by public-geolocation-request@w3.org) wrote on 10/27/2008 01:55 PM to public-geolocation <public-geolocation@w3.org>, subject "wording for the privacy section":

> Hello,
>
> Regarding the privacy issues, I'd like to propose the following wording:
>
> "A conforming implementation MUST NOT allow an application to use this API to obtain geolocation data without user permission.
>
> A conforming implementation MUST allow the user to revoke the permission to an application that is allowed to use this API to obtain geolocation data."
>
> We'd also have to define what a "conforming implementation" is (i.e. one that implements all the interfaces in the specification, and satisfies all other MUST-, REQUIRED- and SHALL-level criteria.)
>
> What do you think?
>
> Thanks,
> Andrei
Received on Monday, 27 October 2008 21:56:05 UTC