Notes from W3C Workshop on Permissions and User Consent

W3C Workshop on Permissions and User Consent

September 26, 27, San Diego

The problems with web permissions – W3C User consent and permissions working group

Much of the value of the internet is based on user trust of the internet. As this trust is broken, the internet is devalued.

The overload of permission requests is causing fatigue and reducing the trust. People are becoming fatigued to cookie reminders and popups and leading to blindly clicking on acceptance. 

Loading a permissions request as soon as the page loads doesn’t allow the user to trust the site, what does it represent, and why they should allow the service.

Confusing wording, especially for nefarious purposes
"uncheck here to continue to not receive notifications”

Bundled, implied, inherited permissions. You accept a master permission request without knowing it has a set of sub-permissions.

Blocking content until permissions are granted is keeping users from gaining trust and understanding the value of the site. Tumbler has a full page takeover

Conversation points
(audience includes browser manufacturers, publishers, academia, and W3C leaders)

  • What is required by law? some of the complexity is part of the legal requirements
  • Disagree with sharing data, data still shared
  • Context – what is actually inferred in the data sharing, for instance geolocation providing home location
  • Can consent be withdrawn easily
  • Are users really informed, too complex
  • Permissions process should also follow WCAG accessibility guidelines
  • Trust is gone, people already assume the system is corrupt. 
  • Signal/noise – confuse user into consent
  • Understanding a company’s use of data is overwhelming from the inside, due to fragmentation in development process. So how do you legitimately declare your data usage?
  • Sensors that don’t require permissions can be used for fingerprinting.  what should we be prompting for and are there any backwards permissions that need to be adopted.
  • Users throw up their hands. with so many permissions and sensors being used, people may give up from frustration.  fatigue or fatalism
  • Do not track included transparent information, such as privacy policy location, opt out process, etc. 
  • Should settings for what you give consent be in the browser or in the web site. 
  • Readable language may make it easier to read, but it doesn’t mean that it is providing a full grasp of what the permissions are allowing, such as cameras accessing private details that go beyond a selfie or light/color detection (expected use)
  • Problem is with premise: we need to obtain permission to do these things. Do we need to have them at all? Should browsers be sharing this in the first place? Apple’s storage access API turns off the function. someone that allows this is open to abuse. So, the prompt is at the device level, not the web. What features do we believe the web platform needs? Should there be a baseline for what browsers do not share. 
  • We can build an API that restricts access, but people could realize they didn’t ask for permission, so they use a polyfill that uses a previously consented API to pull in additional information. Such as using the camera app to determine location or sound. 
  • Good example: input type file, drag and drop… these are implicitly given permission via the platform. 
  • The browser should be handling the permissions model. 
  • There are three actors:
    • The perfect actor
    • The absolute devil
    • Everyone else. People that provide a useful service, but also want as much data as possible to earn a profit.  It’s not that they want as much data, they may be forced to get that much data within the advertising industry.  Publishers would prefer browsers stop this. 
  • Advertising is the center of most data abuse. Advertising industry is requiring this data and forcing sites to abuse the process. Brave is an example of a browser that is not allowing third party data exchange. 
  • The internet has grown quickly via organized chaos. Business models are built on this, not all is for abusing the system. But we shouldn’t allow this to prevent the next generation of applications. 
  • should the web give access to sensors and devices? in the term of IoT? How do we allow the web of things while providing privacy, such as discovering other devices? Some devices may not have a display and permissions are asked via secondary interfaces. 
  • There’s still a difficulty of understanding the downstream information from a single page 
  • Who owns this problem?
    • web platform 
    • publisher
    • government/laws. 
    • All of these move at different speeds
  • The web is inherently casual. There is value in having a distinction between applications and the web. The act of installing software was important. This doesn’t exist in visiting a web site. 

To whom do sites answer?

  • W3C Permissions Workshop
  • September 2018
  • Martin Thomson

Event ownership

in the early days

Loading a site

  • Condition: visit site, click link
  • Accountability towards user: loading spinner, status bar
  • Redress: stop button

Rendering a page

  • Condition: visit a site
  • Accountability towards user: site is visible
  • Redress: Close the window

Javascript

  • Condition: visit site
  • Accountability towards user: slow script dialog (?), OS(?)
  • Redress: close window

Can visiting a site and staying on the page provide a consent to run javascript and third-party cookie/data? What is the redress? Is it leaving the page? 

window.open

  • Condition:  none>engagement gesture
  • Accountability towards user: a new window is visible
    • caveat: popunders
  • Redress: close the window

<input type=file>

  • Condition: selection of file to upload
  • Accountability towards user:  none
  • Redress: none

Geolocation

  • Condition: First real attempt to gain permission for access to sensitive information. First API to use the door hanger
  • Accountability towards user: varies
  • Redress: none

How do you make the person that owns this information accountable to the person providing the information?

