enableHighAccuracy as a privacy feature from Dominique Hazael-Massieux on 2010-03-24 (public-geolocation@w3.org from March 2010)

From: Dominique Hazael-Massieux <dom@w3.org>
Date: Wed, 24 Mar 2010 09:10:32 +0100
To: public-geolocation <public-geolocation@w3.org>
Message-ID: <1269418232.7232.37.camel@localhost>

Hi,

The current Geolocation API editors draft [1] offers an optional
enableHighAccuracy attribute on PositionOptions to make it possible for
developers to inform whether they need a high level of accuracy or not,
in the perspective of the power consumption and time that acquiring very
accurate data may require.

But this attribute also offers a potentially useful privacy-enabler hook:
indeed, a web site that doesn't need detailed location information can
reduce the privacy risks associated with location information by
ensuring that attribute is set to false.

But that aspect is not evoked at all in the specification — I think it
should be (and have a specific text proposal below).

Right now, the spec doesn't recommend NOT sending high-accuracy data
when it is not required, when I think it would clearly make sense for
all interested parties to do so.

Consider the case of a user who has a GPS that already has a fix, they
go to a website that has enableHighAccuracy set to false.  The
application doesn't need accuracy, but nothing in the specification will
prevent high accuracy location information from being sent.  Why
needlessly expose information that the website doesn't need?

More specifically, I think it would make sense to require user agents to
always provide less accurate information when enableHighAccuracy is
false (which is the default when not specified).  The algorithm and user
interface shouldn't be specified, and instead be left to the
implementers.  The enableHighAccuracy flag could also be used for user
agents as a hook to enable additional privacy-features (that I'll be
happy to discuss if anybody is interested in the few ideas I've had).

To that end, here is a proposed addition to the spec that would complete
the existing "enableHighAccuracy" description:
        When enableHighAccuracy is false, user agents SHOULD ensure that
        the location data sent back to the application is of limited
        accuracy, regardless of whether higher accuracy data is
        available, thus helping to reduce unneeded exposure of
        privacy-sensitive data.

I'm also happy to provide test cases to help determine the current
browsers behavior if that's helpful.

Dom

1. http://dev.w3.org/geo/api/spec-source.html#position_options_interface

Received on Wednesday, 24 March 2010 08:10:42 UTC