RE: [permissions] Analysis of permissions handling and TAG presentation

As part of this discussion, and as mentioned at the WebMob meeting in TPAC and in discussion with Phil Archer, I'd like to bring back to the table a discussion of approaches to "pre-arranged trust" as referenced in a number of DAP specs over the years. As mentioned by David, we did submit some contributions from OMTP/WAC related to how a developer can express intent for API access (through Widgets config.xml) and content/privacy disclosures (XML-based "description resource" based upon POWDER, and linked via config.xml). These were balanced against a pre-loaded web runtime provider policy expressed in XML (based upon XACML), and allowed for user selection of more restrictive (but not looser) permissions for an installable webapp.

Updating these approaches to use JSON, and for applicability to browser-based apps (e.g. API disclosures as part of description resources linked to HTML documents rather than config.xml), are examples of things that could be done to extend similar capabilities to web browsing. The goal would be to minimize the need for user prompts. Prompts are IMO a legacy/fallback approach to permissions management, through which social engineering and UI quirks (as shown in the screenshots) can in the end result in *less* safety for users. If we can successfully establish a chain of trust in browser webapp sources and related metadata (e.g. description resources), then there should be a great advantage in using these to provide a simpler, more secure user experience for browser-based apps.

Thanks,
Bryan Sullivan 
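An added example, not code from this thread and not the OMTP/WAC/BONDI contributions it references: a minimal JSON-based resolution of the three-way arrangement described above. A runtime provider policy sets a per-API ceiling for each trust class of app source (standing in for the XACML policy), the developer's declared feature list (the JSON analogue of a config.xml feature list) says which APIs the app wants, and the user may tighten any decision but never loosen it past the ceiling. Whatever still resolves to "prompt" is the residual set of runtime prompts. The structure, the names (providerPolicy, developerIntent, resolvePermissions), the trust classes, the feature names and the deny < prompt < allow ordering are all illustrative assumptions.

```javascript
// Added example (not from the thread or from OMTP/WAC/BONDI). All names,
// trust classes, feature names and the deny < prompt < allow ordering are
// illustrative assumptions.

// Strictness order: a user may move a decision left (tighter), never right.
const ORDER = { deny: 0, prompt: 1, allow: 2 };

// Provider (web runtime) policy: the ceiling per API for each trust class
// of app source. Stands in for the pre-loaded XACML policy in the thread.
const providerPolicy = {
  "signed-by-provider": { geolocation: "allow", camera: "allow", contacts: "prompt", sms: "deny" },
  "unsigned":           { geolocation: "prompt", camera: "prompt", contacts: "deny", sms: "deny" },
};

// Developer intent: the JSON analogue of a config.xml feature list.
const developerIntent = {
  trust: "signed-by-provider",
  features: ["geolocation", "camera", "contacts", "sms", "nfc"],
};

// Resolve the effective decision for each requested feature.
// - feature missing from the policy -> deny (unknown APIs are never silently granted)
// - user choice tighter than ceiling -> applied
// - user choice looser than ceiling  -> rejected and recorded, ceiling kept
function resolvePermissions(policy, intent, userChoices = {}) {
  const ceiling = policy[intent.trust];
  if (!ceiling) throw new Error(`unknown trust class: ${intent.trust}`);

  const decisions = {};
  const rejected = [];
  for (const feature of intent.features) {
    let decision = ceiling[feature] ?? "deny";
    const choice = userChoices[feature];
    if (choice !== undefined) {
      if (!(choice in ORDER)) throw new Error(`bad choice for ${feature}: ${choice}`);
      if (ORDER[choice] > ORDER[decision]) {
        rejected.push({ feature, choice, ceiling: decision });
      } else {
        decision = choice;
      }
    }
    decisions[feature] = decision;
  }
  // Only what is still "prompt" needs a runtime prompt (the fallback case).
  const promptsNeeded = Object.keys(decisions).filter((f) => decisions[f] === "prompt");
  return { decisions, rejected, promptsNeeded };
}

// Example run: the user tightens camera to prompt and contacts to deny, and
// tries to loosen sms to allow (which is rejected because the ceiling is deny).
const result = resolvePermissions(providerPolicy, developerIntent, {
  camera: "prompt",
  contacts: "deny",
  sms: "allow",
});
console.log(JSON.stringify(result, null, 2));
```

With the choices above, geolocation stays "allow" from the policy, camera and contacts take the user's tighter choices, sms keeps its "deny" ceiling and the loosening attempt is reported in `rejected`, and "nfc" (absent from the policy) is denied without any prompt; only camera ends up needing a prompt. User choices for features the app never declared are ignored, since there is nothing to tighten.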

-----Original Message-----
From: David Rogers [mailto:david.rogers@copperhorse.co.uk] 
Sent: Friday, January 10, 2014 3:07 AM
To: 'Dominique Hazael-Massieux'; public-web-mobile@w3.org
Subject: RE: [permissions] Analysis of permissions handling and TAG presentation

Hi Dom,

Thanks for putting this together. Looking at a couple of the screenshots, it is worrying that we're still in a world where prompting is being used as the primary mechanism for consent. As was discussed in projects outside W3C (OMTP BONDI and others), there are many issues with prompting, not least user prompt fatigue and auto-behaviour which can lead to very undesirable security outcomes. This is not taking into account deliberate social engineering against the user. This was also discussed at length in DAP and I would hope that work is not lost - I know good people are looking at this issue, such as Adrienne Porter Felt[1] so I hope that some of that will ultimately end up in the W3C.

What I believe the W3C and members should do in this space is:

* don't limit yourself to considering the end point with the user as being 'the browser chrome' - 'installable' web apps can have permission mechanisms controlled by the OS, arbitrating the API access
* consider API design and whether the developer can get meaningful information as to why a permission was denied - even potentially 'negotiated'. This would give a much greater richness in applications and usage.

You know I've discussed this before, but we don't seem to have moved forward as a community on this topic from four years ago. I don't advocate banning prompts entirely because that is not realistic, however we should be in no doubt that prompts are not the only way. Prompts are the easiest thing to implement and so is deferring responsibility/liability to the user - it's kind of "the cheat's way out". 

Thanks,


David.
 
[1] http://research.google.com/pubs/AdrienneFelt.html 

-----Original Message-----
From: Dominique Hazael-Massieux [mailto:dom@w3.org] 
Sent: 09 January 2014 09:53
To: public-web-mobile@w3.org
Subject: [permissions] Analysis of permissions handling and TAG presentation

Hi,

In our previous discussions, permission management was one of the topics that were raised as potential blockers for the proper development of the Web as a platform on mobile devices.

During our Shenzhen F2F, I took an action item (ACTION-93) to re-raise this topic to the W3C Technical Architecture Group (TAG).

I was kindly invited to their F2F meeting yesterday to discuss this topic; in the process, I updated the presentation I had prepared on the topic two years ago (and which I presented in Shenzhen):
http://www.w3.org/2014/Talks/dhm-tag-permissions/


The major new piece in the presentation is some research I quickly conducted in preparation for the meeting: I looked at all the features I knew of that require user consent and that I could run on my laptop, created example code snippets that triggered these user consent requests, ran them on Firefox and Chrome, captured screenshots of the resulting UI, and documented the various themes that emerged.

The result of that work is visible in:
https://github.com/dontcallmedom/web-permissions-req/


In particular:
* I built a table that summarizes the various approaches taken across APIs/features:
http://dontcallmedom.github.io/web-permissions-req/matrix.html


* the screenshots are at
https://github.com/dontcallmedom/web-permissions-req/screenshots/


* the code snippets are at:
https://github.com/dontcallmedom/web-permissions-req/tests/

and can be run from
http://dontcallmedom.github.io/dontcallmedom/web-permissions-req/tests/...

A particularly fun one is
http://dontcallmedom.github.io/web-permissions-req/tests/all.html which runs all the permission requests at once, with the following result in Chrome:
http://dontcallmedom.github.io/web-permissions-req/screenshots/all-chromium.png


I presented the result of that work to the TAG and they were quite receptive to the need for stronger coordination in this space.

In particular, Alex Russell took an action item to see which best practices could be extracted from the various approaches, and to try and identify targets for more convergence across APIs:
https://www.w3.org/2001/tag/group/track/users/43338


Dan Appelquist took an action item to ask WG Chairs about which of their APIs require user consent:
https://www.w3.org/2001/tag/group/track/actions/850


I indicated that our group was willing to help in progressing this topic further.

I already have some ideas as to what could be usefully done:
* as highlighted in the repo (https://github.com/dontcallmedom/web-permissions-req/#todo): collecting more screenshots of more permissions from more browsers on more devices

* start collecting relevant research papers on permission management; this was already started in http://www.w3.org/wiki/Mobile/articles#API_Permissions but I feel there must be a lot more available out there — if anyone has contacts in the HCI academic world, this would be a great thing to ask e.g. a student to build

Dom

Received on Friday, 10 January 2014 21:01:41 UTC