- From: Robin Berjon <robin@berjon.com>
- Date: Thu, 9 Feb 2012 00:05:19 +0100
- To: Adrienne Porter Felt <apf@berkeley.edu>
- Cc: Paul Libbrecht <paul@hoplahup.net>, Boris Zbarsky <bzbarsky@mit.edu>, public-webapps@w3.org
Hi Adrienne,

On Feb 8, 2012, at 22:56, Adrienne Porter Felt wrote:

> I agree that the current UI is not great. However, I disagree about "everyone" clicking through permission grants. I've done two user studies and found that about ~18% of people look at permissions for a given installation, and about ~60% look occasionally. We found that most have no idea what they really mean -- but that is a separate problem pertaining to the presentation. Also, about 20% of people have in the past avoided apps that they considered "bad" because the permissions alerted them to something that they didn't like.

Thanks, this is very interesting input. Are the results from those user studies available somewhere? Results from an organisation's internal testing that I've seen before showed that (IIRC) 10-15% responded no either always or when there were too many permissions but without consideration for what they might have meant and the rest always said yes.

I am not so certain that the fact that people have no idea what permissions really mean is a separate problem that could be solved with presentation alone. It's very hard to explain what a given permission is for in a given application. Network could be vital, or it could just be for sharing high scores. That's the distinction that the users care about. If it's requested during the action (Share Your Highscores -> Oh, can I use your connection for that?) then it makes sense, but otherwise it's at best a wild guess.

Also, those 20% who mentioned avoiding apps in the past due to the permissions prompt — were they self-reported?

>> Apps on Android are unlikely to request access to your address book because the Android Intents model makes it so that unless you're installing a contacts manager app, there probably is no reason why any app would have access to that. That said, if it did require access, the odds that a user would notice are close to nil.
>
> One thing I've found is that developers often don't understand the relationship between Intents and permissions in Android. A common mistake is for an app to ask for the READ_CONTACTS permission even though it's actually using an Intent to access contacts (which doesn't need the permission). Either that, or apps will unnecessarily implement things that are already provided via Intents for no particular reason. I think these issues could be avoided on the Web by first introducing something that can be accessed via WebIntents and only later introducing direct access via "permissions", and also making the documentation very clear.

Yes, or even only ever introducing them (in a Browser Apps context) through Intents.

--
Robin Berjon - http://berjon.com/ - @robinberjon
Received on Wednesday, 8 February 2012 23:05:48 UTC
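
An added example, not part of the original message and not Android's own tooling: a small audit for the mistake described in the quoted text above, where READ_CONTACTS is declared although contacts are only reached through an Intent. The manifest, the source snippets, the regex heuristics and the function names are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
READ_CONTACTS = "android.permission.READ_CONTACTS"

# Constructed sample manifest (not from any real app).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.highscores">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Constructed source: one contact is picked through an Intent, then only
# the URI handed back by the picker is queried.
PICKER_SRC = """
Intent i = new Intent(Intent.ACTION_PICK, ContactsContract.Contacts.CONTENT_URI);
startActivityForResult(i, PICK_CONTACT);
Cursor c = getContentResolver().query(data.getData(), null, null, null, null);
"""

# Constructed source: the contacts table is read directly.
DIRECT_SRC = """
Cursor c = getContentResolver().query(
    ContactsContract.Contacts.CONTENT_URI, null, null, null, null);
"""

# Heuristics (assumptions of this example): query() called on a
# ContactsContract table URI is direct access; ACTION_PICK on
# ContactsContract is Intent-based access.
DIRECT_RE = re.compile(r"\.query\(\s*ContactsContract\.[\w.]*CONTENT_URI")
PICKER_RE = re.compile(r"Intent\.ACTION_PICK\s*,\s*ContactsContract\.")

def declared_permissions(manifest_xml):
    """Return the set of permission names in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def audit_read_contacts(manifest_xml, sources):
    """Compare the READ_CONTACTS declaration with how the code reaches contacts."""
    declared = READ_CONTACTS in declared_permissions(manifest_xml)
    direct = any(DIRECT_RE.search(s) for s in sources)
    picker = any(PICKER_RE.search(s) for s in sources)
    if declared and not direct:
        # Declared, but only Intent use (or no contact use) was found.
        return "unneeded" if picker else "unused"
    if direct and not declared:
        return "missing"
    return "ok"
```
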