Re: [w3ctag/design-reviews] Prompt API (Issue #1093)

domenic left a comment (w3ctag/design-reviews#1093)

Thank you for your feedback. However, it appears you (or the language model you used to write this response) did not read our specification or explainer very carefully. The resulting review is full of inaccuracies, and the parts that aren't inaccurate are just repeating the same point about nondeterministic outputs over and over. I hope we can get a more serious use of the TAG's time in the future.

Here are some specific points:

> * **Threat model missing**: Security concerns such as prompt injection, history leakage, and cross-origin contamination are not clearly addressed.

I think this is not correct. https://webmachinelearning.github.io/writing-assistance-apis/#privacy is quite detailed, including https://webmachinelearning.github.io/writing-assistance-apis/#privacy-user-input which covers your "history leakage" and "cross-origin contamination". "Prompt injection" is not a concern here since it is the developer, not the user, who is prompting the model.

You state

> * However, there is no mention of how this is enforced, nor of retention policies, which remains a concern.

But I don't think this makes sense. (Perhaps it was generated by an LLM?) It's quite simple how to enforce *not* feeding data into a model that the developer didn't request; simply don't do it. I don't know what type of specification you are expecting here, beyond what already exists.

Similarly, the idea of "retention policy" is nonsensical, when there is in fact no data retained (as explained in the S&P questionnaire and mandated in the specification). For the model itself, there is extensive discussion of retention, e.g. in https://webmachinelearning.github.io/writing-assistance-apis/#privacy-availability-eviction and elsewhere.

> * **Structured output is unreliable**: While structured outputs are discussed as desirable, they are not required (making this a risky feature that could negatively impact users and their ability to even use a web page):
>       > “Language models are not guaranteed to produce structurally valid results; efforts to constrain output structure using techniques like prompt templating may be employed...”
>       > — [README.md § Prompt lifecycle](https://github.com/webmachinelearning/prompt-api/blob/main/README.md#prompt-lifecycle)

This appears to be a hallucination in whatever AI you are using to write this TAG review, as that text does not appear anywhere and neither does the anchor it links to. Structured outputs are in fact required; see their dedicated section: https://github.com/webmachinelearning/prompt-api/blob/main/README.md#structured-output-with-json-schema-or-regexp-constraints .

> * **On-device vs remote execution**: The explainer lists "execution location transparency" as a possible future goal, but not a guarantee:
>       > “It may be desirable to offer more insight into whether a model is executing locally or remotely (e.g. to inform UX or data governance decisions).”
>       > — [README.md § Goals: Execution location transparency](https://github.com/webmachinelearning/prompt-api/blob/main/README.md#execution-location-transparency)

Similarly a hallucination. The API is in fact designed to allow "execution location transparency", as you put it.


> * **Potential for computation abuse**: There are no guardrails discussed around background or opportunistic use of models, which could lead to battery or CPU exhaustion similar to past abuses (e.g. crypto-mining).

This is false. See https://webmachinelearning.github.io/writing-assistance-apis/#security-runtime .

> * **Fingerprinting risk**: Even though the explainer demands a local model (again, not guaranteed), prompt content can encode sensitive user data or preferences, introducing new unintentional vectors for surveillance or tracking.

This is false. Prompt content is not retained.

> * **No schema support**: Inputs and outputs remain freeform text, which makes robust integration difficult.

This is false, as explained in https://github.com/webmachinelearning/prompt-api/blob/main/README.md#structured-output-with-json-schema-or-regexp-constraints .

> * **Lack of accountability**: With no shared test suite or conformance requirements, there is no path for developers to hold implementations to a common standard.

We are developing a shared test suite, some of which is already available on wpt.fyi.

> * **Unclear relationship to adjacent specs**: The explainer does not clarify how this proposal relates to WebNN, WebGPU, or potential future APIs for structured model execution.

Although in theory we could expand this more, it's worth noting that it is discussed, e.g. in https://github.com/webmachinelearning/prompt-api/blob/main/README.md#execution-location-transparency:~:text=Currently%2C%20web%20developers%20wishing%20to%20use%20language%20models%20must%20either%20call%20out%20to%20cloud%20APIs%2C%20or%20bring%20their%20own%20and%20run%20them%20using%20technologies%20like%20WebAssembly%20and%20WebGPU .

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1093#issuecomment-3222500299

Received on Tuesday, 26 August 2025 03:55:50 UTC