- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 29 Oct 2008 05:28:57 +0000 (UTC)
- To: John Morris <jmorris@cdt.org>
- Cc: public-geolocation <public-geolocation@w3.org>

On Wed, 29 Oct 2008, John Morris wrote:
>
> But they ALSO have the ability (say, by adopting Geopriv) to force
> downstream site and app developers to consider and (we hope) protect
> privacy.

Any scheme based on the idea that anything we can do can force Web authors to consider anything at all is doomed to fail. Web authors care about what they want to care about. There's nothing we can do about that. Sites that care about their reputation will care about their users' privacy. Sites that don't care about their reputation will steal credit card numbers before they steal location.

> the developer's local law may will force them to honor those
> expectations

Expecting the law to uphold technical specifications is IMHO highly inappropriate. Using technical specifications to uphold morals is equally inappropriate. (P3P was an example of attempting both of those, as far as I can tell. I think we should learn from those mistakes.)

We should use the current laws -- the enforceability of privacy statements, for example. If it worked for things like credit cards in the past, there's no reason to believe it won't work for geographical positions.

> This means that as a user of a particular browser, I will hesitate to
> give permission for my location to be given to anyone, because I have
> zero assurance that the ultimate recipient of my location info will not
> abuse it.

Yes. You *should* hesitate. This is healthy behavior. Encouraging any behavior that leads to users NOT hesitating would be a disaster.

> To answer a specific question you raised, I am not familiar with the
> iPhone OS stack, but if it is similar to the spec in this WG, then yes,
> I certainly think that it is insecure.

In that case I strongly disagree.

Just out of interest, could you show what you think the API should look like to handle Geopriv, along with all on-the-wire examples? (Please be thorough, i.e. don't say "and then you send a geopriv XML packet" or whatever, please actually show the entirety of all data that is to be sent in all directions so that we can have a full view of what it is you are proposing.) It may be that our disagreement is just based on my ignorance of what you are actually considering.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 29 October 2008 05:29:33 UTC