Re: security problems [WAS: Intent to remove: sensor APIs]

2017-08-02 Thread Enrico Weigelt, metux IT consult

On 02.08.2017 15:53, Blair MacIntyre wrote:

> FWIW, I wouldn’t mind being involved in a discussion about this,
> if people want to seriously consider putting it behind a
> "user-permission prompt" (similar to geolocation) or
> "user-action requirement"


I'd even go further and move it to an extra package, that may not even
be deployed in the first place.

One major reason is that browsers are often used on systems where we
can't always trust the user to always take the right decisions.
Scenarios could be my 90-year-old grandpa (who's already annoyed by all
that web-2.0 stuff) or business machines where companies wanna protect
themselves from espionage etc. (similar to banning smartphones w/
cameras from their facilities, etc.).

The more of those things are added to the browser, the harder it gets
to manage this. Sooner or later we'll get to a point where FF is just
banned (or forked). I doubt that this is your intention.


There has been discussion of this issue in the WebVR community, for

> example, noting that in WebVR, you don’t get any device reports
> without a user action requesting the “VR”.

By device reports you mean calling home ?


On top of that, there is very likely a need to not just “ask once at

> the start” but toggle access to sensitive info on/off as the user uses
> a web app

And there should be a manual control (e.g. via keys or mouse gestures),
w/o the web app noticing that it's manual.

There's even more: the user also needs control over where the data
is actually coming from (e.g. which device exactly). Otherwise that
fancy feature will only be usable in some specific use cases.


I think as we move toward exposing AR technology (like Tango, ARKit,

> Windows Holographic) in web user-agents, we may need to rethink how
> we obtain and manage the data user’s give to pages.

Yes, that's a very vital issue. And I'd also suggest which parts of that
are implemented *inside* the browser at all (vs external applications)

> I believe that respecting user privacy and supporting their ability
> to control information flow may actually be the thing that makes the
> web a preferred platform for AR/VR,


Perhaps we should also rethink what "the web" *actually* means here.
Does everything that the web might offer need to run inside the
browser? Does that mean the browser has to become a kind of operating
system of its own?


since the various platforms are giving all data to apps automatically,

> which create a “take it or leave it” attitude regarding privacy and
> sensor information.

An important point here is that it's easy to leave it. If you don't want
to run any proprietary code, just don't do it. Period. And it doesn't
seem to be easy making great number of people dependent on it.

OTOH, if these things are already integrated in the browser, it isn't
so easy anymore. It quickly becomes an all or nothing decision.


Anyway, if folks want to discuss this, let me know.  We should probably move 
off this thread?


Agreed, for the WebVR stuff (maybe should be even discussed on a
separate list). In general, I'd just like to highlight that
security is a vital aspect.


--mtx

___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform


Re: security problems [WAS: Intent to remove: sensor APIs]

2017-08-02 Thread Blair MacIntyre
> At least these things should be purely optional and providing an
> *easy* way to filter that data. (same for the geolocation stuff).


FWIW, I wouldn’t mind being involved in a discussion about this, if people want 
to seriously consider putting it behind a "user-permission prompt"  (similar to 
geolocation) or "user-action requirement” (similar to webvr and some aspects of 
mobile video playing) of some sort.  

There has been discussion of this issue in the WebVR community, for example, 
noting that in WebVR, you don’t get any device reports without a  user action 
requesting the “VR”.  But, there is the tension between making the APIs usable, 
permission fatigue on the part of users, etc.  On top of that, there is very 
likely a need to not just “ask once at the start” but toggle access to 
sensitive info on/off as the user uses a web app (e.g., in the experimental 
Argon4 “AR-enabled” web browser, we have the ability to toggle location data 
on/off at any time without having to reload).

I think as we move toward exposing AR technology (like Tango, ARKit, Windows 
Holographic) in web user-agents, we may need to rethink how we obtain and 
manage the data users give to pages.

I want the web to work well in these new application areas; but I also want 
the characteristics of the web we love (i.e., the ability to feel relatively 
safe as you move around and follow links) to survive as well. I believe that 
respecting user privacy and supporting their ability to control information 
flow may actually be the thing that makes the web a preferred platform for 
AR/VR, since the various platforms are giving all data to apps automatically, 
which creates a “take it or leave it” attitude regarding privacy and sensor 
information. This is a major driver for me for how a WebAR API may be structured.

Anyway, if folks want to discuss this, let me know.  We should probably move 
off this thread?
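The two messages above argue about the same access model from different sides: a permission prompt per origin and sensor, a user-action requirement before any data flows, a runtime on/off toggle that works without a reload, and user control over which physical device actually answers. The following is an added example, not code from this thread or from any browser; it is a plain Node-runnable model of that policy with constructed sample devices and invented names (`PermissionStore`, `SensorGate`, the example origins), so it can be read as a design sketch rather than as any user-agent's implementation.

```javascript
// Added example (not from the thread): a minimal model of the sensor-access
// policy discussed above. Runs in Node with no browser globals. All class
// and origin names are this example's own inventions.

const STATES = new Set(['granted', 'prompt', 'denied']);

// Per-origin, per-sensor permission state, using the same vocabulary as
// the browser Permissions API ("granted" / "prompt" / "denied").
class PermissionStore {
  constructor() { this.map = new Map(); }
  key(origin, sensor) { return `${origin}|${sensor}`; }
  get(origin, sensor) { return this.map.get(this.key(origin, sensor)) || 'prompt'; }
  set(origin, sensor, state) {
    if (!STATES.has(state)) throw new Error(`bad permission state: ${state}`);
    this.map.set(this.key(origin, sensor), state);
  }
}

// The gate a page must pass through to read a sensor:
// - a transient user activation is required (the "user-action requirement")
// - a granted permission is required (the "user-permission prompt")
// - the user can switch the origin off at any time, without a reload
// - the user, not the page, chooses which physical device answers
class SensorGate {
  constructor(store, devices, askUser) {
    this.store = store;        // PermissionStore
    this.devices = devices;    // { sensorType: [{ id, read() }, ...] }
    this.askUser = askUser;    // (origin, sensor) => 'granted' | 'denied'
    this.enabled = new Map();  // user-controlled per-origin kill switch
    this.selected = new Map(); // user-chosen device id per sensor type
  }

  // User-side controls. The page has no handle to these, so it cannot tell
  // a manual toggle from a sensor that simply has no data.
  toggle(origin, on) { this.enabled.set(origin, on); }
  selectDevice(sensor, id) { this.selected.set(sensor, id); }

  // Page-side request. Returns { ok, reason } or { ok, value }.
  request(origin, sensor, { userActivation = false } = {}) {
    if (!userActivation) return { ok: false, reason: 'no-user-activation' };
    let state = this.store.get(origin, sensor);
    if (state === 'prompt') {           // first use: ask, then remember
      state = this.askUser(origin, sensor);
      this.store.set(origin, sensor, state);
    }
    if (state !== 'granted') return { ok: false, reason: 'denied' };
    return this.read(origin, sensor);
  }

  // Later reads after a grant still go through the runtime toggle.
  read(origin, sensor) {
    if (this.enabled.get(origin) === false) return { ok: false, reason: 'user-disabled' };
    if (this.store.get(origin, sensor) !== 'granted') return { ok: false, reason: 'denied' };
    const list = this.devices[sensor] || [];
    const dev = list.find(d => d.id === this.selected.get(sensor)) || list[0];
    if (!dev) return { ok: false, reason: 'no-device' };
    // The page receives a value; which device produced it stays with the user.
    return { ok: true, value: dev.read() };
  }
}

// Constructed sample devices and a scripted "user" decision table.
function demo() {
  const devices = {
    geolocation: [
      { id: 'gps',    read: () => ({ lat: 52.52, lon: 13.405 }) },
      { id: 'coarse', read: () => ({ lat: 52.5,  lon: 13.4 }) },
    ],
  };
  const decisions = { 'https://maps.example': 'granted', 'https://ads.example': 'denied' };
  const gate = new SensorGate(new PermissionStore(), devices,
                              (origin) => decisions[origin] || 'denied');
  const log = [];
  log.push(gate.request('https://maps.example', 'geolocation'));                          // no activation yet
  log.push(gate.request('https://maps.example', 'geolocation', { userActivation: true })); // prompt -> granted, gps
  gate.selectDevice('geolocation', 'coarse');                                             // user picks the source
  log.push(gate.read('https://maps.example', 'geolocation'));                             // coarse value
  gate.toggle('https://maps.example', false);                                             // user flips it off
  log.push(gate.read('https://maps.example', 'geolocation'));                             // user-disabled
  log.push(gate.request('https://ads.example', 'geolocation', { userActivation: true }));  // prompt -> denied
  return log;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 1));
}
```

The point of the `read` path is that a grant is not the end of the story: every later read re-checks the user's toggle and the stored permission, so a switch flipped mid-session takes effect on the next read with no reload, and the page only ever sees a reason string, not which device the user selected.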


security problems [WAS: Intent to remove: sensor APIs]

2017-08-02 Thread Enrico Weigelt, metux IT consult

On 02.08.2017 14:29, Michael Hoye wrote:

> You need to dial this rhetoric back about 100%. It is not acceptable to
> bring even an implied accusation like that to a technical discussion, or
> indeed any conversation at all, at Mozilla.

Who did I accuse of what exactly?

All I'd like to say here is that those features add yet another tool
for mass surveillance.

I've grown up in the GDR regime - I've learned what it means when your
privacy is invaded or you get punished because somebody in your family
or a neighbor said a wrong word.

And we're strongly marching towards the same again, but now with the
oppressors having much better technology, in our bedrooms. It's not
fiction, it's fact - it's already there. Spying phone apps everywhere,
even spying TV sets, remote controllable cards, etc, etc.

Quite recently, the German parliament voted yet another enabling act
for mass surveillance (e.g. wiretapping people just because some
neighbour or colleague *might* possibly have done a tax fraud, etc.).
And they did that w/ only a small minority of the representatives
even present (reminds me of 1933).

So, the problem is very immanent. We need to be very careful here,
which information to send out (or even acquire in the first place).
Various fingerprinting techniques already impose a big problem
(IMHO, generic cookies should never have been introduced in the
first place).


We're always happy to listen to honest criticism and walk back our
mistakes, but we are going have those discussions without demeaning the
work or comparing the people doing that work to volkscryptopolitzei
collaborators.


Please. I didn't imply anybody here collaborating with dark forces.
I'm just warning about the danger of these features.

At least these things should be purely optional and providing an
*easy* way to filter that data. (same for the geolocation stuff).


--mtx
