Thanks Shane for thinking about this and for starting the conversation!
> My primary concern is that under this proposal I [as a user] am
> relinquishing control over who has access to my [non-public] data to
> Mozilla.
This concern doesn't seem to be addressable, to me. In all 3 cases
(current, under the proposal in the wiki, and in your modifications),
users relinquish control to Mozilla over who has access to their
non-public data in Mozillians.org. I think that's inevitable, so I'm
going to move on to the other details you describe.
>> 3rd Parties get automatic access to more than my public data
I think this is an assumption you're making about the proposal that is
not supported by the proposal. Instead, the proposal suggests 2 levels
of access, one very broadly granted ("vouched") and one very tightly
controlled ("reviewed"). Whether 3rd parties ever are granted the
"reviewed" type of access is TBD.
I suggest 3rd parties should only ever be granted access to the
"reviewed" level if we are as assured about their stewardship of data as
we are about 1st-party apps. I think this may be very difficult or
impossible for most 3rd-party apps to achieve. Still, I would not
suggest we categorically exclude 3rd-party apps; instead, I would simply
suggest that we set very high standards for "reviewed" apps since we're
sharing data with them that has been shared only within a trust network.
While the "review" part of "reviewed" remains to be specified, I think
it should ensure that "reviewed" apps are...
> - under mozilla purview (privacy/data policies/etc)
> - runs on mozilla infrastructure
and also that...
- application owners have demonstrated (through conversation or
even contract) that they understand, will respect, and will perpetuate
the privacy levels associated with non-public data
In other words, I think the proposal's idea of "reviewed", while
unspecified, sets a very high bar. It's high enough that I agree with
you when you say
> - since this is internal, 3rd party apps may be a false dichotomy
It may help to know that our initial list of apps likely to pass
"review" includes only a small number: Air Mozilla, BMO, a few others.
Internal tools whose need for this data is easy to justify and whose PII
stewardship is already demonstrated.
> - external untrusted apps
> <snip>
> - opt-out available to user (per app? all untrusted apps?)
I think the proposal in the wiki is elegant because it does not require
this additional opt-out, and it thereby saves our users the pain of
trying to stay on top of per-application API grants (and allows us to
plug some gaping holes without blocking while we build this more complex
UI). It specifically doesn't require this opt-out because the fields
available to "vouched" level API keys are public -- they have been set
to public by the user. Users who share profile data publicly have
already made the data programmatically available to the entire internet.
The data there is leaked, but the API is not the source of the leak.
Users who wish to hide data from other Mozillians who have API keys
should first hide it from the entire internet; and in the proposal on
the wiki, the same setting (change "public" to "Mozillians" on the
field) does both things.
Shane, I really appreciate your feedback. To be honest, I was hoping
that someone from the security team would be interested in helping to
design the review process. Would you be up for helping us articulate
what it ought to look like?
> Shane Caraveo <mailto:mixed...@gmail.com>
> May 17, 2014 6:35 PM
> _______________________________________________
> dev-community-tools mailing list
> dev-commu...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-community-tools
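The two-tier key model argued for in the reply above, written out as an added example. This is illustration code for this thread, not Mozillians.org code: the field names, the PUBLIC/MOZILLIANS settings, the "vouched"/"reviewed" tier names and the sample profile are assumptions modelled on the discussion, and the real API's data model is not shown on the page. The point it demonstrates is the one made about opt-out: the API and the website run the same per-field filter, so changing a field from "public" to "Mozillians" hides it from anonymous visitors and from "vouched" API keys in one step, while a "reviewed" key still sees it.

```python
"""Field-level visibility for a profile API with two key tiers.

Added illustration written for this thread; it is not Mozillians.org
code. Field names, the PUBLIC/MOZILLIANS settings, the tier names and the
sample profile are assumptions modelled on the discussion.
"""
from enum import IntEnum


class Privacy(IntEnum):
    """Per-field setting chosen by the profile owner; higher is more restricted."""
    PUBLIC = 1      # shown to the whole internet, so already programmatically exposed
    MOZILLIANS = 2  # shown only inside the vouched trust network


# Highest privacy level each kind of API key may read. "vouched" keys are
# broadly issued and see only what is public anyway; "reviewed" keys are the
# tightly controlled tier that may also read Mozillians-only fields.
KEY_TIER_CEILING = {
    "vouched": Privacy.PUBLIC,
    "reviewed": Privacy.MOZILLIANS,
}

# Constructed sample profile: field -> (value, privacy setting). A field
# without an explicit setting (None) is treated as MOZILLIANS: deny by default.
SAMPLE_PROFILE = {
    "full_name": ("Ada Lovelace", Privacy.PUBLIC),
    "irc_nick": ("ada", Privacy.PUBLIC),
    "email": ("ada@example.org", Privacy.MOZILLIANS),
    "phone": ("+1 555 0100", None),
}


def field_privacy(profile, name):
    """Effective privacy of a field; an unset field is most restrictive."""
    setting = profile[name][1]
    return Privacy.MOZILLIANS if setting is None else setting


def visible_to_level(profile, ceiling):
    """Fields whose privacy setting does not exceed `ceiling`."""
    return {name: profile[name][0] for name in profile
            if field_privacy(profile, name) <= ceiling}


def api_view(profile, key_tier):
    """What an API key of the given tier may read. Unknown tiers are refused
    rather than silently mapped onto some default level."""
    if key_tier not in KEY_TIER_CEILING:
        raise PermissionError(f"unknown API key tier: {key_tier!r}")
    return visible_to_level(profile, KEY_TIER_CEILING[key_tier])


def web_view(profile, viewer_is_vouched):
    """What the website shows: anonymous visitors get PUBLIC fields, logged-in
    vouched Mozillians also get MOZILLIANS fields. It is the same filter the
    API uses, so one privacy setting governs both surfaces."""
    ceiling = Privacy.MOZILLIANS if viewer_is_vouched else Privacy.PUBLIC
    return visible_to_level(profile, ceiling)


def set_privacy(profile, name, level):
    """Owner changes one field's setting; returns an updated copy."""
    updated = dict(profile)
    updated[name] = (profile[name][0], level)
    return updated


def demo():
    """Scenario from the thread: the user wants irc_nick hidden from vouched
    API keys. The one setting change also hides it from the anonymous web,
    and the two views stay identical before and after."""
    before_api = api_view(SAMPLE_PROFILE, "vouched")
    before_web = web_view(SAMPLE_PROFILE, viewer_is_vouched=False)
    hidden = set_privacy(SAMPLE_PROFILE, "irc_nick", Privacy.MOZILLIANS)
    after_api = api_view(hidden, "vouched")
    after_web = web_view(hidden, viewer_is_vouched=False)
    return before_api, before_web, after_api, after_web


if __name__ == "__main__":
    labels = ("vouched API", "anonymous web", "vouched API after", "anonymous web after")
    for label, view in zip(labels, demo()):
        print(f"{label}: {sorted(view)}")
```

The deny-by-default branch in `field_privacy` is the check worth keeping if a real implementation grows a third privacy level later: a field the owner never classified should fall out of the broadly granted tier, not into it.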