[TAG] Reading systems and permissions prompts #1958

Closed
rhiaro opened this issue Dec 8, 2021 · 4 comments
Labels
Cat-Security (Grouping label for all security related issues); EPUB33 (Issues addressed in the EPUB 3.3 revision); Spec-ReadingSystems (The issue affects the EPUB Reading Systems 3.3 Recommendation)

Comments

@rhiaro
Member

rhiaro commented Dec 8, 2021

It is left up to the reading systems to decide how to handle executing scripts and interacting with sensors, and I note (in Reading Systems, Scripting Considerations):

Reading Systems that support scripting and network access should also include methods to notify the user that network activity is occurring and/or that allow them to disable it.

Which is a great recommendation. Could this be strengthened or made more obvious by splitting out Security and Privacy into separate sections in the spec?

What thought has been given to scripts/sensor access which in a web browser would require a permission prompt? Is there scope for security/privacy recommendations for reading systems about this? One option would be to recommend that reading systems simply do not execute any scripts that would normally trigger a permission prompt - I imagine the experience of reading being interrupted by a prompt would be poor. Another option is to think about front-loading required permissions, i.e. asking them the first time the book is loaded, or at the point of download (with options to change this decision later in the settings).
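
The two options raised in the comment above (refuse prompt-gated features outright, or front-load the decision per book and let the user change it later) can be combined as default-deny plus stored consent. This is an added example, not part of the thread, the EPUB specification or any reading system's code; `ConsentStore`, its methods and the book id are hypothetical, and it assumes the reading system serves content documents to its web view and can attach a `Permissions-Policy` response header to them.

```javascript
// Added example; names are hypothetical.
// Assumption: the reading system controls the response headers of the
// content documents it hands to its web view.

// Policy-controlled features that would raise a prompt (or read a sensor) in a browser.
const GATED_FEATURES = [
  "geolocation", "camera", "microphone",
  "accelerometer", "gyroscope", "magnetometer",
];

// Per-publication consent store (in-memory for the example).
class ConsentStore {
  constructor() { this.byBook = new Map(); }

  // Record the answers collected once, when the book is first opened.
  frontLoad(bookId, requested, answers) {
    const granted = new Set();
    for (const feature of requested) {
      // Unknown feature names and unanswered requests are treated as denied.
      if (GATED_FEATURES.includes(feature) && answers[feature] === true) {
        granted.add(feature);
      }
    }
    this.byBook.set(bookId, granted);
  }

  // Lets the user change the decision later from settings.
  revoke(bookId, feature) {
    const granted = this.byBook.get(bookId);
    if (granted) granted.delete(feature);
  }

  // Header value: every gated feature is listed, denied unless granted.
  policyHeader(bookId) {
    const granted = this.byBook.get(bookId) || new Set();
    return GATED_FEATURES
      .map((f) => `${f}=${granted.has(f) ? "(self)" : "()"}`)
      .join(", ");
  }
}
```

A feature listed with `()` fails without a prompt, so reading is never interrupted for it. The header only unblocks a granted feature; the web view's own permission callback still has to answer from the same store.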

mattgarrish added the Cat-Security and Spec-ReadingSystems labels Feb 1, 2022
@dauwhe
Contributor

dauwhe commented Feb 9, 2022

The text has been strengthened:

If Reading System developers opt to allow network access, it is strongly RECOMMENDED that they include methods to notify the user that network activity is occurring and/or that allow them to disable it.

@rhiaro
Member Author

rhiaro commented Apr 5, 2022

Thanks @dauwhe.

Has there been any further thought about access to features which in a browser would require a permission prompt?

wareid closed this as completed Apr 8, 2022
@iherman
Member

iherman commented Apr 8, 2022

The issue was discussed in a meeting on 2022-04-08

List of resolutions:

View the transcript

1. Close Privacy & Security Issues.

Dave Cramer: the TAG has reappeared, making a couple of comments. I am making a PR to mention that when using web APIs which have the most dramatic privacy and security implications (geolocation, push notifications), you should get user consent.

See github issue epub-specs#1959.

Dave Cramer: we have several issues where there was never much discussion in the issue (#1959 for example).
… I think the PR I mentioned earlier would serve to close this issue.
… agree/disagree?

Ivan Herman: we had a lot of discussion with PING, good discussions, after which we made extensive additions to answer the issues they raised.
… and we contacted them several times to get their acknowledgement. So at this point we consider these issues closed.
… they have the right to reopen issues if they like.
… Amy from TAG has closed the issue of epub review on the TAG repo, so that is an indication of how they feel.

Gregorio Pellegrino: so is this passed? it is okay?

See github issue epub-specs#1872.

Ivan Herman: yes, it is okay.

Dave Cramer: risk of exposure and fingerprintability.
… this was raised before we clarified the threat model, can we close this now?

See github issue epub-specs#1873.

Dave Cramer: obfuscation, which we've discussed extensively, followed by updates to the spec docs.

See github issue epub-specs#1875.

See github issue epub-specs#1876.

Dave Cramer: interactivity, which we've addressed as best we can given that it's ambiguous.
… self-contained packages, this is a case where it's appropriate to close because epub is clear that it is largely self-contained, subject to exceptions enumerated in the spec. Not dramatically impacting privacy.

See github issue epub-specs#1957.

Dave Cramer: we enumerated the threat model, which deals with #1957.

See github issue epub-specs#1958.

Dave Cramer: permission prompts, we're dealing with this, strengthened text.

See github issue epub-specs#1959.

Proposed resolution: Close remaining privacy and security issues. (Wendy Reid)

Dave Cramer: broad user expectations issues, which is covered by the other changes we've made.

Ivan Herman: +1.

Matthew Chan: +1.

Shinya Takami (高見真也): +1.

Bill Kasdorf: +1.

Dave Cramer: +7.

Wendy Reid: +1.

Matt Garrish: +1.

Murata Makoto: +1.

Dan Lazin: +1.

Charles LaPierre: +1.

Ben Schroeter: +1.

Masakazu Kitahara: +1.

Resolution #1: Close remaining privacy and security issues.

Ivan Herman: clap, clap.

Dave Cramer: I think the spec is now much more informative/clear about some of these issues, so thanks everyone.

GeorgeK: +1.

@iherman
Member

iherman commented Apr 12, 2022

@rhiaro, the extra text has been added to the spec, see #2242

mattgarrish added the EPUB33 label Apr 12, 2022