undefined | Better HN

0 pointshgsgm2y ago0 comments

That's a lot more work than saying "No" to using the malware.

0 comments

It's common for various counterparties, including software, to ask for much more information than they need and possibly be doing untrustworthy things with it while also providing legitimate value to the end user.

I've lied about my birthday while signing up for websites before. I've also made ad-hoc email addresses with forwarding to conceal my main email address. I've given fictitious phone numbers and I've used the names of fictional characters. I do this because I benefit from the service but I don't trust the provider to use my information responsibly.

Not a logical leap to go from there to feeding fake data to extensions when they request data that the user deems unnecessary for their functionality.

saurik2y ago

Yeah: while declaring permissions sounds cool and tries to fit into the narrative of helping protect end users who don't know how to manage anything themselves, at the end of the day it first requires an extremely opinionated central entity in charge of listings which takes a role in attempting to mediate the incentive incompatibilities (something which should raise serious ethical red flags and begs the question of conflicts of interest with respect to that player and the market that they get to fully control) but then still not only doesn't work to prevent users from getting abused, it will never work: "this app has requested access to your birthday" might be easy for end users, but (if this must be an API; but like, to the extent to which birthday is a bad example, this generalizes to every other thing that people currently must grant as "permissions") the only actually-correct solution is to always provide a concrete random date to every app by default and then allow the user to go out of their way--and this must not, under any circumstance, be something the app is allowed to prompt for or have any visibility into: this must be something the user has to initiate through external UI--to say "I grant this app access to my real birthday" (which, to the app, would have to look like the user merely changed the setting on their birthday to some other random date, as opposed to "the user finally gave us permission to see the same date that they can share to every other app").

josteink2y ago

> It's common for various counterparties, including software, to ask for much more information than they need

I believe if you ask for very wide permissions, at least when publihsing a browser-extension in the Google Chrome-store, you will have to justify why those are needed (from a user-facing POV), and your extension will be subject for additional review.

The same also applies when creating other Google-related apps which uses APIs which Google deems sensitive or restricted: You will have to justify their usage and be prepared for a review.

It's not bullet-proof, but it's more than nothing.

j / k navigate · click thread line to collapse