Re: Explicit intents privacy concern

On Fri, Jul 27, 2012 at 3:58 AM, John Lyle <> wrote:
> On 25/07/12 18:22, Greg Billock wrote:
>> My argument is that what this means is that if that service is trying
>> to pass this data (explicitly) to another service, they'll just use
>> some other way to do it. I think this is an unnecessary and possibly
>> deleterious complication we should not introduce.
> This is probably a stupid question, but what should my expectations be as an
> intent service provider?
> If I am an intent service, should I assume that the fact I'm receiving data
> originally from an intent invocation implies that there has been some form
> of user consent through the user agent for this action?  Because for normal
> intent invocation that seems reasonable.  But for explicit intents, that
> isn't the case.
> For example: an intent service which 'shares' an image by posting it to my
> social network profile.  If all intents require user consent then the social
> network intent service doesn't necessarily need to implement a consent stage
> itself.  After all, it may know that the request is coming from an
> authenticated user session, and the expected use pattern of clicking on a
> 'share' button is a pretty good indicator of consent.
> Should all intent services should provide an authorisation step (or perhas
> an 'undo' step) when they receive a request made via intents?

Basically, yes. The best practices there are to provide a confirmation
or verification step for the user.

> Thanks,
> John
> --
> John Lyle
> Research Assistant
> Department of Computer Science, University of Oxford

Received on Friday, 27 July 2012 15:18:24 UTC