RE: [permissions] Analysis of permissions handling and TAG presentation

Hi Dom,

Thanks for putting this together. Looking at a couple of the screenshots, it is worrying that we're still in a world where prompting is being used as the primary mechanism for consent. As was discussed in projects outside W3C (OMTP BONDI and others), there are many issues with prompting, not least user prompt fatigue and auto-behaviour which can lead to very undesirable security outcomes. This is not taking into account deliberate social engineering against the user. This was also discussed at length in DAP and I would hope that work is not lost - I know good people are looking at this issue, such as Adrienne Porter Felt[1], so I hope that some of that will ultimately end up in the W3C.

What I believe the W3C and members should do in this space is:

* don't limit yourself to considering the end point with the user as being 'the browser chrome' - 'installable' web apps can have permission mechanisms controlled by the OS, arbitrating the API access
* consider API design and whether the developer can get meaningful information as to why a permission was denied - even potentially 'negotiated'. This would give a much greater richness in applications and usage.

You know I've discussed this before, but we don't seem to have moved forward as a community on this topic from four years ago. I don't advocate banning prompts entirely because that is not realistic, however we should be in no doubt that prompts are not the only way. Prompts are the easiest thing to implement and so is deferring responsibility/liability to the user - it's kind of "the cheat's way out". 

Thanks,


David.
 
[1] http://research.google.com/pubs/AdrienneFelt.html 

-----Original Message-----
From: Dominique Hazael-Massieux [mailto:dom@w3.org] 
Sent: 09 January 2014 09:53
To: public-web-mobile@w3.org
Subject: [permissions] Analysis of permissions handling and TAG presentation

Hi,

In our previous discussions, permission management was one of the topics that were raised as potential blockers for the proper development of the Web as a platform on mobile devices.

During our Shenzhen F2F, I took an action item (ACTION-93) to re-raise this topic to the W3C Technical Architecture Group (TAG).

I was kindly invited to their F2F meeting yesterday to discuss this topic; in the process, I updated the presentation I had prepared on the topic two years ago (and which I presented in Shenzhen):
http://www.w3.org/2014/Talks/dhm-tag-permissions/

The major new piece in the presentation is some research I quickly conducted in preparation for the meeting: I looked at all the features I knew of that require user consent and that I could run on my laptop, created example code that triggered these user consent requests, ran it on Firefox and Chrome, captured screenshots of the resulting UI, and documented the various themes that emerged.

The result of that work is visible in:
https://github.com/dontcallmedom/web-permissions-req/

In particular:
* I built a table that summarizes the various approaches taken across APIs/features:
http://dontcallmedom.github.io/web-permissions-req/matrix.html

* the screenshots are at
https://github.com/dontcallmedom/web-permissions-req/screenshots/

* the code snippets are at:
https://github.com/dontcallmedom/web-permissions-req/tests/
and can be run from
http://dontcallmedom.github.io/dontcallmedom/web-permissions-req/tests/...
A particularly fun one is
http://dontcallmedom.github.io/web-permissions-req/tests/all.html which runs all the permission requests at once, with the following result in Chrome:
http://dontcallmedom.github.io/web-permissions-req/screenshots/all-chromium.png

I presented the result of that work to the TAG and they were quite receptive to the need for stronger coordination in this space.

In particular, Alex Russell took an action item to see which best practices could be extracted from the various approaches, and to try and identify targets for more convergence across APIs:
https://www.w3.org/2001/tag/group/track/users/43338

Dan Appelquist took an action item to ask WG Chairs about which of their APIs require user consent:
https://www.w3.org/2001/tag/group/track/actions/850

I indicated that our group was willing to help in progressing this topic further.

I already have some ideas as to what could be usefully done:
* as highlighted in the repo
https://github.com/dontcallmedom/web-permissions-req/#todo collecting more screenshots of more permissions from more browsers on more devices

* start collecting relevant research papers on permission management; this was already started in http://www.w3.org/wiki/Mobile/articles#API_Permissions but I feel there must be a lot more available out there — if anyone has contacts in the HCI academic world, this would be a great thing to ask e.g. a student to build

Dom

Received on Friday, 10 January 2014 11:08:05 UTC