Re: Additional security and privacy considerations?

On 26 May 2009, at 20:24, Andrei Popescu wrote:

>> 3. Non-normative guidance (which I'd be willing to accept, as I said
>> earlier; in that case, I'd like to re-add the examples and elaborate a bit
>> more on the text)
>>
>> My question is whether there is opposition against 2 or 3.
>
> As I mentioned already, I would definitely oppose 1 and 2. 3 would
> probably be reasonable as long as it is a separate non-normative
> section and states the goals that you mentioned as something UA
> implementers could consider. We should not mention specific UI
> recommendations since these, as Greg mentioned, are out of scope for a
> spec that deals with location.

I wouldn't mind an example or two, but with a clear understanding that  
we're talking non-normative examples, not specific UI recommendations.

So, I'll leave it to you to invent a section heading and to add  
something that indicates that the text is non-normative.  But here's a  
proposal (edits welcome; additional mitigation techniques more than  
welcome):

> Implementors should consider the risk of users granting  
> authorization inadvertently, and provide mechanisms to limit users'  
> exposure to privacy risks due to such errors. Such mechanisms include:

> 1. User interface cues that indicate whether location data is being  
> shared with a web site, and facilitate easy revocation of previously  
> granted permissions.  For example, a web browser in a typical  
> desktop environment could display a visual indicator when the user  
> interacts with a site that has been authorized to acquire location  
> information.  A mouse click on this indicator could then start an  
> interaction that starts a revocation interaction.

> 2. Expiry of user consent.  For example, implementations could  
> perform an exponential back-off for user consent interactions for a  
> given origin, up to some predetermined time limit on the scale of  
> some days to a few weeks.

Received on Wednesday, 27 May 2009 08:58:52 UTC
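
Added example, not part of the original message or of any specification text: one way a user agent could implement the consent expiry described in item 2, reading "exponential back-off" as a grant lifetime that doubles each time the user re-consents for the same origin, up to a cap. The names `ConsentStore` and `originOf`, the one-day base and the two-week cap are assumptions chosen for illustration.

```javascript
// Illustration only: all names and constants here are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const BASE_LIFETIME_MS = 1 * DAY_MS;  // assumed lifetime of a first grant
const MAX_LIFETIME_MS = 14 * DAY_MS;  // assumed cap ("some days to a few weeks")

// Consent is keyed by origin (scheme + host + port), not by full URL.
const originOf = (url) => new URL(url).origin;

class ConsentStore {
  constructor() {
    this.byOrigin = new Map(); // origin -> { grants, expiresAt }
  }

  // Lifetime doubles with every grant the user has given this origin,
  // so a site the user keeps approving prompts less often, up to the cap.
  static lifetimeFor(grantCount) {
    return Math.min(BASE_LIFETIME_MS * 2 ** (grantCount - 1), MAX_LIFETIME_MS);
  }

  // The user answered "allow" in a consent prompt at time `now` (ms).
  grant(url, now) {
    const origin = originOf(url);
    const prev = this.byOrigin.get(origin);
    const grants = (prev ? prev.grants : 0) + 1;
    const expiresAt = now + ConsentStore.lifetimeFor(grants);
    this.byOrigin.set(origin, { grants, expiresAt });
    return expiresAt;
  }

  // Explicit revocation forgets the history, so the next grant
  // starts again at the base lifetime.
  revoke(url) {
    this.byOrigin.delete(originOf(url));
  }

  // Returns "allowed" while consent is live, otherwise "prompt".
  // An expired entry is kept so the grant count survives expiry.
  check(url, now) {
    const entry = this.byOrigin.get(originOf(url));
    return entry && now < entry.expiresAt ? "allowed" : "prompt";
  }
}
```

The clock is passed in as `now` so that expiry can be exercised deterministically; a real implementation would also persist the map across sessions.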