How does right to be forgotten come into effect.

Once most sensors send data, the data is not possible to retract. After giving permission for geolocation, there’s not the ability to define the data usage post-approval.

getUserMedia

  • Condition: doorhanger
  • Accountability towards user:  on-screen indicators, camera light
  • Redress: varies

Mozilla doorhanger

Mozilla doorhanger notification for autofill options

Notifications

  • Condition: doorhanger
  • Accountability towards user: popup message 
  • Redress: action menu on notification, or byzantine mess of hard-to-find, browser-specific menus

Push

  • Condition: (see Notifications)
  • Accountability towards user: (see Notifications)
  • Redress: (see Notifications)

For Discussion

  • Browsers often infer permission
  • Design language and expectations both evolve
  • Calling sites to account requires more than tasing the problem on to users.
  • Crawling the web, looking for bad behaviors, to determine consequences. 

Why would content blocking not be considered the same as malware detection.
Malware detection is a backwards strategy. Wait until something bad has happened and then stop additional bad behavior from happening. It’s better to set the foundation to prevent bad behavior from happening. 

Detecting malbehavior is a strategy, but it’s better to have prevented it beforehand.

Some exploits cannot be detected until they are abused. People are good at detecting potential exploits within API functionality. 
85% of zero-day attacks are based on unsafe memory. These could be avoided if this was a better foundation. 
WebRTC used to detect users’ IP Address. It required a sequence of actions and finding a non-standard path. But WebRTC allowed IP Address, the mal-behavior process needs to parse the valid use to find the invalid use.

  • It’s important to incorporate privacy into the initial specifications. Otherwise it is going to require patching. 
    Trackers and malicious actors are why we cannot have good things. 
  • A low proportion of people are enough to create a significant conflict. 
  • If you are recording in a two party state, consent is required by law. For instance getting consent to record a Skype session. 

Need for an accountability pattern on the web.

Engagement is different than a gesture, clicking or typing. Engagement could be a site I have regular interactions with and browser infers certain permissions should be granted. 

Permission Persistence

W3C User Consent and Permissions Working Group
September 26, 2018

How do browsers deal with persistent permissions.

  • The patterns are not consistent.
  • Some browsers will remember your “yes” forever.
  • Others will make that last until you close the browser, others until you navigate away from the page. 
  • This is an inconsistent expectation for the user. 

Notifications is a good example. 

The permission action and consequences are disconnected. 
Firefox: show the prompt to ask for permissions. We see this a lot. That is separate from the persistence issue. 
Lean on the operating system. In many times the operating system has mechanisms to store this information. For instance a permission may be set on Android, this should be available to the web application.

There was a proposal to simplify and standardize the chrome around applications. Signaling language and pattern. 

cookies have an expiration policy, but this can be abused by using the maximum mount of time… 15+ years. 

sharing information in accordance with law (2 options):

  • We meet legal obligations and practices
  • We do whatever we want until the law bans it.

Users may not understand the purpose of providing permission until after a short time. For instance, notification may be good immediately, but it could be problematic when notifications are too common and interrupt a work process. 

Browsers should learn a user’s preference and immediately begin blocking the preference For instance a person continually blocks geolocation. The browser should then make it no by default.

The Immersive Web

Nell Walliczek
Principal Engineer Amazon

Virtual Reality

Richie’s plank is an example of VR with powerful impact. The user must walk on a virtual plank above the city.

Categories: 

  • Tethered (oculus rift) use computer or gaming console for processing.
  • mobile vr (holds a phone and the phone does the processing)
  • standalone vr – all in one, can have full 6 degrees of freedom and track movement

AR

  • Headset AR – hololens, oculus rift
  • handheld ar – mobile device with AR

XR

the umbrella for AR and VR

Environment awareness

  • hit testing – you can shoot a virtual array and figure out where it intersects with real world. 
  • anchoring
  • point clouds
  • eshes
  • lighting
  • semantic labeling

User awareness

  • location in 3d space
  • input sources
  • eye tracking
  • facial expressions

Immersive web working group

webxr API specifications are being finalized 
There’s a repo for security and privacy concerns

What is webxr

imperative API
provides access to input an output capabilities common associated with VR and AR.

