Privacy/Reviews/F1A: Difference between revisions

(→‎oauthorizer: delete section)


In this section, the privacy champion will identify areas of user data risk and recommendations for minimizing the risk.
== Credentials ==
There are various credentials employed in this system (username/password, OAuth token) that are used via OWA and the third-party webapp components to share information.  Additionally, other users of the system could potentially have access to a user's sharing credentials.
''The Risk'' is that these credentials might be leaked across third parties or to other users of the system.
''Requirement:'' These credentials are stored by the third-party webapp components that use them, and only those components (and the browser, extended by the Share Mediator Component) should be able to touch them. Any non-OAuth credentials should be stored in the password database and, when possible, encrypted using the browser's master password.
{{ResolutionBox|{{new|}}}}
== Clearing Private Data ==
Anything stored persistently should be cleared when the user clears that type of data elsewhere in the browser.  For example, when a user clears stored passwords, any passwords that are stored for purposes of sharing should be cleared.  The OAuth tokens should be removed when the user clears cookies or passwords (since they are related to both).
''The Risk'' is that, while the user may think he is "resetting" credentials stored in his browser, this may not be the case if the third-party webapps don't store data in the right place or erase it at the right time.
''Requirement:'' when stored passwords in the browser are cleared, the webapps should delete passwords.  OAuth tokens should be deleted when users clear cookies.  Contacts and other account data should be erased when the user clears localstorage.
''Recommendation:'' if a user has not set up Firefox to remember passwords, no passwords should be stored in localstorage by the share add-on or its webapp components (they can be retained in memory, but lost when Firefox is closed).
{{ResolutionBox|{{new|}}}}
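The clearing rules and the in-memory-only recommendation above, modelled as a storage policy for a sharing webapp component. This is an added example, not code from the F1A review or from the Share add-on; the category names, the clear-event names ("passwords", "cookies", "localstorage") and the `ShareDataStore` class are assumptions standing in for whatever the real component and browser hooks provide.

```javascript
// Which browser "clear data" events must purge each category of share data.
// Mapping taken from the requirements above; the event names are assumed.
const PURGE_TRIGGERS = {
  password: new Set(["passwords"]),
  oauthToken: new Set(["cookies", "passwords"]),
  contacts: new Set(["localstorage"]),
};

class ShareDataStore {
  constructor({ rememberPasswords }) {
    this.rememberPasswords = rememberPasswords;
    this.persistent = new Map();  // stands in for localStorage / password DB
    this.sessionOnly = new Map(); // memory only, lost when the browser closes
  }

  put(category, key, value) {
    if (!(category in PURGE_TRIGGERS)) throw new Error("unknown category " + category);
    // Recommendation: with password saving disabled, never persist passwords.
    const target = category === "password" && !this.rememberPasswords
      ? this.sessionOnly : this.persistent;
    target.set(category + ":" + key, value);
  }

  get(category, key) {
    const k = category + ":" + key;
    return this.persistent.has(k) ? this.persistent.get(k) : this.sessionOnly.get(k);
  }

  // Called when the browser clears one data type; returns the number of entries purged.
  onBrowserClear(dataType) {
    let removed = 0;
    for (const store of [this.persistent, this.sessionOnly]) {
      for (const k of [...store.keys()]) {
        const category = k.slice(0, k.indexOf(":"));
        if (PURGE_TRIGGERS[category].has(dataType)) { store.delete(k); removed++; }
      }
    }
    return removed;
  }

  // Session-only data must not survive a browser shutdown.
  onBrowserShutdown() {
    const n = this.sessionOnly.size;
    this.sessionOnly.clear();
    return n;
  }
}
```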
== Browsing History ==
A subset of the user's browsing history is exposed to third-party services.  This is done through the core UI and functionality of the product.
''The Risk:'' the user will knowingly provide third parties with insight into what sites they've visited in the past.  Browsing history is generally considered to be private, and any disclosure of such data should be deliberate.  This is a very tiny risk since the whole point of this feature is to share URLs.  Nonetheless, the risk is there, and unless the user is always at the helm when data sharing happens, it could be leaked without consent.
URLs shortened through a URL shortening service are disclosed to that service.  If URL shortening services are used, it must be clear what is happening.
''Requirement:'' The UI must clearly show each URL being shared and with which parties the URL will be shared before it is transmitted.  If URL shortening is used, there must be user intervention before the URL is sent to the service for shortening.  (UI can be used to "remember" the user's preference to shorten URLs, but that must be opt-in.)
{{ResolutionBox|{{new|UI is clear.  Are shortening services employed?}}}}


= Alignment with Privacy Operating Principles =