Re: Additional security and privacy considerations?

On Jun 5, 2009, at 12:02 PM, Andrei Popescu wrote:

> Hi Alissa,
>
> On Fri, Jun 5, 2009 at 4:11 PM, Alissa Cooper <acooper@cdt.org> wrote:
>> One more thought on this:
>>
>>> //-------------------------------------------------------
>>> Additional implementation consideration
>>>
>>> This section is non-normative
>>>
>>> Further to the requirements listed in the previous section,
>>> implementors of the Geolocation API are also advised to consider the
>>> following aspects that may negatively affect the privacy of their
>>> users: in certain cases, users may inadvertently grant permission to
>>> the User Agent to disclose their location to Web sites. In other
>>> cases, the content hosted at a certain URL changes in such a way that
>>> the previously granted location permissions no longer apply as far as
>>> a user is concerned. Or the users might simply change their mind.
>>>
>>> While predicting or preventing these situations is inherently
>>> difficult, mitigation and in-depth defensive measures are an
>>> implementation responsibility and not prescribed by this
>>> specification. In designing these measures, implementers are advised
>>> to enable user awareness of location sharing, and to provide easy
>>> access to interfaces that enable revocation of permissions, even when
>>> users have previously granted authorization.
>>> //-------------------------------------------------------
>>
>> Would it be possible to say "revocation of global and per-origin
>> permissions" in the last sentence? The first paragraph alludes to user
>> concerns about specific sites, but I think it's worth making explicit that
>> permission revocation should be thought of as a per-origin control in
>> addition to a global control. Once I've authorized 100 sites, I shouldn't
>> have to de-authorize them all just because I stop trusting one of them.
>>
>
> What are "global permissions"? The permissions must be per-origin, as
> stated in the normative privacy section.
>
>


global = all the permissions that have been granted (perhaps global is
not the right word)

In any event, adding just "per-origin" would have the same effect.

Alissa
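To make the per-origin versus global distinction discussed above concrete, here is an added example (it is not code from the thread, the specification, or any User Agent) modelling how a UA might keep geolocation grants keyed by origin. The class and function names are assumed, the URLs are constructed for illustration, and the `requestPosition` helper only loosely mirrors the real `getCurrentPosition` success/error pattern. The example goes slightly beyond the thread by showing that a grant is keyed on scheme, host and port only, so `http://` and `https://` forms of the same host are distinct origins and the path plays no part.

```javascript
// Added example, not from the thread or any real User Agent: a minimal
// model of a per-origin geolocation permission store with both per-origin
// and global revocation. All names and URLs here are assumptions.

// Derive the origin (scheme://host[:port]) from a page URL. Path, query
// and fragment never take part in the permission key.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    throw new Error("unsupported scheme for a geolocation grant: " + u.protocol);
  }
  return u.origin;
}

class GeolocationPermissionStore {
  constructor() {
    // Map<origin, "granted" | "denied">; an absent key means "ask the user".
    this.decisions = new Map();
  }
  grant(url) { this.decisions.set(originOf(url), "granted"); }
  deny(url) { this.decisions.set(originOf(url), "denied"); }
  // Per-origin revocation: only the named origin goes back to "prompt".
  revoke(url) { return this.decisions.delete(originOf(url)); }
  // Global revocation: every remembered decision is forgotten.
  revokeAll() {
    const n = this.decisions.size;
    this.decisions.clear();
    return n;
  }
  state(url) { return this.decisions.get(originOf(url)) || "prompt"; }
  grantedOrigins() {
    return [...this.decisions]
      .filter(([, s]) => s === "granted")
      .map(([o]) => o);
  }
}

// The check a UA would make before handing a position to a page.
// Illustrative only; the real API delivers results through callbacks.
function requestPosition(store, pageUrl) {
  switch (store.state(pageUrl)) {
    case "granted": return { ok: true, origin: originOf(pageUrl) };
    case "denied": return { ok: false, reason: "PERMISSION_DENIED" };
    default: return { ok: false, reason: "PROMPT_REQUIRED" };
  }
}

// Walk-through with constructed URLs.
function demo() {
  const store = new GeolocationPermissionStore();
  store.grant("https://maps.example/app?x=1");
  store.grant("https://weather.example/");
  store.grant("https://shop.example/checkout");

  const results = {};
  // Same origin, different path: the grant still applies.
  results.samePath = requestPosition(store, "https://maps.example/other/page").ok;
  // http:// is a different origin from https:// and has no grant.
  results.schemeDiffers = store.state("http://maps.example/");
  // Stop trusting one site: revoke only that origin, the rest survive.
  store.revoke("https://shop.example/");
  results.afterRevoke = store.grantedOrigins().sort();
  // The global control: forget every decision at once.
  results.cleared = store.revokeAll();
  results.afterClear = store.state("https://maps.example/");
  return results;
}

module.exports = { originOf, GeolocationPermissionStore, requestPosition, demo };
```

Keying on `URL.origin` rather than on the full URL is what makes the "I stop trusting one site" case cheap: one `revoke` call, and the other grants are untouched. A UA that only offers `revokeAll` forces exactly the de-authorize-everything outcome the message above objects to.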

Received on Friday, 5 June 2009 16:51:43 UTC