With it you can 

  1. detect available devices
  2. query device capapbilitys
  3. poll for position 

User consent and privacy

  • fingerprinting during bootstrapping
  • real world geometry
  • camera access and perception of camera access
  • object or image identification
  • permissions

fingerprinting

  • sites need to have a button for entering vr and ar
  • some experiences require specific hardware behavior
  • multiple devices may be connected
  • spinning up the fun hardware just to reject isn’t a good experience

proposed mitigation

  • supports checks only for vr vs. ar
  • inline vs. explosive data restrictions
  • user action required to enter exclusive
  • consent requested
  • actual hardware bootstrapping happens as a last step

real world geometry

  • room geometry may be used to identify when two sessions are occurring in the same space
  • RWG may indicate a specific location
  • inferred location history
  • estimating the size of the suer’s house, to estimate user income
  • facial geometry
  • gait analysis
  • credit card # geometry

Roomba is mapping room geography and possibly sharing with third parties: https://www.nytimes.com/2017/07/25/technology/roomba-irobot-data-privacy.html

Camera access and perception thereof

Issues

  • See-thru vs. pass-thru (see through like leapfrog where the glass is clear and image applied to glass)
  • Can users reason about the difference
  • Is there a meaningful difference if RWG is available
  • Polyfills will blur the line

Object and image identification

issues

  • registered images objects can be anything
  • can be used to profile users, identifyth the presents of specific brands of tv
  • can be used to blackmail users 

Permissions

Issues

  • Bundling XR Permissions
  • Bundling with non-XR permissions
  • Upfront vs. just in time
  • Duration

Some things people consider features, such as a global vr cloud for people to share, may be considered a privacy violation from others. 

XR experiences can be so physically powerful that they create virtual memories and emotional impact. Is the user consenting to this impact?

How do you adequately express the extent of sharing people are providing when engaging in AR? It’s a wall of text but is there a way to simplify and still express the complete picture.

Permissions in the XR space

  • worry about fingerprinting concerns
  • session setups to not fail out if permissions are not available
  • mental models – make sure there are consistencies
  • immersive/exclusive mode

Two modes:

  • exclusive mode: with permission  progressive enhancement.
  • embed 3d experience in line in a page, just like canvas. when you click a button that says use my harder, that it opens like a full screen that is immersive.

Our permissions mode is based on immersive experience, not the embedded/inline mode.
Consider bundled permissions at the immersive experience.

AR lite mode: allow browser to do automatic image stitching while still allowing hit casting

web RTC needed to determine if a person could enter a video chat by providing an evaluation of hardware. For instance, don’t prompt video conference if there is no camera. 

Constrainable pattern, section 11. 

An ordered list of constraints when requesting a media stream.
Determine camera, data rate, resolution, etc.

Platform permissions handling

Representatives

  • Apple
  • Brave
  • Chrome web platform
  • Mozilla

what should be left to browsers vs app

  • tie permission to user event
  • what is value of asset and permission

from an immersive web perspective, permissions take on a new dimension. Because immersion involves a new level of physicality, the permission prompt can impact the user experience, and pull the user out of the event. 

The user could be in an uncomfortable virtual situation, i.e. about to go down a roller coaster drop. They may immediately accept it to reduce the anxiety of the situation.

It’s difficult to confirm informed consent. Browser should be agent and steward. Users should be presented with consent requests when they need to make a decision. 

Are we asking users enough questions? we review some new API and find there are some fingerprinting risks. Should we push this to the user? 

Some APIs are data (geolocation) some are functions (notifications) and some are a mix (camera, microphone). It would be good to have a grid that provides user with better understanding of when they are giving access to functionality and data.

Permissions, Policy, and Regulation – Consumer Reports Digital Standard

Consumer Reports began evaluating permissions when consumer products began sharing data

The Digital Standard

The Standard

Below is the current version of the Digital Standard. You can click on the Test Name to view and comment on a section on Github. There you can propose a change, run a test and report results, or start a conversation about how to tackle one of the open questions. Please note that you will need to be logged into your GitHub account to see the GitHub pages.
Each criteria has been color-coded to help direct your contribution and participation.

  • Well understood with a developed testing approach in place.
  • Under development with some outstanding questions.
  • Under discussion, usually due to the sensitivity and complexity of the issue.

Minimization: only important information is collected
Automatic Content Recognition: take snapshots and send it to the cloud for content recognition. It was challenged by the FCC and now it needs to be declared. 

Glow was a product that failed their privacy standards and was exposed for it’s lack of data stewardship

CR now provides easy to understand support grids.

Dark Patterns twitter account for sharing screen shots of bad examples

Better ads standard 

Better Ads Standard seeks to define what could be the best experience and set standards around that.

