Re: API Minimization and User Control [was: Re: DanA: what are you likely to have ready for the F2F] from Frederick.Hirsch@nokia.com on 2011-02-02 (www-tag@w3.org from February 2011)

From: <Frederick.Hirsch@nokia.com>
Date: Wed, 2 Feb 2011 21:34:26 +0100
To: <Daniel.Appelquist@vodafone.com>
CC: <Frederick.Hirsch@nokia.com>, <www-tag@w3.org>
Message-ID: <7A8716BE-E3E6-4E5C-909A-FD4DFDB48E27@nokia.com>
+1 to Dan.

As an example, if a specific contact field is needed for a specific purpose (such as sharing) then only that information should be requested and returned in the API.  it would not be minimization if an API were designed to always return all contacts or all information for a specific contact, when not needed.

This would not necessarily be under user control as it is an issue with how the API is designed.

regards, Frederick

Frederick Hirsch
Nokia



On Feb 2, 2011, at 9:19 AM, ext Appelquist, Daniel, VF-Group wrote:

I am not sure I agree that minimization is an aspect of user control.  Minimization (in this context) is merely applying the principle of providing a the lowest possible surface area of attack (to those who wish to misappropriate private information).  It’s not necessarily implicit that it’s the user deciding what granularity of information (for example, city / neighborhood / street name) but rather that the webapp making the API call must specify the level of granularity it needs and the API must respond with no more than what the WebApp needs. The user could play a role there, but not necessarily. At least that’s my understanding of the principle as applied in the DAP privacy requirements: http://dev.w3.org/2009/dap/privacy-reqs/#privacy-minimization

...or am I missing something?

Dan

PS – I have brought this over to the public tag list – hope that’s OK.

On 02/02/2011 13:35, "Oracle" <ashok.malhotra@oracle.com<x-msg://426/ashok.malhotra@oracle.com>> wrote:

  Dan:
 If you buy the thesis of the paper, it says that letting the user control what private information gets
 exposed is ultimately futile.  Thus,. minimization which is an aspect of user control is not interesting.

All the best, Ashok

 On 2/2/2011 12:49 AM, Appelquist, Daniel, VF-Group wrote:
Re: DanA: what are you likely to have ready for the F2F Hia folks --

 I have been making some updates to http://www.w3.org/2001/tag/doc/APIMinimization.html in anticipation of discussion at the f2f as per ACTION-514.

 Ashok/Jonathan – thanks for that reference but I am not sure it really helps me with the specific work item in question.

 I have found the following IETF Draft ( http://tools.ietf.org/id/draft-hansen-privacy-terminology-00.html ) which has really reinforced some of my thinking in this space – and has helped me think about this problem space.

 Basically what I propose that we could achieve in a TAG document on this subject is to articulate how to apply this principle to the field of browser-based API definition specifically (building on the work of the above IETF draft and the good work of the folks in the DAP working group).

 Any thoughts?

 Thanks,
 Dan

 PS can we take this back to www-tag  or was there a reason you wanted to keep this on tag, noah?

 On 31/01/2011 15:50, "Jonathan Rees" <jar@creativecommons.org<x-msg://426/jar@creativecommons.org>> wrote:


On Sun, Jan 30, 2011 at 11:05 AM, ashok malhotra
 <ashok.malhotra@oracle.com<x-msg://426/ashok.malhotra@oracle.com>> wrote:
 > Re. minimization, take a look at the paper by Abelson, Sussman, Hendler, et
 > al..
 > This argues that users cannot make intelligent choices re. privacy because
 > they do not realize all the
 > consequences of their actions.  Moreover, the landscape will change and the
 > choices you
 > make today may not be appropriate tomorrow.  Hence, they say, that what we
 > need are laws
 > about what data can be used in what context.  They cite as example the FTC
 > laws that limit
 > the use of data that the credit rating companies collect.
 >
 > I'm having trouble finding a good pointer to the paper.  They best I get is
 > http://portal.acm.org/citation.cfm?id=1349043 which allows you to buy a
 > copy.

 http://dig.csail.mit.edu/2008/06/info-accountability-cacm-weitzner.pdf

 (found at project page http://dig.csail.mit.edu/TAMI/ )

 Jonathan

 > All the best, Ashok
 >
 > On 1/29/2011 4:25 PM, Noah Mendelsohn wrote:
 >>
 >> Dan: I hope you're feeling better. I would really appreciate it if you
 >> could give me some guidance soon as to which areas you're working on are
 >> likely to merit F2F time.
 >>
 >> My tentative list includes the following as potential items from you:
 >>
 >> * API minimization
 >> * deep linking proto draft
 >> * Widgets and offline Web apps - I have a note that Matt Womer is doing a
 >> workshop relating to unification Web Apps group and app cache)
 >>
 >> FYI, your open actions are:
 >>
 >> ACTION-390: Review ISSUE-58 and suggest next steps  (I note that Henry has
 >> asked for some discussion of the catalog he's put together)
 >> ACTION-507: With Noah to suggest next steps for TAG on privacy
 >> ACTION-480: Draft overview document framing Web applications as opposed to
 >> traditional Web of documents
 >> ACTION-460: Coordinate with IAB regarding next steps on privacy policy
 >> ACTION-514: open     Draft finding on API minimization
 >> ACTION-505: Start a document wrt issue-25 (deep linking)
 >>
 >> It's not yet clear whether we are overcommitted time-wise, so I'd like to
 >> start by identifying the areas in which there will be real progress to
 >> discuss and/or others sufficiently critical to merit F2F time. Anyway, if
 >> you could give me suggestions as to what to schedule, I'd appreciate it.  I
 >> need to get the agenda out ASAP.  Thank you.
 >>
 >> Noah
 >>
 >>
 >
 >
Received on Wednesday, 2 February 2011 20:35:09 UTC