I will add a link and instructions about revoking the tool from the user's authorized applications.
On Fri, 3 Feb 2017, at 11:32 AM, Maximilian Doerr wrote:
> My viewpoint is that tokens are considered private information, and
> its use during the active browsing session is permitted without
> disclosure as the end-user is in control of connecting the application
> or not. However, I consider the storing of these tokens for later use
> to be storing private data which, by the ToS of labs, must be disclosed
> to the user.
>
> Cyberpower678
> English Wikipedia Account Creation Team
> English Wikipedia Administrator
> Global User Renamer
>
>> On Feb 2, 2017, at 22:27, Bryan Davis <bd...@wikimedia.org> wrote:
>>
>> On Thu, Feb 2, 2017 at 8:00 PM, Maximilian Doerr
>> <maximilian.do...@gmail.com> wrote:
>>> As long as the information isn't permanently stored, and the storage
>>> location is secure, you can go ahead and do that, BUT such storage
>>> must be disclosed to the user in a very visible manner, like a tool
>>> ToS, similar to what https://tools.wmflabs.org/iabot/ does for first
>>> time use, that discloses what it stores, why it's being stored, and
>>> how long it's being stored for, so users can make an informed
>>> decision on whether or not to use your tool and if they are
>>> comfortable with that condition.
>>
>> Documenting how the tool works and what it stores is a very good and
>> reasonable thing to do. However, I would personally assume that the
>> approval of the OAuth grant in the first place by the end user is
>> consent to use the token. There is no contract, implied or otherwise,
>> in the OAuth prompt that the grant of rights is limited to the scope
>> of a single browser session. OAuth tokens are similar in concept to a
>> valet key [0]. When a grant request is accepted you as the granting
>> user are giving the requesting application the right and ability to
>> perform any of the actions covered by the grant until such a time as
>> the grant is revoked by you using Special:OAuthManageMyGrants [1] or
>> the application itself has its rights revoked globally for some terms
>> of service violation. That being said, tokens should not be stored
>> without a reason and reasonable precautions should be taken to ensure
>> that tokens are not exposed to other users of the application or
>> 3rd-parties.
>>
>>
>> [0]: https://en.wikipedia.org/wiki/Key_(lock)#Car_keys
>> [1]: https://meta.wikimedia.org/wiki/Special:OAuthManageMyGrants
>>
>> Bryan
>> --
>> Bryan Davis              Wikimedia Foundation
>> <bd...@wikimedia.org>    [[m:User:BDavis_(WMF)]]    Sr Software Engineer
>> Boise, ID USA            irc: bd808                 v:415.839.6885 x6855
_______________________________________________ Labs-l mailing list Labs-l@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/labs-l
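The precaution Bryan asks for (store a token only for a reason, for a bounded time, and never in a way that exposes it to other users of the tool or to third parties) and the tool-side revocation mentioned at the top of this reply can be made concrete. What follows is an added example, not code from this thread or from any Wikimedia tool: the names, the 30-day TTL, the JSON record layout and the HMAC-SHA256 counter-mode cipher are assumptions made here so that it runs offline with only the standard library. A production tool should use a library AEAD such as AES-GCM in place of that stdlib-only stand-in.

```python
"""Added example (not code from the Labs-l thread or any Wikimedia tool):
a server-side store for OAuth access tokens that a tool keeps beyond one
browser session. Key labels, the 30-day TTL and the record layout are
illustrative assumptions."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in so the example runs
    # offline. Production code should use a library AEAD such as AES-GCM.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class TokenStore:
    """Encrypts each token record at rest, binds it to the granting user's id
    (a record copied into another user's row will not open), expires it after
    a stated TTL, and lets the tool drop it when the user disconnects."""

    def __init__(self, master_key: bytes, ttl_seconds: int):
        self._enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self._ttl = ttl_seconds
        # user_id -> (expires_at, sealed record). A real tool keeps this in its
        # database; the dict is the constructed stand-in.
        self._records: Dict[str, Tuple[float, bytes]] = {}

    def _seal(self, user_id: str, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(self._enc_key, nonce, len(plaintext))))
        # Encrypt-then-MAC, with the user id as associated data.
        tag = hmac.new(self._mac_key, user_id.encode() + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _open(self, user_id: str, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac_key, user_id.encode() + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("token record does not belong to %s or was tampered with" % user_id)
        return bytes(c ^ k for c, k in zip(ct, _keystream(self._enc_key, nonce, len(ct))))

    def put(self, user_id: str, access_token: str, access_secret: str, now: Optional[float] = None) -> float:
        """Store the token pair; returns the time at which it will be discarded."""
        now = time.time() if now is None else now
        expires_at = now + self._ttl
        record = json.dumps({"token": access_token, "secret": access_secret}).encode()
        self._records[user_id] = (expires_at, self._seal(user_id, record))
        return expires_at

    def get(self, user_id: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
        """Return (token, secret) for this user, or None if absent or expired."""
        now = time.time() if now is None else now
        entry = self._records.get(user_id)
        if entry is None:
            return None
        expires_at, blob = entry
        if now >= expires_at:
            del self._records[user_id]  # storage is time-limited, not permanent
            return None
        data = json.loads(self._open(user_id, blob))
        return data["token"], data["secret"]

    def revoke(self, user_id: str) -> bool:
        """Drop the stored copy, e.g. when the user disconnects the tool. The
        grant itself is revoked wiki-side via Special:OAuthManageMyGrants."""
        return self._records.pop(user_id, None) is not None


def demo() -> Dict[str, object]:
    """Exercise the store on constructed data and report what each check found."""
    store = TokenStore(master_key=secrets.token_bytes(32), ttl_seconds=30 * 24 * 3600)
    t0 = 1_700_000_000.0
    store.put("alice", "tok-alice", "sec-alice", now=t0)
    store.put("bob", "tok-bob", "sec-bob", now=t0)
    results: Dict[str, object] = {}
    results["alice_roundtrip"] = store.get("alice", now=t0 + 60)
    results["unknown_user"] = store.get("carol", now=t0 + 60)
    # bob's sealed record copied into alice's row must not open for alice.
    exp, bob_blob = store._records["bob"]
    store._records["alice"] = (exp, bob_blob)
    try:
        store.get("alice", now=t0 + 60)
        results["swapped_record_rejected"] = False
    except ValueError:
        results["swapped_record_rejected"] = True
    results["expired"] = store.get("bob", now=t0 + 31 * 24 * 3600)
    store.put("bob", "tok-bob", "sec-bob", now=t0)
    results["revoked"] = store.revoke("bob") and store.get("bob", now=t0 + 60) is None
    return results
```

The TTL and the purpose of the stored record are exactly the facts Maximilian wants disclosed to the user on first use (what is stored, why, and for how long), so they should appear verbatim in the tool's notice. Note that `revoke` only drops the tool's copy; once the user revokes the grant on Special:OAuthManageMyGrants the stored token is dead regardless, and the tool should treat the resulting API errors as a signal to discard it.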