Privacy features in Touch (cyanogenmod)?

Dylan McCall dylanmccall at gmail.com
Sat Jun 22 16:19:06 UTC 2013


On Sat, Jun 22, 2013 at 7:12 AM, Matthew Paul Thomas <mpt at canonical.com> wrote:
> In the next couple of weeks I will design the UI for apps to request
> privileges on Ubuntu Touch.

Yay!

>
> When installing an app, Android shows you a list of privileges the app
> will require -- accessing your contacts, accessing your current
> location, and so on. If you decline, the app doesn't install.
>
> This is poor design. Of all the time you spend with an app, the moment
> you're about to install it is the moment when you know the least about
> it. So it's the moment when you're least able to make informed
> decisions about granting those privileges. And if an app developer can
> assume that consent will be uninformed, they're more likely to abuse
> that consent.
>
> Cyanogenmod is working around that, by letting you reduce an app's
> privileges after installation. But that requires you to notice, and
> care, and remember, and know how to change it -- four difficult things.
>
> On Ubuntu, an app will request a privilege during runtime. For
> example, a game might have a "find my friends who already play this
> game" function, that accesses your contacts. The game would work just
> fine if you don't use this function. But if you do use it, Ubuntu
> would then -- and only then -- ask you if you want to grant the app
> access to your contacts.

I agree this is a good model. Still, I worry about the possibility of
having a lot of "are you sure" dialogs in a nicely integrated
application.

For the act of adding an online account, I think that should be as
simple as choosing an online account from the system Online Accounts
dialog. The interface will need to clearly communicate that in
choosing an account you are granting "Foo app" permission to use it,
but I don't think there's a reason to have anything else on top.
Similar deal with documents or contacts: there are some odd cases
where apps don't want to use the system's Contacts dialog, but I think
in most cases they should be able to trigger that dialog, and have
access to specific (selected) contacts granted implicitly. MacOS X
seems to be doing that nowadays, and Plash (which was an intriguing
idea that didn't seem to get anywhere) had that sort of thing
happening for file choosers: http://plash.beasts.org/powerbox.html.

The other bit I wonder about is how this might affect something like
the "Recent Files" list in an application. Do you think that sort of
thing would work cleanly, or should we be thinking about a
replacement? (Or do people even use that?)

One thing that drives me mad with Android's approach is lots of apps
ask for permanent access to your contacts for a single thing that they
do, once, ever, but then iOS has driven me mad working in the other
direction, so I'm really excited to see what you have in mind :)

--
Dylan
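
The implicit grant discussed in the message above (choosing items in a trusted system dialog is itself the permission), sketched as an added example that is not part of the original message or of any Ubuntu, Android or Plash code. The Powerbox class, its method names, the app ids and the contact data are all hypothetical and constructed for illustration.

```python
import secrets

class Powerbox:
    """Trusted system side: owns the contact store and the picker dialog."""

    def __init__(self, contacts, picker):
        self._contacts = dict(contacts)  # contact id -> record
        self._picker = picker            # stands in for the user's choice in the system dialog
        self._grants = {}                # token -> (app id, ids the user selected)

    def pick_contacts(self, app_id):
        """Run the picker; the selection itself is the grant, with no extra prompt."""
        selected = self._picker(app_id, sorted(self._contacts))
        ids = frozenset(c for c in selected if c in self._contacts)
        if not ids:
            return None                  # user cancelled: nothing is granted
        token = secrets.token_hex(16)
        self._grants[token] = (app_id, ids)
        return token

    def read(self, app_id, token, contact_id):
        """Return a record only if this app holds a grant covering this contact."""
        owner, ids = self._grants.get(token, (None, frozenset()))
        if owner != app_id or contact_id not in ids:
            raise PermissionError(f"{app_id} has no grant for {contact_id}")
        return self._contacts[contact_id]

    def revoke(self, token):
        """Drop a grant so a one-off use does not become permanent access."""
        self._grants.pop(token, None)

# Constructed sample data, not real contacts.
CONTACTS = {"c1": "Alice <alice@example.org>",
            "c2": "Bob <bob@example.org>",
            "c3": "Carol <carol@example.org>"}

def can_read(box, app_id, token, contact_id):
    """True if the broker lets this app read this contact with this token."""
    try:
        box.read(app_id, token, contact_id)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    box = Powerbox(CONTACTS, picker=lambda app, ids: ["c2"])  # user picks only Bob
    token = box.pick_contacts("game")
    print(can_read(box, "game", token, "c2"), can_read(box, "game", token, "c1"))
```

The app never sees the contact store, only a token scoped to what the user picked, so a cancelled dialog or an unselected contact simply yields no access.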




More information about the Ubuntu-devel-discuss mailing list