Self-plagiarization : consent in law and code

Previous Standards Bodies: in the W3C

California AB 375

California Consumer Privacy Act
It was created by Alastair Mactaggart
polling at 80% support
minimal support for initiative from privacy orgs

Replaced the ballot measure with a bill
weaker on enfacement yet broader on what is covered
still little privacy org support
law comes into force in 2020
next fights

  • clean up bill in ca
  • federal preemption

California consumer privacy act

Whom does the law apply? any company world-wide with one or more:

  1. annual gross revenues per $25 million
  2. holds personal info on 50,000 or more people/households/devices
  3. 50% or more of annual revenue from selling consumers’ personal info

Jurisdiction is based on the consumer in California

New rights

  1. know what info is being collected
  2. know whether their info is sold or disclosed
  3. say no to the sale of personal info
  4. access their personal info
  5. equal service and price
  6. deleting data and data portability
  7. over 16? right to opt out. under 16? right to opt in

An empirical analysis of web site data deletion and opt out choices

Hanna Habib:
PhD student in the Societal Computing program at Carnegie Mellon University

Online privacy choices

  • Data deletion choices
  • email communication opt outs
  • targeted ad opt outs

GDPR requires privacy choices

  • explicit consent
  • withdraw consent at any time
  • request deletion of personal info
  • emphasis on usability
  • intelligible language    

Designing a new permissions model

  1. determine where web sites are offering privacy choices
  2. evaluate wither users can realistically exercise these choices
  3. identify best practices

Analyzed 25 web sites from alexa top 50

Recorded:

  • location of privacy choices
  • shortest path to privacy choice
  • description in privacy policy

Requirements

  1. standardize terminology
  2. standardize functionality
  3. standardized placement

Ideal permissions model?

  • descriptive and user-friendly terminology
  • one-click permissions
  • centralized location for permissions

Contextual permission models for better privacy protection

Primal Wijesekera http://ece.ubc.ca/~primal/
primal@cs.berkeley.edu

Custom permission model built for Android
A permission model that only allows access when the user expects it.

Privacy violations occur when sensitive info is use in way defying user’s expectations
Helen Nissenbaum, privacy as context al integrity – reference

Ask on (first use)

prompt on first use of the app. 
lack of context
for instance, Uber app asking for location. 

Experience sample

Uber has accessed your location. Given a choice, would you have allowed or denied this access? yes/no

80% of participants would block at least one permission request
android permissions demystified: a field study on contextual integrity  2015 – research
the feasibility of dynamically granted permissions: aligning mobile privacy with user preferences

Contextual factors

Allow Uber to access this device’s location 
visibility, foreground app

how often users should be prompted

  • 4 exposes per minute/user (2014)
  • 6 exposes per minute/use (2016)

contextual cues helped

Time Error Rate Average Prompts
Ask on first use              15.4% 12
ML Model 3.2% 12
ML Model (lower prompt count) 7.4% 8

Fewer privacy decisions for higher privacy protection when using ML to generalize when there should be a request. 

Permissions Bundling

A way to combat permission fatigue?

The permission prompt problem:

This page would like to 

  • do popups
  • play sounds
  • use microphone, camera
  • know you rlocation
  • gather network information
  • avoid being suspended when in the background
  • a dozen other permissions you wouldn’t think about

This is a basic mobile phone (app) – Skype

Maximal bundle version

 I’m a video phone app. can you allow me to do phone-like things? 

The consent model – The parties

  • The user (good by definition)
  • the platform (good because all is list if it isn’t)
  • the application (good, bad, or ugly)

Ways to mediate

  • Standardize a number of roles, with associated capabilities – let app ask
  • Let the app ask for a bunch o permission, browser guesses what user wants
  • App asks for permissions, user grades trust in page, browser implies permissions

Google IO 2018 Notes: Keynote

Google AI is opening centers around the globe. Last year they began studying retinopathy in India. The AI systems are finding additional information from eye scans, such as cardiovascular risks.

They are also using AI to predict medical events. 76% success in predicting short term regression

Continue Reading Google IO 2018 Notes: Keynote

Google IO 17 – Home, Assistant, and Actions Notes

Actions built for Google Home are now available for Google Assistant on phone

New interfaces for actions:

  • Tap
  • Voice
  • Typing

Purchases are also built in via google wallet. Google facilitated Payments.

New app directory for google actions.  Shortcuts will allow you to more easily market the action.

Actions console on Google

Google Home

Google Home can now do phone calls to any number in US and Canada. The number is generic, but you can use your personal #.

Actions on Google development platform.

Now available on Android and iOS. Includes transactions.

