Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Privacy: Interaction of existing permission-based features with WebXR feature consent #702

Closed
ddorwin opened this issue Jun 14, 2019 · 4 comments · Fixed by #900
Closed

Privacy: Interaction of existing permission-based features with WebXR feature consent #702

ddorwin opened this issue Jun 14, 2019 · 4 comments · Fixed by #900
Assignees
@Manishearth
Labels
consent tracking All things related to acquiring and communicating user consent fixed by pending PR A PR that is in review will resolve this issue. privacy-and-security Issues related to privacy and security
Milestone
Pre-CR

Comments

@ddorwin
Copy link
Contributor

ddorwin commented Jun 14, 2019

We should ensure that the feature selection and privacy design addresses the interaction of existing permission-based features with the WebXR feature and/or consent mechanism(s).

A concrete example involves AR, which involves rendering what the user sees, which may come from the camera, and existing camera-access APIs. The idea behind "AR Mode" and the entry interstitial was to be able to convey to the user the privacy implications and scope of consent. However, (unless we do something to prevent it) applications can still have access to camera via getUserMedia().

Thus:

  • If the origin already has camera access, the message displayed to the user is incorrect - the application could be recording the user's (visual) environment even though it's not WebXR that enabled this.
  • The application could request camera access from within the session, which could change the implications about which the user had been carefully informed when consenting to the session creation.
    • Worse yet, this camera access permission is likely to be persisted beyond the XR session (the scope about which the user was told).
    • This will become additionally confusing when aligned camera access is added to WebXR because the lifetimes of the consent will likely be different for the two APIs for which users will not understand the difference.
      • Furthermore, applications may thus be incentivized to use getUserMedia() inside AR sessions to avoid future prompts.
  • In both cases, users are unlikely to understand the implications of combining the various types of access. There is more discussion of this here.

Related to this, a aligned camera access API will need to decide whether it interacts with or is orthogonal to the existing camera permission (and policy-controlled feature).
@ddorwin ddorwin mentioned this issue Jun 14, 2019
Closed
@toji toji added this to the June 2019 milestone Jun 17, 2019
@NellWaliczek NellWaliczek mentioned this issue Jun 19, 2019
Closed
@NellWaliczek NellWaliczek added the privacy-and-security Issues related to privacy and security label Jun 19, 2019
@avadacatavra
Copy link

As mentioned here, I think it's important to maintain consistency between existing permissions and XR permissions.

@ddorwin to see if I understand what you're saying:

  1. I grant camera access to foo.com, then enter an XR experience. Camera access is then persisted throughout the XR session and upon XR termination, I return to foo.com and still have camera access
  2. I grant camera access when entering an XR experience from foo.com explicitly for the XR session. Upon termination, the camera access should also be terminated otherwise we would persist the consent outside of the context in which it was granted

This was referenced Jun 20, 2019
Closed
Closed
@ddorwin
Copy link
Contributor Author

ddorwin commented Jun 21, 2019

As mentioned here, I think it's important to maintain consistency between existing permissions and XR permissions.

It's not clear that XR-related consent will be permission-based. Please see the last few paragraphs of #689 (comment), especially the part about the distinction between "permissions" and "user consent." Session-scoped consent (relevant: #721) makes that distinction especially important.

@ddorwin to see if I understand what you're saying:

  1. I grant camera access to foo.com, then enter an XR experience. Camera access is then persisted throughout the XR session and upon XR termination, I return to foo.com and still have camera access

If all of that is getUserMedia(), then there is no real change in the introduction of XR. The main concern would be if the user agent had told the user that the application doesn't have camera access when, for example, starting an AR session. Things get more complicated, however, when a WebXR-specific frame-aligned camera data API is added. At that time, we would need to decide whether this new API respects the existing camera permission or requires explicit XR-specific consent.

  1. I grant camera access when entering an XR experience from foo.com explicitly for the XR session. Upon termination, the camera access should also be terminated otherwise we would persist the consent outside of the context in which it was granted

This seems a bit odd since the duration of consent for getUserMedia() depends on whether it was called inside an XRSession. (That doesn't mean this isn't better for the user.)

There may not be anything specifically wrong with persisting such consent outside the session if we're talking about getUserMedia() - except that the different durations of consent could be confusing to users. Additionally, there may be good reason to handle an XR-specific frame-aligned camera data API differently as described above.

@NellWaliczek
Copy link
Member

Do we have an example we can use that isn't getUserMedia() since sort of straddles the line between being tied into WebXR vs. orthogonal (and as of yet there actually a design for how we'd expose device-aligned camera feeds.). What about perhaps geolocation or uh... notifications... or bluetooth?

@toji toji modified the milestones: June 2019, July 2019 Jun 24, 2019
@cwilso cwilso modified the milestones: July 2019, August 2019 Jul 8, 2019
@johnpallett johnpallett mentioned this issue Jul 16, 2019
Closed
@NellWaliczek NellWaliczek self-assigned this Jul 31, 2019
@NellWaliczek NellWaliczek added the consent tracking All things related to acquiring and communicating user consent label Sep 16, 2019
@Manishearth Manishearth mentioned this issue Nov 6, 2019
Merged
@probot-label probot-label bot added the fixed by pending PR A PR that is in review will resolve this issue. label Nov 6, 2019
@probot-label
Copy link

probot-label bot commented Nov 6, 2019

This issue is fixed by PR #900

@toji toji modified the milestones: October 2019, November 2019 Nov 18, 2019
@toji toji removed this from the December 2019 milestone Feb 3, 2020
@toji toji added this to the Pre-CR milestone Feb 3, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Manishearth Manishearth

Labels
consent tracking All things related to acquiring and communicating user consent fixed by pending PR A PR that is in review will resolve this issue. privacy-and-security Issues related to privacy and security
Projects
None yet
Milestone
Pre-CR
Development

Successfully merging a pull request may close this issue.

Use permissions API for XR feature requests Manishearth/webxr
6 participants
@cwilso @toji @Manishearth @ddorwin @avadacatavra @NellWaliczek