W3C home > Mailing lists > Public > public-media-capture@w3.org > October 2015

Re: Comments/Questions on Media Capture Streams – Privacy and Security Considerations

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 23 Oct 2015 16:18:54 -0700
Message-ID: <CABkgnnXJ8_dpHHnBwzePE73C0Fhf78r5acTyCC+-WWayv2ut5w@mail.gmail.com>
To: Nick Doty <npdoty@w3.org>
Cc: Mathieu Hofman <Mathieu.Hofman@citrix.com>, Harald Alvestrand <harald@alvestrand.no>, "public-media-capture@w3.org" <public-media-capture@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
On 23 October 2015 at 16:02, Nick Doty <npdoty@w3.org> wrote:
> We have discussed in other groups, for example at Geolocation last TPAC,
> other "opt-in" style permissions. As part of the basic principle of data
> minimization, we consider it good API design for site developers to be able
> to specify the minimum data that they need, not just to make the request
> more palatable to the end user, but also to limit their own risk. I think
> persisted permission is a special case of this in the security space, and
> something we've become more aware of with evidence of pervasive monitoring.

This isn't entirely about minimization.  I know that we've discussed
this before and the view here at least was that persisting permissions
is useful in reducing user training.  That being the phenomenon where
users get so accustomed to seeing a dialog that muscle memory takes
over whenever they see it.

We need to be sensitive to the potential for this sort of training as
it can significantly reduce the level of assurance we get that the
consent is real.  And it's already the case that consent is marginal
as it is.

This is - I think - the principle that drives the Chrome policy of
persisting these sorts of choices.  Firefox offers users a choice, and
defaults to non-persistent permissions for gUM.  Defaults are very
important here.

I think that both are valid choices, but if you were to suggest that a
site could override UX choices for browsers, even toward an arguably
"safer" posture you might get some resistance on those grounds.  More
so when you consider that even if users are not trained, they can
still be trained to the default, so changing defaults can be
surprising in other ways.

Finally, I would like to point out that browser vendors are quite
covetous of their small areas of differentiation.  How we talk to
users is one of the few ways in which we can distinguish ourselves
from the competition.
Received on Friday, 23 October 2015 23:19:26 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 16:26:34 UTC