Google.ai  is the new hub for artificial intelligence at Google. IO17

Designing for Voice Interactions: value of voice interactions: speed, simplicity, ubiquity

Design strategies

  • Keep people comfortable
  • Ask questions that are easy to answer
  • Structure information in a way that supports easy recall
  • Capabilities: recognize what users say. understand what they mean.

People have higher expectations for voice accuracy. spend extra time planning for exceptions. make it really easy to get back on track. leverage techniques used in everyday conversations.

Conversation UI and why it matters.

Google IO17 Notes – VR, AR, and AI – smart realities

Google wants to democratize Artificial Intelligence with Tensor Flow  and API.AI

Conversational UX Platform for products and services – API.AI

Create conversational experiences across platforms: chatbots, smart home automation, connected cars, mobile and web apps, robots, wearables, Enterprise, etc. (6kB)

Sign up to be one of the first to write AI on Google’s new Tensor Processing Units:

These are part of the google computing engine cloud service and are extremely fast for AI-based computing

Visual Positioning Service, Google Lens, and other Visual/AI Combinations

Google’s Visual Positioning Service uses Augmented Reality to find key visual points for indoor navigation withiut GPS or beacons.

Google Lens is also able to pull objects out of photos and create a data presentation. For instance, a photo of the Chicago cityscape could be analyzed and then provide information about the individual buildings.

Google IO 2017 – Web Development Notes

Lighthouse is being integrated directly into dev tools

Firebase now gives a real time analytics. Cloud functions for Firebase sounds like Akamai for small node functions, like resizing images. But being able to handle these tasks in a global, cached environment.

Google IO: state of the mobile web

Chrome’s mission: move the web platform forward

Real world javascript language performance: key focus for this past year. How does V8 perform in real world scenarios, not just perfect testing spaces.  35% increase in performance since last year on Android

scroll anchoring: page jumps after content loads after page renders, such as a banner ad. This locks the screen, even when content loads at the top. Scroll anchoring can reduce 3 page jumps per load on average.

AMP: Accelerated Mobile Pages. improve mobile experience.

  • On average, AMP pages load in less than a second and use 10x less data
  • LinkedIN found people were 10% more likely to read an article when it is AMP .
  • amp-bind: merchants can build e-commerce experiences
  • Progressive web apps: app focused experiences, reliable, fast, engaging.

Mobile Twitter just relaunched as a PWA

  • Fast loading on slow networks, less data, works well on smart phones.
  • Data saver mode can reduce data downloads by 70%
  • Introducing Twitter Lite | Twitter Blogs

Twitter Lite is a more accessible, faster and more affordable way for people to use Twitter when they are on slow mobile networks, have expensive data plans and with limited storage on their mobile device.

PWAs can be added to the home screen. Developers can soon control the home page button prompt. They can be displayed in app launcher, android settings, android intents, notifications, and launch as a full-screen immersive view

Mobile payments

  • 123B in US alone
  • paymentRequest – simple web payments within Chrome
  • paymentRequest can now use more forms of payment. paypal, alipay, samsung pay… could this integrate quickbooks payments?

Media

  • 70% of internet traffic is video.
  • Biograf: This is a sample video-rich PWA app
  • Notice this has an airplane mode and allows video download
  • Workbox is a tool to better manage service workers

Polymer 2.0 launches today. 10% faster and 80% smaller

Ola Cabs

India’s largest ride sharing app. They are using PWA. over 1m daily rides. 110 cities and 600k drivers. They needed to work with customers that use low cost phones, minimal data plans, and bad connections to reach the entire customer base.

Off line and caching provides faster performance with low data loads. They used polymer for fast web components, Shadow DOM, and HTML import.

  • They rely heavily on cache, but also have an initial load of 1.3 seconds.
  • They strategically load components to only get critical elements first.
  • They are using workbox, they cache these elements for repeated use.
  • Now, they are only requesting new data, such as transaction information.
  • They have a 100 score in lighthouse
  • 20% of their PWA bookings come from users that previously uninstalled their Android app

AMP to PWA

<amp-install-serviceworker>. This takes an AMP page and allows it to install a service worker so a user shifts to a PWA when they click. This gives the fast initial page load of an AMP page and prepares the browser to make the second page load just as fast.

Let’s say someone shares a PWA page with a friend. We’d want the friend to have a fast page load, but if they go to a PWA page as the first experience, they won’t get the acceleration via the service worker. So we could do some detection at the page load to see if the service worker is available, if not, move to the AMP experience of that page.

Shadow DOM and iFrames

Use shadowDOM to update an AMP page with new content to create a fast, progressive web app

This is good for a site that has a lot of static content, such as our marketing site. it wouldn’t be logical for an application, such as QBO

Mobile Vaani, get feedback on your product design via this network for rural India.