RE: Privacy features in Touch (cyanogenmod)?

2013-07-05 Thread Matt B .
It's not "nefarious" traffic I'm necessarily looking for. The fact that an App 
is even connecting to the internet can alert me to an App's bad behavior. For 
example, starting up a Podcast client causes it to connect to the internet. I 
don't want this--I'm starting the client just to listen to Podcasts I manually 
added to phone. So I go into app and look to configure the app not to connect 
to internet. If there is no setting to allow this I will likely uninstall the 
App and look for something else.

Same with a music player. If I start the App and it connects to the internet, I 
look for how to stop this. If I can't I will often uninstall the App. There are 
many Apps that I use that do not need to connect to the internet. So it is 
helpful to have a way to verify they are not connecting.

People do get charged for data use, especially on phones so I think this 
becomes an even more important issue on phones to give users control and 
awareness over App internet usage behavior. 

The fact that so many Apps use the internet is because of abuse/bad design. 
Data usage plans wouldn't be so expensive if everyone using a phone wasn't 
connecting to the internet for stuff they don't even know about or care about.

Many Apps use the internet when they shouldn't. The designers just assume the 
internet is free, but it especially is not on a phone. Plus being able to 
control internet access has many privacy/security concerns in general even if 
the connection attempt is NOT "nefarious" per se. Being able to control 
internet access is not about stopping "malware" from calling home. It's about 
knowing which Apps are outgoing, whether nefarious or innocent. I will act on 
"innocent" Apps accessing the internet the same as I would for a "nefarious" 
app--it's about the connection behavior not what it's trying to do.



> Date: Fri, 5 Jul 2013 10:41:43 +0100
> From: m...@canonical.com
> To: ubuntu-devel-discuss@lists.ubuntu.com
> Subject: Re: Privacy features in Touch (cyanogenmod)?
> 
> Matt B. wrote on 03/07/13 15:00:
> > ...
> > 
> > I too am concerned about a lot of "are you sure" dialogs. I think 
> > people are just looking for a way to learn/know what apps are 
> > connecting to the internet (and why). Like I described how VLC
> > asks to connect for downloading album art/info and tells you why it
> > would be connecting to the internet. Once the user responds to this
> > dialogue there are no more dialogues--ever. The App asks for
> > permission to connect to the internet for a specific purpose. If
> > the user says No, it would be up to the user to go into settings
> > and reset this. The user should not be presented this prompt each
> > time the App starts/runs.
> 
> With the Ubuntu Touch model, the prompt is shown once ever, not once
> each time the app runs. (You shouldn't need to know whether an app is
> not "running" anyway.)
> 
> However, an app accessing the Internet is not currently on the list of
> things that the OS would prompt about. It could be, but I'm not
> confident it would be useful. Such a large proportion of apps use the
> Internet, that nefarious traffic would often be hidden alongside
> legitimate traffic.
> 
> > ...
> > 
> > So I think the most useful OS service is to somehow *give users 
> > awareness of App internet connection behavior* so users CAN learn 
> > that they need to make a settings adjustment IN THE APP or simply 
> > uninstall the App and look for one that isn't so promiscuous with
> > the internet. This I think is the privacy/security function of the
> > OS that is so important--providing some means of "finding out"
> > which Apps are connecting to the internet, which informs the user
> > and allows him/her to decide whether to adjust settings in the App
> > or uninstall it.
> > 
> > ...
> 
> This is part of the reason I designed the network activity indicator.
> <https://wiki.ubuntu.com/Networking#phone-indicator>
> 
> - -- 
> mpt
> 
> -- 
> Ubuntu-devel-discuss mailing list
> Ubuntu-devel-discuss@lists.ubuntu.com
> Modify settings or unsubscribe at: 
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


Re: Privacy features in Touch (cyanogenmod)?

2013-07-05 Thread Matthew Paul Thomas
Matt B. wrote on 03/07/13 15:00:
> ...
> 
> I too am concerned about a lot of "are you sure" dialogs. I think 
> people are just looking for a way to learn/know what apps are 
> connecting to the internet (and why). Like I described how VLC
> asks to connect for downloading album art/info and tells you why it
> would be connecting to the internet. Once the user responds to this
> dialogue there are no more dialogues--ever. The App asks for
> permission to connect to the internet for a specific purpose. If
> the user says No, it would be up to the user to go into settings
> and reset this. The user should not be presented this prompt each
> time the App starts/runs.

With the Ubuntu Touch model, the prompt is shown once ever, not once
each time the app runs. (You shouldn't need to know whether an app is
not "running" anyway.)

However, an app accessing the Internet is not currently on the list of
things that the OS would prompt about. It could be, but I'm not
confident it would be useful. Such a large proportion of apps use the
Internet, that nefarious traffic would often be hidden alongside
legitimate traffic.

> ...
> 
> So I think the most useful OS service is to somehow *give users 
> awareness of App internet connection behavior* so users CAN learn 
> that they need to make a settings adjustment IN THE APP or simply 
> uninstall the App and look for one that isn't so promiscuous with
> the internet. This I think is the privacy/security function of the
> OS that is so important--providing some means of "finding out"
> which Apps are connecting to the internet, which informs the user
> and allows him/her to decide whether to adjust settings in the App
> or uninstall it.
> 
> ...

This is part of the reason I designed the network activity indicator.


- -- 
mpt


Re: Privacy features in Touch (cyanogenmod)?

2013-07-03 Thread J Fernyhough
On 3 July 2013 15:14, Robie Basak wrote:

> It's not much good to know that an app is misbehaving. I'd like to stop
> it.
>
> Having an all-or-nothing choice, like Android, often means that apps get
> feature creep, and before you know it your apps have far more
> permissions than you'd prefer. Individually we may know that we have a
> choice to not use the app, but social forces mean that we generally have
> to use it anyway. Few people spend time on writing or improving an
> alternative app if "everyone" is already using the one that needs too
> many permissions).
>
> I'd like to see an alternative where the app won't even know when it
> doesn't have permission to do something.
>
> If I didn't give it permission to have GPS, it'll just see that I have
> GPS turned off all the time to save battery.  If I didn't give it
> permission to have Internet access, I'd like the app to think that I
> just happen not to have neither wifi nor phone signal right now.  If I
> don't want to give it permission to view my contacts, it should just see
> an empty address book. No permission to use my accelerator? The app
> should just think that I don't have one.
>
>
>
This is pretty much the approach taken by PDroid (and OpenPDroid) on
Android. This means it's possible to do, and the PDroid manager application
is pretty straightforward. It's not necessarily for your average user
(without filtering "system apps" the list can be a little overwhelming),
but I'm sure Ubuntu can improve on it.

J


RE: Privacy features in Touch (cyanogenmod)?

2013-07-03 Thread Matt B .
Yeah. This seems like a great way to solve the problem. As I understand it this 
is what Cyanogenmod is implementing and what I wondered if ubuntu would 
incorporate. The cyanogenmod method shouldn't need more than one dialogue to 
accomplish this.

> Date: Wed, 3 Jul 2013 15:14:45 +0100
> From: robie.ba...@ubuntu.com
> To: ubuntu-devel-discuss@lists.ubuntu.com
> Subject: Re: Privacy features in Touch (cyanogenmod)?
> 
> It's not much good to know that an app is misbehaving. I'd like to stop
> it.
> 
> Having an all-or-nothing choice, like Android, often means that apps get
> feature creep, and before you know it your apps have far more
> permissions than you'd prefer. Individually we may know that we have a
> choice to not use the app, but social forces mean that we generally have
> to use it anyway. Few people spend time on writing or improving an
> alternative app if "everyone" is already using the one that needs too
> many permissions).
> 
> I'd like to see an alternative where the app won't even know when it
> doesn't have permission to do something.
>  
> If I didn't give it permission to have GPS, it'll just see that I have
> GPS turned off all the time to save battery.  If I didn't give it
> permission to have Internet access, I'd like the app to think that I
> just happen not to have neither wifi nor phone signal right now.  If I
> don't want to give it permission to view my contacts, it should just see
> an empty address book. No permission to use my accelerator? The app
> should just think that I don't have one.
> 


Re: Privacy features in Touch (cyanogenmod)?

2013-07-03 Thread Robie Basak
It's not much good to know that an app is misbehaving. I'd like to stop
it.

Having an all-or-nothing choice, like Android, often means that apps get
feature creep, and before you know it your apps have far more
permissions than you'd prefer. Individually we may know that we have a
choice to not use the app, but social forces mean that we generally have
to use it anyway. Few people spend time on writing or improving an
alternative app if "everyone" is already using the one that needs too
many permissions).

I'd like to see an alternative where the app won't even know when it
doesn't have permission to do something.
 
If I didn't give it permission to have GPS, it'll just see that I have
GPS turned off all the time to save battery.  If I didn't give it
permission to have Internet access, I'd like the app to think that I
just happen not to have neither wifi nor phone signal right now.  If I
don't want to give it permission to view my contacts, it should just see
an empty address book. No permission to use my accelerator? The app
should just think that I don't have one.



RE: Privacy features in Touch (cyanogenmod)?

2013-07-03 Thread Matt B .
> Date: Tue, 2 Jul 2013 16:57:57 +0100
> From: m...@canonical.com
> To: ubuntu-devel-discuss@lists.ubuntu.com
> Subject: Re: Privacy features in Touch (cyanogenmod)?
> 
> > I agree this is a good model. Still, I worry about the possibility
> > of having a lot of "are you sure" dialogs in a nicely integrated 
> > application.
> 
> That's a reasonable concern. But I haven't thought of a case where an
> app would needfully request more than one or two privileges at a time.
> Have you?
>
>
> Cheers
> - -- 
> mpt


I too am concerned about a lot of "are you sure" dialogs. I think people are 
just looking for a way to learn/know what apps are connecting to the internet 
(and why). Like I described how VLC asks to connect for downloading album 
art/info and tells you why it would be connecting to the internet. Once the 
user responds to this dialogue there are no more dialogues--ever. The App asks 
for permission to connect to the internet for a specific purpose. If the user 
says No, it would be up to the user to go into settings and reset this. The 
user should not be presented this prompt each time the App starts/runs.

I think users want control over whether an App connects or not. Not that they 
want a prompt for each event (which can get annoying). They simply want an App 
to ask for the privilege of internet access and state the reason why. From this 
point forward the user does not experience any more prompts--but the user still 
has some means (via the OS) of monitoring App internet connection behavior in 
general. The user can discover (has some interface I guess) that can inform of 
what Apps are connecting and based on a previous dialogue presented to the user 
can explain/understand those connections he/she is seeing.

With many Apps, not allowing internet access doesn't impair the App. But the 
App itself keeps trying to connect to the internet to do non-essential 
functions. This is bad App design, and I choose not to use Apps that behave 
this way. 

The TRICK is how to learn that the App is behaving this way! 

It can be hard for users to know what Apps are behaving this way. When I learn 
of this behavior, I uninstall the App and find a better behaving one. For other 
Apps, I use an App setting (preferable) or OS setting (not desirable) to say 
"don't connect to internet for this"--and once I do this I do not have to deal 
with any more prompts. It is the best balance between smooth OS experience and 
constant nagging that makes OS unusable.

So I think the most useful OS service is to somehow give users awareness of App 
internet connection behavior so users CAN learn that they need to make a 
settings adjustment IN THE APP or simply uninstall the App and look for one 
that isn't so promiscuous with the internet. This I think is the 
privacy/security function of the OS that is so important--providing some means 
of "finding out" which Apps are connecting to the internet, which informs the 
user and allows him/her to decide whether to adjust settings in the App or 
uninstall it. The OS having to block an App from internet access or access to 
the Contacts list seems like it is having to compensate for bad App design 
(cause the settings that control this should really be in the App). Not to 
mention a resource drag on the OS having to do this. So I would think the OS 
really shouldn't deal with this or devote resources to it.

So I think the main point is: the most important OS function here is to find some 
means/interface/mechanism to apprise users of App Internet Connection Behavior. 
Android in a way does this: this App will access So & So--informing the user of 
what to expect which allows user to make an informed decision about whether to 
install the App or not. But MPT is absolutely right in saying this design is 
incomplete. Because Android says nothing as to whether the App has settings that 
can adjust how it behaves with respect to the internet. And the user won't 
fully understand the App's behavior and what options it has with respect to this 
behavior until he/she installs and uses the App for a time.


Re: Privacy features in Touch (cyanogenmod)?

2013-07-02 Thread Marc Deslauriers
On 13-07-02 03:19 PM, Matthew Paul Thomas wrote:
> J Fernyhough wrote on 24/06/13 13:28:
> 
>> On 24 June 2013 13:13, Marc Deslauriers wrote:
>>>
>>> On 13-06-24 08:07 AM, Matthew Paul Thomas wrote:
>>>
>>>> J Fernyhough wrote on 22/06/13 16:06:
>>>>
>>>>> On 22 June 2013 15:12, Matthew Paul Thomas
>>>>>
>>>>>>
>>>>>> On Ubuntu, an app will request a privilege during runtime.
>>>>>> For example, a game might have a "find my friends who
>>>>>> already play this game" function, that accesses your
>>>>>> contacts. The game would work just fine if you don't use
>>>>>> this function. But if you do use it, Ubuntu would then --
>>>>>> and only then -- ask you if you want to grant the app
>>>>>> access to your contacts.
>>>>> ...
>>>>>
>>>>> This is excellent! One quick feature request: a "remember
>>>>> this choice" checkbox. ;)
>>>>
>>>> I don't understand. Why would Ubuntu forget the choice
>>>> otherwise?
>>>
>>> Because granting a permission may depend on the context?
>>>
>>> For example, I may want to allow a photo application to use my
>>> GPS to tag a picture when I'm in some public place, but not when
>>> I take a picture when I'm at home.
> 
> A photo app that triggered an OS prompt to grant access to your
> location, after every photo you took, would quickly become intolerable.

Yes, agreed. Now that I think about it, it would in fact be intolerable. It
seems to me I currently do this sort of thing though with my Android phone...but
I can't seem to recall what the exact context is. Perhaps I'm thinking of the
browser prompting for a GPS authorization for each different web page, but that
is different.

> 
> More viable would be a setting to use your location unless you are
> within X distance of an editable list of locations.
> 
> And that setting would likely be more findable -- and would therefore
> protect more people -- in the photo app itself, rather than in System
> Settings. It would certainly be explained more clearly, because the
> photo app would know what it is using the location data for, while the
> OS would not. For example, you might want the app to record the
> location of every photo for your own reference, but strip it out when
> posting the photo online, whether that happened moments or weeks later.
> 
> This illustrates my general understanding of the purpose of the
> permissions feature. It is primarily for protecting against
> overzealous app developers. It is not workable for trying to control
> an app's use of data once the app does have access. That can be done
> more practically, and more understandably, inside the app itself.

Yes, I agree.

>>> Granting a permission shouldn't mean I grant it forever, unless
>>> I decide it should be forever...having both "Just this once" and 
>>> "Always" buttons satisfies my use case.
>>>
>>> Marc.
> 
> I don't see how those two buttons would satisfy that use case. If you
> didn't want to be prompted after every photo you took, each day you
> would tap "Always" after taking your first photo away from home, and
> then ... what? Have a separate app that detects when you're returning
> home, and reminds you to go into System Settings for your nightly
> revocation of location access to the photo app? Sooner or later you'd
> forget.

Yes, it was a bad use case, and I can't think of a better one now.

Marc.



Re: Privacy features in Touch (cyanogenmod)?

2013-07-02 Thread Matthew Paul Thomas
J Fernyhough wrote on 24/06/13 13:28:
> 
> On 24 June 2013 13:13, Marc Deslauriers wrote:
>> 
>> On 13-06-24 08:07 AM, Matthew Paul Thomas wrote:
>>> 
>>> J Fernyhough wrote on 22/06/13 16:06:
>>> 
>>>> On 22 June 2013 15:12, Matthew Paul Thomas
>>>>
>>>>>
>>>>> On Ubuntu, an app will request a privilege during runtime.
>>>>> For example, a game might have a "find my friends who
>>>>> already play this game" function, that accesses your
>>>>> contacts. The game would work just fine if you don't use
>>>>> this function. But if you do use it, Ubuntu would then --
>>>>> and only then -- ask you if you want to grant the app
>>>>> access to your contacts.
>>>> ...
>>>>
>>>> This is excellent! One quick feature request: a "remember
>>>> this choice" checkbox. ;)
>>> 
>>> I don't understand. Why would Ubuntu forget the choice
>>> otherwise?
>> 
>> Because granting a permission may depend on the context?
>> 
>> For example, I may want to allow a photo application to use my
>> GPS to tag a picture when I'm in some public place, but not when
>> I take a picture when I'm at home.

A photo app that triggered an OS prompt to grant access to your
location, after every photo you took, would quickly become intolerable.

More viable would be a setting to use your location unless you are
within X distance of an editable list of locations.

And that setting would likely be more findable -- and would therefore
protect more people -- in the photo app itself, rather than in System
Settings. It would certainly be explained more clearly, because the
photo app would know what it is using the location data for, while the
OS would not. For example, you might want the app to record the
location of every photo for your own reference, but strip it out when
posting the photo online, whether that happened moments or weeks later.

This illustrates my general understanding of the purpose of the
permissions feature. It is primarily for protecting against
overzealous app developers. It is not workable for trying to control
an app's use of data once the app does have access. That can be done
more practically, and more understandably, inside the app itself.

>> Granting a permission shouldn't mean I grant it forever, unless
>> I decide it should be forever...having both "Just this once" and 
>> "Always" buttons satisfies my use case.
>> 
>> Marc.

I don't see how those two buttons would satisfy that use case. If you
didn't want to be prompted after every photo you took, each day you
would tap "Always" after taking your first photo away from home, and
then ... what? Have a separate app that detects when you're returning
home, and reminds you to go into System Settings for your nightly
revocation of location access to the photo app? Sooner or later you'd
forget.

> Exactly this.
> 
> Though having buttons would result in four choices: Yes, No,
> Always, Never. Having buttons and a checkbox would be three: Yes,
> No, Remember. I think the SuperUser apps on Android might be a
> good example of how a single request might look? It could get a
> little more complicated if the app requests several permissions at
> once, though.
> 
> ...

When requesting access to an online account, the dialog would already
contain up to four controls: a menu if you had multiple accounts of
the selected type, then buttons for "Allow", "Add Another...", and
"Don't Allow".

- -- 
mpt



Re: Privacy features in Touch (cyanogenmod)?

2013-07-02 Thread Matthew Paul Thomas
Dylan McCall wrote on 22/06/13 17:19:
> 
> On Sat, Jun 22, 2013 at 7:12 AM, Matthew Paul Thomas
>> 
>> In the next couple of weeks I will design the UI for apps to
>> request privileges on Ubuntu Touch.
> 
> Yay!

I've now published it, though the UI text still needs a little work.
("Other app access" is a dull title.)

> ...
>> 
>> On Ubuntu, an app will request a privilege during runtime. For 
>> example, a game might have a "find my friends who already play
>> this game" function, that accesses your contacts. The game would
>> work just fine if you don't use this function. But if you do use
>> it, Ubuntu would then -- and only then -- ask you if you want to
>> grant the app access to your contacts.
> 
> I agree this is a good model. Still, I worry about the possibility
> of having a lot of "are you sure" dialogs in a nicely integrated 
> application.

That's a reasonable concern. But I haven't thought of a case where an
app would needfully request more than one or two privileges at a time.
Have you?

> For the act of adding an online account, I think that should be as 
> simple as choosing an online account from the system Online
> Accounts dialog. The interface will need to clearly communicate
> that in choosing an account you are granting "Foo app" permission
> to use it, but I don't think there's a reason to have anything else
> on top.

I'm not sure what you mean by "the system Online Accounts dialog".

If you mean a dialog that appears mid-screen with the application
still visible in the background, then absolutely. I've charted the
flow. 

If you mean the full "Online Accounts" screen of System Settings, then
that would have some visual consistency between listing accounts
prompted (when an app wants access) vs. unprompted (when browsing
System Settings). However, it would hide the context of the app behind
a full-screen Settings screen. And filtering the list to hide
irrelevant accounts, then adding UI to explain why only a subset of
accounts are being shown, would reduce the visual consistency almost
beyond recognition anyway.

> Similar deal with documents or contacts: there are some odd cases 
> where apps don't want to use the system's Contacts dialog, but I
> think in most cases they should be able to trigger that dialog, and
> have access to specific (selected) contacts granted implicitly.
> MacOS X seems to be doing that nowadays, and Plash (which was an
> intriguing idea that didn't seem to get anywhere) had that sort of
> thing happening for file choosers:
> http://plash.beasts.org/powerbox.html.

It hadn't even occurred to me that an app might want access to a
single contact! I was thinking of the sort of apps that go through all
your contacts, looking for other people who have already registered
with the app. Thanks for raising this.


> The other bit I wonder about is how this might affect something
> like the "Recent Files" list in an application. Do you think that
> sort of thing would work cleanly, or should we be thinking about a 
> replacement? (Or do people even use that?).

I guess the list of recent items would have to be inside the "content
picker" and nowhere else. An app couldn't provide its own UI for recent items
that were created in other apps, though it could for items it created
itself. That's what PC apps do anyway.

> One thing that drives me mad with Android's approach is lots of
> apps ask for permanent access to your contacts for a single thing
> that they do, once, ever, but then iOS has driven me mad working in
> the other direction, so I'm really excited to see what you have in
> mind :)
> 
> ...

Right. I've mentioned this in the spec: "an app might need a privilege
only for an uncommon function that you personally will never use".

Cheers
- -- 
mpt



RE: Privacy features in Touch (cyanogenmod)?

2013-07-01 Thread Matt B .
Let me tell you guys something I find really ANNOYING on iPhone:

I turn on Airplane mode, and then I go to use an App. I get prompts telling me 
Airplane mode is on (yes, I know Airplane mode is on). I'm getting these 
prompts because the App wants to use the internet. But it is an App that 
DOESN'T REALLY NEED INTERNET. The App makes use of internet for superfluous 
stuff that totally is not needed to fully run the App. An example from an App 
that I absolutely love: VLC. When I install VLC and start using it, it ASKS me 
if I would like VLC to download art/info from the internet regarding the music 
I'm listening to. This is good design! Apps can make use of internet, but they 
should NOT require internet nor force user to enable internet for their use. 
Obviously this doesn't apply to apps that are SOLELY location based or SOLELY 
dependent on the internet.

Hopefully Ubuntu-Touch will be more like VLC overall in terms of how it manages 
Apps' internet promiscuity. And hopefully Ubuntu-Touch will not annoyingly 
prompt user that Airplane mode is on when accessing apps.

Passing on my user-experiences so that Developers can hear my experiences. 
Maybe it can be of some help to make Ubuntu-touch a great experience for users.

Thanks.

I found this forum post on MacRumors talking about users' annoyance with 
Airplane Mode and wanting to use Apps with it on. So I'm not the only one 
noticing this. I think the OS needs to implement more discipline with respect 
to Apps' ability to connect willy-nilly to the internet.
http://forums.macrumors.com/showthread.php?t=1604335





Date: Mon, 24 Jun 2013 08:13:59 -0400
From: marc.deslauri...@canonical.com
To: ubuntu-devel-discuss@lists.ubuntu.com
Subject: Re: Privacy features in Touch (cyanogenmod)?

On 13-06-24 08:07 AM, Matthew Paul Thomas wrote:
> J Fernyhough wrote on 22/06/13 16:06:
> 
>> On 22 June 2013 15:12, Matthew Paul Thomas 
>> wrote:
>>>
>>> On Ubuntu, an app will request a privilege during runtime. For 
>>> example, a game might have a "find my friends who already play
>>> this game" function, that accesses your contacts. The game would
>>> work just fine if you don't use this function. But if you do use
>>> it, Ubuntu would then -- and only then -- ask you if you want to
>>> grant the app access to your contacts.
>> ...
> 
>> This is excellent! One quick feature request: a "remember this
>> choice" checkbox. ;)
> 
> I don't understand. Why would Ubuntu forget the choice otherwise?
> 
 
Because granting a permission may depend on the context?
 
For example, I may want to allow a photo application to use my GPS to tag a
picture when I'm in some public place, but not when I take a picture when I'm at
home.
 
Granting a permission shouldn't mean I grant it forever, unless I decide it
should be forever...having both "Just this once" and "Always" buttons satisfies
my use case.
 
Marc.
 
 



Re: Privacy features in Touch (cyanogenmod)?

2013-06-24 Thread Marc Deslauriers
On 13-06-24 03:58 PM, Benjamin Kerensa wrote:
> On Mon, Jun 24, 2013 at 10:16 AM, Marc Deslauriers wrote:
> 
>> On 13-06-23 04:06 PM, Benjamin Kerensa wrote:
>>> The person in question has perhaps the most foremost expertise on
>>> Information Security and Privacy in our community and perhaps in other
>>> communities as well.
>>> He is widely respected and I don't think it's just his opinion. I think
>>> it's widely held that the Amazon Scope is a privacy fail by community
>>> members at every level of the Ubuntu project.
>> 
>> Different people have different levels of privacy. Some people refuse to
>> use Facebook, but I do, even though I know they are using my information
>> for ad purposes. That's a level I am ok with.
>> 
>> When I showed a Friend the Amazon Scope, he thought it was so cool he
>> asked how to install it in Ubuntu 12.04.
> 
> 
> So one friend liking the feature justifies ignoring widely held views that the
> feature is invasive and should be opt-in?

Well, if you're allowed to present anecdotal evidence that it's "widely held",
so am I. I present anecdotal evidence of a single friend to demonstrate the fact
that privacy levels are a personal thing.

>> Please stop assuming everyone has the same notion of privacy as you do. Opinions
>> differ. I completely disagree with the notion that having a global search box in
>> Ubuntu is a privacy issue.
> 
> I'm not assuming everyone has the same notion of privacy that I do.  I do,
> however, assume that most people do not know what truly is and why it is
> important. Privacy is more than just preventing private information from being
> shared or leaked. It is more importantly about the choice of users and
> individuals to decide when and where their information is shared.

I totally agree that privacy is about choice, and that information shouldn't be
leaked without the user's consent. Which is why I think the Unity global search
respects user privacy by stating "Search your computer and online sources" in
the global search box, allowing the user to easily search locally without
sending their search terms to the Internet, and allowing users to disable
Internet in the global search with a privacy applet in the system settings.

> In the case of the scope in question it does not give users control or choice by
> default but instead makes the choice for them. That is a lack of privacy.

Of course it gives users a choice by default. You can simply not use the global
search field, and use local search fields, you can disable Internet access in
the privacy applet, or you can simply uninstall the relevant scopes.

>> In Unity 8, you can select right in the Dash which scopes can see your search
>> queries, and which don't.
> 
> Sure and you can disable it currently but that's not the point. The point is that
> Canonical has made a decision for its user in regards to how information is
> shared by default and that again is a lack of privacy and disrespectful to user
> choice.

No, it's not. It's respecting what most users expect of a modern operating
system. If you don't believe me, poll users of Siri on iOS. I'm sure they will
agree that having a global search _that actually works_ is what is expected.

>>>> The trade-off of the scopes features was well understood and just like
>>>> many other controversial decisions that have been made over the years,
>>>> it was decided that overall it would benefit the project the most in
>>>> the mid/long-term.
>>>
>>> I'm not saying all scopes are bad or privacy fails because not all scopes are
>>> installed by default and not all scopes take users' search queries in the home
>>> portion of the Unity Dash with such blatant lack of respect for user choice and
>>> privacy.
>>
>> I don't know what you mean by that. It's clear that you're searching the
>> Internet, and it can be disabled with a single click. What do you consider to be
>> a "blatant lack of respect for user choice and privacy"?
> 
> Any occasion where users' systems upon upgrade or fresh install will result in
> their searches on their desktop being sent to a private company without them
> opting in to such. Privacy is all about control and choice.

Privacy has nothing to do with opt-in or opt-out.

Please see the following web page for a pretty good description of what privacy is:

http://blog.sidstamm.com/2012/12/what-is-privacy.html


1- Collection of data is transparent.

Yep, the search box says "Search your computer _and online sources_", and
there's a link to a legal notice that details how your search term is going to
be used.

2- Individuals must be provided choice.

Any user is free to decide if they want their search terms to be collected. They
can simply not use the global search of the dash, or 

Re: Privacy features in Touch (cyanogenmod)?

2013-06-24 Thread Benjamin Kerensa
On Mon, Jun 24, 2013 at 10:16 AM, Marc Deslauriers <
marc.deslauri...@canonical.com> wrote:

> On 13-06-23 04:06 PM, Benjamin Kerensa wrote:
> > The person in question has perhaps the most foremost expertise on Information
> > Security and Privacy in our community and perhaps in other communities as well.
> > He is widely respected and I don't think it's just his opinion. I think it's
> > widely held that the Amazon Scope is a privacy fail by community members at every
> > level of the Ubuntu project.
>
> Different people have different levels of privacy. Some people refuse to use
> Facebook, but I do, even though I know they are using my information for ad
> purposes. That's a level I am ok with.
>
> When I showed a Friend the Amazon Scope, he thought it was so cool he asked how
> to install it in Ubuntu 12.04.
>

So one friend liking the feature justifies ignoring widely held views that
the feature is invasive and should be opt-in?


>
> Please stop assuming everyone has the same notion of privacy as you do. Opinions
> differ. I completely disagree with the notion that having a global search box in
> Ubuntu is a privacy issue.
>

I'm not assuming everyone has the same notion of privacy that I do.  I do,
however, assume that most people do not know what truly is and why it is
important. Privacy is more than just preventing private information from
being shared or leaked. It is more importantly about the choice of users and
individuals to decide when and where their information is shared.

In the case of the scope in question it does not give users control or
choice by default but instead makes the choice for them. That is a lack of
privacy.

>
> In Unity 8, you can select right in the Dash which scopes can see your search
> queries, and which don't.
>

Sure and you can disable it currently but that's not the point. The point is
that Canonical has made a decision for its user in regards to how
information is shared by default and that again is a lack of privacy and
disrespectful to user choice.


> > The trade-off of the scopes features was well understood and just like
> > many other controversial decisions that have been made over the years,
> > it was decided that overall it would benefit the project the most in
> > the mid/long-term.
> >
> > I'm not saying all scopes are bad or privacy fails because not all scopes are
> > installed by default and not all scopes take users' search queries in the home
> > portion of the Unity Dash with such blatant lack of respect for user choice and
> > privacy.
>
> I don't know what you mean by that. It's clear that you're searching the
> Internet, and it can be disabled with a single click. What do you consider to be
> a "blatant lack of respect for user choice and privacy"?
>

Any occasion where users' systems upon upgrade or fresh install will result
in their searches on their desktop being sent to a private company without
them opting in to such. Privacy is all about control and choice.



>
> Marc.
>
>
>



-- 
*Benjamin Kerensa*
*http://benjaminkerensa.com*
*"I am what I am because of who we all are" - Ubuntu*


Re: Privacy features in Touch (cyanogenmod)?

2013-06-24 Thread Marc Deslauriers
On 13-06-24 01:12 PM, Scott Kitterman wrote:
> Marc Deslauriers  wrote:
> 
>> On 13-06-23 03:41 AM, Benjamin Kerensa wrote:
>>>> Canonical Engineers have pretty much ignored the proposal of even one member of
>>>> the Ubuntu Tech Board in regards to user privacy.
>>>
>>>> What makes you believe if Canonical ignores a former security team
>>>> member/current tech board member and the EFF that they will give anyone else's
>>>> proposal the time of day?
>>
>> That is completely untrue. I looked at the proposals and the opinions, and I
>> disagree with them. Just because I disagree with someone's opinion on what an
>> adequate level of privacy is doesn't mean I've ignored them.
>>
>> I want Ubuntu to be as capable and usable as other operating systems, and this
>> includes having a global search that returns Internet results.
>>
>>>
>>>> The sad thing is the community does nearly as much work to produce Ubuntu but
>>>> has almost no say in its direction or features.
>>
>> That is also untrue.
>>
>>>
>>>> I think at this point the best option for privacy is to install a community flavor.
>>
>> Are there any community flavors that are specialized in privacy?
> 
> AFAIK, none of the non-Unity flavors send local search results across the 
> network by default. This seems to me a very reasonable approach for default 
> behavior. I don't think it's necessary to specialize in privacy to take such 
> an approach. 
> 

Unity doesn't either. The local searches are kept local.
Only the global search box sends results to the network.

Marc.







Re: Privacy features in Touch (cyanogenmod)?

2013-06-24 Thread Marc Deslauriers
On 13-06-23 04:06 PM, Benjamin Kerensa wrote:
> The person in question has perhaps the most foremost expertise on Information
> Security and Privacy in our community and perhaps in other communities as well.
> He is widely respected and I don't think it's just his opinion. I think it's
> widely held that the Amazon Scope is a privacy fail by community members at every
> level of the Ubuntu project.

Different people have different levels of privacy. Some people refuse to use
Facebook, but I do, even though I know they are using my information for ad
purposes. That's a level I am ok with.

When I showed a Friend the Amazon Scope, he thought it was so cool he asked how
to install it in Ubuntu 12.04.

Please stop assuming everyone has the same notion of privacy as you do. Opinions
differ. I completely disagree with the notion that having a global search box in
Ubuntu is a privacy issue.

In Unity 8, you can select right in the Dash which scopes can see your search
queries, and which don't.

>> The trade-off of the scopes features was well understood and just like
>> many other controversial decisions that have been made over the years,
>> it was decided that overall it would benefit the project the most in
>> the mid/long-term.
> 
> I'm not saying all scopes are bad or privacy fails because not all scopes are
> installed by default and not all scopes take users' search queries in the home
> portion of the Unity Dash with such blatant lack of respect for user choice and
> privacy.

I don't know what you mean by that. It's clear that you're searching the
Internet, and it can be disabled with a single click. What do you consider to be
a "blatant lack of respect for user choice and privacy"?

Marc.





Re: Privacy features in Touch (cyanogenmod)?

2013-06-24 Thread Scott Kitterman
Marc Deslauriers  wrote:

>On 13-06-23 03:41 AM, Benjamin Kerensa wrote:
>>> Canonical Engineers have pretty much ignored the proposal of even one member of
>>> the Ubuntu Tech Board in regards to user privacy.
>> 
>>> What makes you believe if Canonical ignores a former security team
>>> member/current tech board member and the EFF that they will give anyone else's
>>> proposal the time of day?
>
>That is completely untrue. I looked at the proposals and the opinions, and I
>disagree with them. Just because I disagree with someone's opinion on what an
>adequate level of privacy is doesn't mean I've ignored them.
>
>I want Ubuntu to be as capable and usable as other operating systems, and this
>includes having a global search that returns Internet results.
>
>> 
>>> The sad thing is the community does nearly as much work to produce Ubuntu but
>>> has almost no say in its direction or features.
>
>That is also untrue.
>
>> 
>>> I think at this point the best option for privacy is to install a community flavor.
>
>Are there any community flavors that are specialized in privacy?

AFAIK, none of the non-Unity flavors send local search results across the 
network by default. This seems to me a very reasonable approach for default 
behavior. I don't think it's necessary to specialize in privacy to take such an 
approach. 

Scott K




Re: Privacy features in Touch (cyanogenmod)?

2013-06-24 Thread Marc Deslauriers
On 13-06-23 03:41 AM, Benjamin Kerensa wrote:
>> Canonical Engineers have pretty much ignored the proposal of even one member of
>> the Ubuntu Tech Board in regards to user privacy.
> 
>> What makes you believe if Canonical ignores a former security team
>> member/current tech board member and the EFF that they will give anyone else's
>> proposal the time of day?

That is completely untrue. I looked at the proposals and the opinions, and I
disagree with them. Just because I disagree with someone's opinion on what an
adequate level of privacy is doesn't mean I've ignored them.

I want Ubuntu to be as capable and usable as other operating systems, and this
includes having a global search that returns Internet results.

> 
>> The sad thing is the community does nearly as much work to produce Ubuntu but
>> has almost no say in its direction or features.

That is also untrue.

> 
>> I think at this point the best option for privacy is to install a community flavor.

Are there any community flavors that are specialized in privacy?

Marc.





Re: Privacy features in Touch (cyanogenmod)?

2013-06-24 Thread Matthew Paul Thomas
Daniel Hollocher wrote on 22/06/13 16:31:
> ...
> 
>> This is poor design. Of all the time you spend with an app, the 
>> moment you're about to install it is the moment when you know
>> the least about it. So it's the moment when you're least able to
>> make informed decisions about granting those privileges.
> ...
> 
>> On Ubuntu, an app will request a privilege during runtime.
> 
> What I see you saying is that by the time I've just begun to use
> the app, I will have a better sense of what the app does, and
> therefore know what privileges to grant.

Not necessarily "just begun". For example, you might have been playing
a game for minutes or hours before you encounter the "Tweet this high
score" button.

> But that isn't the case for me.  Once I've started the app, I'm
> still trying to figure out what it does (even a simple game).  So I
> would just allow all privileges given that I don't know how to make
> a better decision and I at least want to make sure that the app
> works.  I think in general, once I have decided to start installing
> an app, I've also decided that I trust the app.

I'm not interested in encouraging people to decide that they trust an
app before they've even figured out what it does. Criminy.

> So, here is an alternative: before installation.  Have the needed 
> permissions displayed on the installation page, along side the
> ratings and forum discussions and app description.  That way, if
> there is some permission that doesn't make sense, I can go straight
> to the comments section to see any discussion about it. (and make
> permissions something I can search against, that way I can filter
> away unwanted permission takers).

That isn't an alternative; it's the Android model I described in the
first place.

> ...
> 
> PS - I think there is a wider issue of incorrectly assuming that 
> giving users finer grained control over privacy will grant greater 
> privacy.  For some users, it has the opposite effect: it
> overwhelms them with difficult questions, leading to "yes to all"
> types of behavior.

I agree. Prompting before install would effectively require a "Yes to
all" response, which would in turn encourage app developers to request
privileges they don't need.

-- 
mpt


Re: Privacy features in Touch (cyanogenmod)?

2013-06-24 Thread Matthew Paul Thomas
Benjamin Kerensa wrote on 23/06/13 08:41:
> 
> On Jun 22, 2013 7:16 AM, "Matthew Paul Thomas"  ...
> 
>> Ubuntu is an operating system, not a person. Neither you nor I 
>> get to decide priorities for Canonical engineers. But anyone is 
>> welcome to implement privacy features and propose them for 
>> inclusion in Ubuntu.
> 
> Canonical Engineers have pretty much ignored the proposal of even 
> one member of the Ubuntu Tech Board in regards to user privacy.
> 
> What makes you believe if Canonical ignores a former security team 
> member/current tech board member and the EFF that they will give 
> anyone else's proposal the time of day?

You're being pretty vague, but my best guess is that you're referring
to the default setting for online search in the Dash.

Every week I talk on Mumble with some of my colleagues. When I get
halfway through typing "mumble" in the Dash, the Amazon results are
ubuntu-calendar all over again. You don't need to lecture me about
what the default setting should be.

That's why I specifically referred to features, not settings, and
implementing them, not just proposing them.

> The sad thing is the community does nearly as much work to produce 
> Ubuntu but has almost no say in its direction or features.
> 
> ...

I reject both the premise that Canonical is not part of "the
community", and the premise that the EFF is. If the EFF spent even
half as much time contributing to Ubuntu as they've pretended to, we'd
all be better off.

-- 
mpt


Re: Privacy features in Touch (cyanogenmod)?

2013-06-24 Thread J Fernyhough
On 24 June 2013 13:13, Marc Deslauriers  wrote:
> On 13-06-24 08:07 AM, Matthew Paul Thomas wrote:
>> J Fernyhough wrote on 22/06/13 16:06:
>>
>>> On 22 June 2013 15:12, Matthew Paul Thomas 
>>> wrote:

>>>> On Ubuntu, an app will request a privilege during runtime. For
>>>> example, a game might have a "find my friends who already play
>>>> this game" function, that accesses your contacts. The game would
>>>> work just fine if you don't use this function. But if you do use
>>>> it, Ubuntu would then -- and only then -- ask you if you want to
>>>> grant the app access to your contacts.
>>> ...
>>
>>> This is excellent! One quick feature request: a "remember this
>>> choice" checkbox. ;)
>>
>> I don't understand. Why would Ubuntu forget the choice otherwise?
>>
>
> Because granting a permission may depend on the context?
>
> For example, I may want to allow a photo application to use my GPS to tag a
> picture when I'm in some public place, but not when I take a picture when I'm at
> home.
>
> Granting a permission shouldn't mean I grant it forever, unless I decide it
> should be forever...having both "Just this once" and "Always" buttons satisfies
> my use case.
>
> Marc.
>
>

Exactly this.

Though having buttons would result in four choices: Yes, No, Always,
Never. Having buttons and a checkbox would be three: Yes, No,
Remember. I think the SuperUser apps on Android might be a good
example of how a single request might look? It could get a little more
complicated if the app requests several permissions at once, though.

SU old style: 
https://lh5.ggpht.com/lajZW6rCFPn8N9PLpNOQmCtGmmC4vfhUPXq9DVTSQ5eCDNjQVW0zOBgm1T-pCcEAQoXh
SU new style: 
https://lh5.ggpht.com/8O1yWEIusmeXT76UGaMJCRArG4CyQoTemPonZElB4DKOClM-KKe_mwnPMhn_pR5HEUQ

J
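
The four outcomes discussed in the message above (Yes, No, Always, Never), modelled as a small runtime grant store with a per-privilege overview of remembered decisions. This is an added illustration, not code from the thread or from Ubuntu; the class, method, app and privilege names are hypothetical and the prompt answers are constructed.

```python
"""Runtime permission broker with four prompt outcomes (illustrative model)."""
from enum import Enum


class Answer(Enum):
    YES = "yes"        # allow this one request, ask again next time
    NO = "no"          # deny this one request, ask again next time
    ALWAYS = "always"  # allow and remember
    NEVER = "never"    # deny and remember


class PermissionBroker:
    def __init__(self, prompt):
        # prompt(app, privilege) -> Answer; stands in for the system dialog.
        self._prompt = prompt
        self._remembered = {}  # (app, privilege) -> bool, only ALWAYS/NEVER land here
        self.prompts_shown = 0

    def request(self, app, privilege):
        """Called at the moment the app first needs the privileged resource."""
        key = (app, privilege)
        if key in self._remembered:
            return self._remembered[key]  # standing decision, no dialog
        self.prompts_shown += 1
        answer = self._prompt(app, privilege)
        if answer in (Answer.ALWAYS, Answer.NEVER):
            self._remembered[key] = answer is Answer.ALWAYS
        return answer in (Answer.YES, Answer.ALWAYS)

    def revoke(self, app, privilege):
        """Forget a standing decision so the next request prompts again."""
        return self._remembered.pop((app, privilege), None) is not None

    def overview(self):
        """Per-privilege list of apps that hold a standing grant or denial."""
        view = {}
        for (app, privilege), allowed in sorted(self._remembered.items()):
            state = "always" if allowed else "never"
            view.setdefault(privilege, []).append((app, state))
        return view


def scripted_prompt(answers):
    """Replay constructed user answers in order, in place of a real dialog."""
    pending = iter(answers)
    return lambda app, privilege: next(pending)


def demo():
    broker = PermissionBroker(scripted_prompt(
        [Answer.YES, Answer.NO, Answer.ALWAYS, Answer.NEVER]))
    results = [
        broker.request("camera-app", "location"),  # Yes: tag this photo only
        broker.request("camera-app", "location"),  # asked again; No this time
        broker.request("game", "contacts"),        # Always
        broker.request("game", "contacts"),        # remembered, no prompt
        broker.request("podcasts", "network"),     # Never
        broker.request("podcasts", "network"),     # remembered denial, no prompt
    ]
    return broker, results


if __name__ == "__main__":
    broker, results = demo()
    print(results, broker.prompts_shown, broker.overview())
```
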



Re: Privacy features in Touch (cyanogenmod)?

2013-06-24 Thread Marc Deslauriers
On 13-06-24 08:07 AM, Matthew Paul Thomas wrote:
> J Fernyhough wrote on 22/06/13 16:06:
> 
>> On 22 June 2013 15:12, Matthew Paul Thomas 
>> wrote:
>>>
>>> On Ubuntu, an app will request a privilege during runtime. For 
>>> example, a game might have a "find my friends who already play
>>> this game" function, that accesses your contacts. The game would
>>> work just fine if you don't use this function. But if you do use
>>> it, Ubuntu would then -- and only then -- ask you if you want to
>>> grant the app access to your contacts.
>> ...
> 
>> This is excellent! One quick feature request: a "remember this
>> choice" checkbox. ;)
> 
> I don't understand. Why would Ubuntu forget the choice otherwise?
> 

Because granting a permission may depend on the context?

For example, I may want to allow a photo application to use my GPS to tag a
picture when I'm in some public place, but not when I take a picture when I'm at
home.

Granting a permission shouldn't mean I grant it forever, unless I decide it
should be forever...having both "Just this once" and "Always" buttons satisfies
my use case.

Marc.






Re: Privacy features in Touch (cyanogenmod)?

2013-06-24 Thread Matthew Paul Thomas
J Fernyhough wrote on 22/06/13 16:06:
> 
> On 22 June 2013 15:12, Matthew Paul Thomas 
> wrote:
>> 
>> On Ubuntu, an app will request a privilege during runtime. For 
>> example, a game might have a "find my friends who already play
>> this game" function, that accesses your contacts. The game would
>> work just fine if you don't use this function. But if you do use
>> it, Ubuntu would then -- and only then -- ask you if you want to
>> grant the app access to your contacts.
> ...
> 
> This is excellent! One quick feature request: a "remember this
> choice" checkbox. ;)

I don't understand. Why would Ubuntu forget the choice otherwise?

> Are there any plans to also collect app permissions into one
> place, for example a "privacy centre" that shows which apps have
> which permissions?
> 
> ...

I hadn't thought about that, but that's a good idea. I've already done
a screen for listing which apps have access to your location. Lists
for other privileges could go alongside.

-- 
mpt


Re: Privacy features in Touch (cyanogenmod)?

2013-06-23 Thread Benjamin Kerensa
On Sun, Jun 23, 2013 at 7:31 AM, Martin Albisetti  wrote:

> On Sun, Jun 23, 2013 at 4:41 AM, Benjamin Kerensa 
> wrote:
> >> > Unfortunately all Ubuntu seems to be working on is features that
> >> > create privacy concerns (like the scopes sending search requests to
> >> > Canonical servers).
> >> >
> >> > ...
> >>
> >> Ubuntu is an operating system, not a person. Neither you nor I get to
> >> decide priorities for Canonical engineers. But anyone is welcome to
> >> implement privacy features and propose them for inclusion in Ubuntu.
> >>
> >
> > Canonical Engineers have pretty much ignored the proposal of even one member
> > of the Ubuntu Tech Board in regards to user privacy.
> >
> > What makes you believe if Canonical ignores a former security team
> > member/current tech board member and the EFF that they will give anyone
> > else's proposal the time of day?
>
> It was not ignored, it was read, understood and taken into account.
> The fact that someone thinks that within their own domain of
> expertise, a feature should be disabled, it doesn't mean that in the
> overall context it should.
>

The person in question has perhaps the most foremost expertise on
Information Security and Privacy in our community and perhaps in other
communities as well. He is widely respected and I don't think it's just his
opinion. I think it's widely held that the Amazon Scope is a privacy fail by
community members at every level of the Ubuntu project.



> The trade-off of the scopes features was well understood and just like
> many other controversial decisions that have been made over the years,
> it was decided that overall it would benefit the project the most in
> the mid/long-term.
>

I'm not saying all scopes are bad or privacy fails because not all scopes
are installed by default and not all scopes take users' search queries in the
home portion of the Unity Dash with such blatant lack of respect for user
choice and privacy.


>
>
> > The sad thing is the community does nearly as much work to produce Ubuntu
> > but has almost no say in its direction or features.
>
> Please don't troll a random thread that only vaguely overlaps with a
> topic you are personally unhappy with. So far the conversation has
> been friendly, productive and positive.
> I expect much more from someone with a position of leadership in the
> community reviewing candidates for approval of official members, and
> so does the Code of Conduct[1].
>

Really? You're going to try and throw the CoC in my face simply because I
have raised a concern about privacy on a thread about privacy on a
discussion mailing list. Talk about stifling discussion.

Where is it that Canonical feels it's appropriate for Ubuntu Members to have
discussion these days? Because so far my blog, social media accounts,
mailing lists, IRC and forums are not appropriate venues for me to express
my opinion if it be dissenting.

If you only expect discussion that conforms to some sort of criteria that
is always agreeable to Canonical's decisions then you are going to narrow
the audience that Ubuntu can target.


>
> > I think at this point the best option for privacy is to install a community
> > flavor.
>
> Or just perform 3 clicks and disable the scopes connecting to the
> servers to send your query and return smarter results.
>

I really do not think you understand what Privacy is because the suggestion
you have given has a lack of respect for control and choice by the user
which in turn means it lacks privacy[1].

1. http://blog.sidstamm.com/2012/12/what-is-privacy.html


>
> [1] http://www.ubuntu.com/about/about-ubuntu/conduct
>
> --
> Martin
>



-- 
*Benjamin Kerensa*
*http://benjaminkerensa.com*
*"I am what I am because of who we all are" - Ubuntu*


Re: Privacy features in Touch (cyanogenmod)?

2013-06-23 Thread J Fernyhough
Martin Albisetti  wrote:
>Right, and while people who care about privacy over features is a
>market, it is a small one and not one we are targeting as a project,
>or ever have.
>There are plenty of other folks addressing it, so measuring our
>decisions against other people's goals can only lead to discomfort.
>

So Ubuntu Touch will _not_ have built-in privacy/access control
features? I'm confuzzled.

J



Re: Privacy features in Touch (cyanogenmod)?

2013-06-23 Thread Scott Kitterman
Martin Albisetti  wrote:

>On Sun, Jun 23, 2013 at 11:45 AM, Scott Kitterman
> wrote:
>> I think you're throwing the CoC at someone for expressing dissent is worse.
>> It's not like he's expressing a perspective that's not reasonably widely held.
>
>It is unrelated to this thread, where, as I pointed out, has been
>positive and actually in favor of better and more efficient privacy
>and security. Throwing in a different topic only serves to derail the
>conversation.
>This is not expressing dissent with what is being discussed, this is
>expressing dissent with something that's part of a different
>conversation.
>Lets keep the Ubuntu world a nice place to be in.
>
>There is a specific part of the CoC that addresses this point, where
>you are unhappy with a decision that has been made in the project:
>
>"We value discussion, data and decisiveness
>
>We gather opinions, data and commitments from concerned parties before
>taking a decision. We expect leaders to help teams come to a decision
>in a reasonable time, to seek guidance or be willing to take the
>decision themselves when consensus is lacking, and to take
>responsibility for implementation.
>
>The poorest decision of all is no decision: clarity of direction has
>value in itself. Sometimes all the data are not available, or
>consensus is elusive. A decision must still be made. There is no
>guarantee of a perfect decision every time - we prefer to err, learn,
>and err less in future than to postpone action indefinitely.
>
>We recognise that the project works better when we trust the teams
>closest to a problem to make the decision for the project. If we learn
>of a decision that we disagree with, we can engage the relevant team
>to find common ground, and failing that, we have a governance
>structure that can review the decision. Ultimately, if a decision has
>been taken by the people responsible for it, and is supported by the
>project governance, it will stand. None of us expects to agree with
>every decision, and we value highly the willingness to stand by the
>project and help it deliver even on the occasions when we ourselves
>may prefer a different route."
>
>The decision has been made, if you still have an issue take it up with
>the proper team.
>
>
>> Personally, I think lack of control over privacy is one of the major
>> shortcomings in all the major offerings available today and if Ubuntu Phone
>> were to significantly distinguish itself in this regard it would be a positive
>> discriminator in its favor for users.  Phones are a bit trickier though
>> because in many cases (virtually all in the US) the "customer" for a phone OS
>> is either the hardware manufacturer or the telco.  These customers may have a
>> different perspective on privacy, so I think it's quite natural that there's
>> tension on this topic.
>
>Right, and while people who care about privacy over features is a
>market, it is a small one and not one we are targeting as a project,
>or ever have.
>There are plenty of other folks addressing it, so measuring our
>decisions against other people's goals can only lead to discomfort.
>
>Please let this thread continue its course, and if you have any other
>issues open up a new channel of communication.

I think your replies to both of us make his point rather better than he did.  

It's just a fact that the non-Unity flavors are better configured for privacy 
and flinging the CoC at people who say so doesn't change that.  That also seems 
to me like something that is totally on topic.

No need to throw the CoC at me again in another reply.  I'm done with this 
thread. Sorry for being confused about this being a list where Ubuntu 
development is discussed. 

Scott K



-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss


Re: Privacy features in Touch (cyanogenmod)?

2013-06-23 Thread Scott Kitterman
On Sunday, June 23, 2013 11:31:29 AM Martin Albisetti wrote:
> On Sun, Jun 23, 2013 at 4:41 AM, Benjamin Kerensa wrote:
> >> > Unfortunately all Ubuntu seems to be working on is features that
> >> > create privacy concerns (like the scopes sending search requests to
> >> > Canonical servers).
> >> > 
> >> > ...
> >> 
> >> Ubuntu is an operating system, not a person. Neither you nor I get to
> >> decide priorities for Canonical engineers. But anyone is welcome to
> >> implement privacy features and propose them for inclusion in Ubuntu.
> > 
> > Canonical Engineers have pretty much ignored the proposal of even one
> > member of the Ubuntu Tech Board in regards to user privacy.
> > 
> > What makes you believe if Canonical ignores a former security team
> > member/current tech board member and the EFF that they will give anyone
> > else's proposal the time of day?
> 
> It was not ignored, it was read, understood and taken into account.
> The fact that someone thinks that within their own domain of
> expertise, a feature should be disabled, it doesn't mean that in the
> overall context it should.
> The trade-off of the scopes features was well understood and just like
> many other controversial decisions that have been made over the years,
> it was decided that overall it would benefit the project the most in
> the mid/long-term.
> 
> > The sad thing is the community does nearly as much work to produce Ubuntu
> > but has almost no say in its direction or features.
> 
> Please don't troll a random thread that only vaguely overlaps with a
> topic you are personally unhappy with. So far the conversation has
> been friendly, productive and positive.
> I expect much more from someone with a position of leadership in the
> community reviewing candidates for approval of official members, and
> so does the Code of Conduct[1].
> 
> > I think at this point the best option for privacy is to install a
> > community
> > flavor.
> 
> Or just perform 3 clicks and disable the scopes connecting to the
> servers to send your query and return smarter results.
> 
> 
> [1] http://www.ubuntu.com/about/about-ubuntu/conduct

I think your throwing the CoC at someone for expressing dissent is worse.  
It's not like he's expressing a perspective that's not reasonably widely held.

Personally, I think lack of control over privacy is one of the major 
shortcomings in all the major offerings available today and if Ubuntu Phone 
were to significantly distinguish itself in this regard it would be a positive 
discriminator in its favor for users.  Phones are a bit trickier though 
because in many cases (virtually all in the US) the "customer" for a phone OS 
is either the hardware manufacturer or the telco.  These customers may have a 
different perspective on privacy, so I think it's quite natural that there's 
tension on this topic.

Scott K



Re: Privacy features in Touch (cyanogenmod)?

2013-06-23 Thread Martin Albisetti
On Sun, Jun 23, 2013 at 4:41 AM, Benjamin Kerensa  wrote:
>> > Unfortunately all Ubuntu seems to be working on is features that
>> > create privacy concerns (like the scopes sending search requests to
>> > Canonical servers).
>> >
>> > ...
>>
>> Ubuntu is an operating system, not a person. Neither you nor I get to
>> decide priorities for Canonical engineers. But anyone is welcome to
>> implement privacy features and propose them for inclusion in Ubuntu.
>>
>
> Canonical Engineers have pretty much ignored the proposal of even one member
> of the Ubuntu Tech Board in regards to user privacy.
>
> What makes you believe if Canonical ignores a former security team
> member/current tech board member and the EFF that they will give anyone
> else's proposal the time of day?

It was not ignored, it was read, understood and taken into account.
The fact that someone thinks that within their own domain of
expertise, a feature should be disabled, it doesn't mean that in the
overall context it should.
The trade-off of the scopes features was well understood and just like
many other controversial decisions that have been made over the years,
it was decided that overall it would benefit the project the most in
the mid/long-term.


> The sad thing is the community does nearly as much work to produce Ubuntu
> but has almost no say in its direction or features.

Please don't troll a random thread that only vaguely overlaps with a
topic you are personally unhappy with. So far the conversation has
been friendly, productive and positive.
I expect much more from someone with a position of leadership in the
community reviewing candidates for approval of official members, and
so does the Code of Conduct[1].


> I think at this point the best option for privacy is to install a community
> flavor.

Or just perform 3 clicks and disable the scopes connecting to the
servers to send your query and return smarter results.


[1] http://www.ubuntu.com/about/about-ubuntu/conduct

--
Martin



Re: Privacy features in Touch (cyanogenmod)?

2013-06-23 Thread Benjamin Kerensa
On Jun 22, 2013 7:16 AM, "Matthew Paul Thomas"  wrote:
>
> Matt B. wrote on 18/06/13 14:26:
> > ...
> >
> > Can the upcoming Ubuntu-Touch incorporate some of the
> > cyanogenmod-like Privacy features into Ubuntu Touch?
> >
> > http://arstechnica.com/gadgets/2013/06/how-cyanogenmods-founder-is-giving-android-users-their-privacy-back/
> >
> In the next couple of weeks I will design the UI for apps to request
> privileges on Ubuntu Touch.
>
> When installing an app, Android shows you a list of privileges the app
> will require -- accessing your contacts, accessing your current
> location, and so on. If you decline, the app doesn't install.
>
> This is poor design. Of all the time you spend with an app, the moment
> you're about to install it is the moment when you know the least about
> it. So it's the moment when you're least able to make informed
> decisions about granting those privileges. And if an app developer can
> assume that consent will be uninformed, they're more likely to abuse
> that consent.
>
> Cyanogenmod is working around that, by letting you reduce an app's
> privileges after installation. But that requires you to notice, and
> care, and remember, and know how to change it -- four difficult things.
>
> On Ubuntu, an app will request a privilege during runtime. For
> example, a game might have a "find my friends who already play this
> game" function, that accesses your contacts. The game would work just
> fine if you don't use this function. But if you do use it, Ubuntu
> would then -- and only then -- ask you if you want to grant the app
> access to your contacts.
>
> An app could still ask for a privilege immediately when you launch it.
> But you'd be much less likely to allow it, in that case, than in
> response to an obviously related command. And if a privilege wasn't
> obviously essential to an app, but the app installed *and then*
> refused to work without that privilege, it would be ridiculed and
> downrated.
>
> With our current plan for online accounts, the privacy will go even
> further: an app won't even know *whether* you have a particular kind
> of account unless you grant access to that app.
>
> > I'd also like to see the ability of Ubuntu Desktop to be able to
> > control what apps can and cannot connect to the internet etc.
>
> If anyone would like to implement this, I designed firewall settings a
> couple of years ago. 
>
> > Unfortunately all Ubuntu seems to be working on is features that
> > create privacy concerns (like the scopes sending search requests to
> > Canonical servers).
> >
> > ...
>
> Ubuntu is an operating system, not a person. Neither you nor I get to
> decide priorities for Canonical engineers. But anyone is welcome to
> implement privacy features and propose them for inclusion in Ubuntu.
>

Canonical Engineers have pretty much ignored the proposal of even one
member of the Ubuntu Tech Board in regards to user privacy.

What makes you believe if Canonical ignores a former security team
member/current tech board member and the EFF that they will give anyone
else's proposal the time of day?

The sad thing is the community does nearly as much work to produce Ubuntu
but has almost no say in its direction or features.

I think at this point the best option for privacy is to install a community
flavor.

> I have designed fine-grained settings for the home screen search on
> the phone, including whether it accesses the Internet at all. I
> would be delighted to see equivalent settings implemented for the PC too.
>
> - --
> mpt


Re: Privacy features in Touch (cyanogenmod)?

2013-06-22 Thread Dylan McCall
On Sat, Jun 22, 2013 at 7:12 AM, Matthew Paul Thomas  wrote:
> In the next couple of weeks I will design the UI for apps to request
> privileges on Ubuntu Touch.

Yay!

>
> When installing an app, Android shows you a list of privileges the app
> will require -- accessing your contacts, accessing your current
> location, and so on. If you decline, the app doesn't install.
>
> This is poor design. Of all the time you spend with an app, the moment
> you're about to install it is the moment when you know the least about
> it. So it's the moment when you're least able to make informed
> decisions about granting those privileges. And if an app developer can
> assume that consent will be uninformed, they're more likely to abuse
> that consent.
>
> Cyanogenmod is working around that, by letting you reduce an app's
> privileges after installation. But that requires you to notice, and
> care, and remember, and know how to change it -- four difficult things.
>
> On Ubuntu, an app will request a privilege during runtime. For
> example, a game might have a "find my friends who already play this
> game" function, that accesses your contacts. The game would work just
> fine if you don't use this function. But if you do use it, Ubuntu
> would then -- and only then -- ask you if you want to grant the app
> access to your contacts.

I agree this is a good model. Still, I worry about the possibility of
having a lot of "are you sure" dialogs in a nicely integrated
application.

For the act of adding an online account, I think that should be as
simple as choosing an online account from the system Online Accounts
dialog. The interface will need to clearly communicate that in
choosing an account you are granting "Foo app" permission to use it,
but I don't think there's a reason to have anything else on top.
Similar deal with documents or contacts: there are some odd cases
where apps don't want to use the system's Contacts dialog, but I think
in most cases they should be able to trigger that dialog, and have
access to specific (selected) contacts granted implicitly. MacOS X
seems to be doing that nowadays, and Plash (which was an intriguing
idea that didn't seem to get anywhere) had that sort of thing
happening for file choosers: http://plash.beasts.org/powerbox.html.

The other bit I wonder about is how this might affect something like
the "Recent Files" list in an application. Do you think that sort of
thing would work cleanly, or should we be thinking about a
replacement? (Or do people even use that?).

One thing that drives me mad with Android's approach is lots of apps
ask for permanent access to your contacts for a single thing that they
do, once, ever, but then iOS has driven me mad working in the other
direction, so I'm really excited to see what you have in mind :)

--
Dylan



Re: Privacy features in Touch (cyanogenmod)?

2013-06-22 Thread Daniel Hollocher
Hi Matthew,


> This is poor design. Of all the time you spend with an app, the moment
> you're about to install it is the moment when you know the least about
> it. So it's the moment when you're least able to make informed
> decisions about granting those privileges.
>
 ...

> On Ubuntu, an app will request a privilege during runtime.


What I see you saying is that by the time I've just begun to use the app, I
will have a better sense of what the app does, and therefore know what
privileges to grant.

But that isn't the case for me.  Once I've started the app, I'm still
trying to figure out what it does (even a simple game).  So I would just
allow all privileges given that I don't know how to make a better decision
and I at least want to make sure that the app works.  I think in general,
once I have decided to start installing an app, I've also decided that I
trust the app.

So, here is an alternative: before installation.  Have the needed
permissions displayed on the installation page, alongside the ratings and
forum discussions and app description.  That way, if there is some
permission that doesn't make sense, I can go straight to the comments
section to see any discussion about it. (and make permissions something I
can search against, that way I can filter away unwanted permission takers).

The main point is that I don't think there is much difference between
asking when I am trying to install the app, and when I am trying to run the
app.

Dan

PS - I think there is a wider issue of incorrectly assuming that giving
users finer grained control over privacy will grant greater privacy.  For
some users, it has the opposite effect: it overwhelms them with difficult
questions, leading to "yes to all" types of behavior.


Re: Privacy features in Touch (cyanogenmod)?

2013-06-22 Thread J Fernyhough
On 22 June 2013 15:12, Matthew Paul Thomas  wrote:
> On Ubuntu, an app will request a privilege during runtime. For
> example, a game might have a "find my friends who already play this
> game" function, that accesses your contacts. The game would work just
> fine if you don't use this function. But if you do use it, Ubuntu
> would then -- and only then -- ask you if you want to grant the app
> access to your contacts.
>
> An app could still ask for a privilege immediately when you launch it.
> But you'd be much less likely to allow it, in that case, than in
> response to an obviously related command. And if a privilege wasn't
> obviously essential to an app, but the app installed *and then*
> refused to work without that privilege, it would be ridiculed and
> downrated.
>

This is excellent! One quick feature request: a "remember this choice"
checkbox. ;)

Are there any plans to also collect app permissions into one place,
for example a "privacy centre" that shows which apps have which
permissions?

J



Re: Privacy features in Touch (cyanogenmod)?

2013-06-22 Thread Matthew Paul Thomas
Matt B. wrote on 18/06/13 14:26:
> ...
> 
> Can the upcoming Ubuntu-Touch incorporate some of the 
> cyanogenmod-like Privacy features into Ubuntu Touch? 
> http://arstechnica.com/gadgets/2013/06/how-cyanogenmods-founder-is-giving-android-users-their-privacy-back/
> 
In the next couple of weeks I will design the UI for apps to request
privileges on Ubuntu Touch.

When installing an app, Android shows you a list of privileges the app
will require -- accessing your contacts, accessing your current
location, and so on. If you decline, the app doesn't install.

This is poor design. Of all the time you spend with an app, the moment
you're about to install it is the moment when you know the least about
it. So it's the moment when you're least able to make informed
decisions about granting those privileges. And if an app developer can
assume that consent will be uninformed, they're more likely to abuse
that consent.

Cyanogenmod is working around that, by letting you reduce an app's
privileges after installation. But that requires you to notice, and
care, and remember, and know how to change it -- four difficult things.

On Ubuntu, an app will request a privilege during runtime. For
example, a game might have a "find my friends who already play this
game" function, that accesses your contacts. The game would work just
fine if you don't use this function. But if you do use it, Ubuntu
would then -- and only then -- ask you if you want to grant the app
access to your contacts.

An app could still ask for a privilege immediately when you launch it.
But you'd be much less likely to allow it, in that case, than in
response to an obviously related command. And if a privilege wasn't
obviously essential to an app, but the app installed *and then*
refused to work without that privilege, it would be ridiculed and
downrated.

With our current plan for online accounts, the privacy will go even
further: an app won't even know *whether* you have a particular kind
of account unless you grant access to that app.

> I'd also like to see the ability of Ubuntu Desktop to be able to 
> control what apps can and cannot connect to the internet etc.

If anyone would like to implement this, I designed firewall settings a
couple of years ago. 

> Unfortunately all Ubuntu seems to be working on is features that 
> create privacy concerns (like the scopes sending search requests to
> Canonical servers).
> 
> ...

Ubuntu is an operating system, not a person. Neither you nor I get to
decide priorities for Canonical engineers. But anyone is welcome to
implement privacy features and propose them for inclusion in Ubuntu.

I have designed fine-grained settings for the home screen search on
the phone, including whether it accesses the Internet at all. I
would be delighted to see equivalent settings implemented for the PC too.

- -- 
mpt
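
The run-time request model described in this message, together with the "remember this choice" and "privacy centre" ideas raised in reply, as an added Python sketch; it is not code from the thread or from Ubuntu Touch. Every class, method and privilege name is hypothetical, and the contacts, accounts and user answers are constructed sample data.

```python
"""Toy permission broker: ask at first use, remember on request, list grants."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Stand-in for the system dialog: (app, privilege) -> (allow, remember_choice).
Prompt = Callable[[str, str], Tuple[bool, bool]]


@dataclass
class PermissionBroker:
    ask_user: Prompt
    contacts: List[str] = field(default_factory=list)
    accounts: Dict[str, str] = field(default_factory=dict)  # kind -> account id
    remembered: Dict[Tuple[str, str], bool] = field(default_factory=dict)
    prompts_shown: int = 0

    def _granted(self, app: str, privilege: str) -> bool:
        key = (app, privilege)
        if key in self.remembered:       # "remember this choice" was ticked
            return self.remembered[key]
        self.prompts_shown += 1          # asked at first use, not at install
        allow, remember = self.ask_user(app, privilege)
        if remember:
            self.remembered[key] = allow
        return allow

    def read_contacts(self, app: str) -> Optional[List[str]]:
        return list(self.contacts) if self._granted(app, "contacts") else None

    def get_account(self, app: str, kind: str) -> Optional[str]:
        # A refusal and a missing account both come back as None, so the app
        # cannot tell *whether* the user has an account of this kind.
        if not self._granted(app, "account:" + kind):
            return None
        return self.accounts.get(kind)

    def privacy_centre(self) -> Dict[str, List[str]]:
        """One place showing which apps hold which remembered grants."""
        view: Dict[str, List[str]] = {}
        for (app, privilege), allowed in self.remembered.items():
            if allowed:
                view.setdefault(app, []).append(privilege)
        return {app: sorted(privs) for app, privs in view.items()}

    def revoke(self, app: str, privilege: str) -> None:
        self.remembered.pop((app, privilege), None)  # next use prompts again


def demo() -> dict:
    # Constructed scenario: a scripted user answers the dialogs.
    answers = {
        ("game", "contacts"): (True, True),          # allow and remember
        ("game", "account:chat"): (False, False),    # deny once
        ("podcasts", "account:mail"): (True, False), # allow, no mail account
    }
    broker = PermissionBroker(
        ask_user=lambda app, privilege: answers[(app, privilege)],
        contacts=["Bob", "Carol"],
        accounts={"chat": "alice@example.test"},
    )
    out = {"prompts_at_install": broker.prompts_shown}
    out["first_read"] = broker.read_contacts("game")
    out["second_read"] = broker.read_contacts("game")
    out["prompts_after_reads"] = broker.prompts_shown
    out["denied_account"] = broker.get_account("game", "chat")
    out["missing_account"] = broker.get_account("podcasts", "mail")
    out["centre"] = broker.privacy_centre()
    broker.revoke("game", "contacts")
    out["centre_after_revoke"] = broker.privacy_centre()
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

In this sketch a one-off grant never appears in the privacy centre, because only remembered decisions persist.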


Re: Privacy features in Touch (cyanogenmod)?

2013-06-18 Thread J Fernyhough
On 18 June 2013 14:34, Alexandre Strube  wrote:
> A first approach could be a one-click TOR connection on networkmanager
> applet. Should be an interesting project.
>

This is something different to the original point Matt was making.
While the ability to route through Tor is a nice-to-have, if apps are
allowed to read and send my personal data (contacts, phone records,
specific location) then whether or not this goes through Tor is
irrelevant.

Yes, applications installed on a computer have access to your data.
The thing is, that data isn't centralised into a known location (or
provided by a known service) so that it can be accessed as necessary
by all applications. Added to this is the code review undertaken in
traditional projects; for example I'm reasonably happy that
Thunderbird won't send my email off to someone (that I might use Gmail
is entirely different, as I have chosen to use them as a provider,
though I don't expect them to send my email off to Microsoft).

The new application format has to allow for fine-grained privacy
controls. It's fine if a dialogue is shown saying something like "This
application is requesting the following permissions. You can deselect
any you choose, but be aware the application may not function
correctly or as intended", as long as I can make the choice whether
the latest version of "Irritable Felines" has full access to my
contacts, SMS, browser history and geodata. Heck, make it an advanced
option - I assume there will be developer options for U-Touch as for
Android.

A mobile OS built from the ground-up as privacy-aware is a huge
selling point - and for the moment unique.

J



Re: Privacy features in Touch (cyanogenmod)?

2013-06-18 Thread Alexandre Strube
A first approach could be a one-click TOR connection on networkmanager
applet. Should be an interesting project.


2013/6/18 Matt B. 

> I wish more software companies developed built-in Privacy features and
> user-control of app internet connections.
>
> The internet is a PUBLIC space and I don't like software companies working
> to put all my data there--including my local searches--while simultaneously
> doing nothing to bring enhanced privacy features to the OS.
>
> Can the upcoming Ubuntu-Touch incorporate some of the cyanogenmod-like
> Privacy features into Ubuntu Touch?
>
> http://arstechnica.com/gadgets/2013/06/how-cyanogenmods-founder-is-giving-android-users-their-privacy-back/
>
> I'd also like to see the ability of Ubuntu Desktop to be able to control
> what apps can and cannot connect to the internet etc. Unfortunately all
> Ubuntu seems to be working on is features that create privacy concerns
> (like the scopes sending search requests to Canonical servers).
>
> Please consider Privacy an important feature in Ubuntu/Ubuntu Touch. Which
> Mobile-OS I select to use will largely be determined by not just its
> freedom but also what it offers me in terms of Privacy & Control over how
> my data get on the internet. I want a say in whether an app can connect to
> the internet and when & why it connects to the internet.
>


-- 
Alexandre Strube
su...@ubuntu.com