= User Data Risk Minimization =
=== Location Disclosure ===
The Geocoding API service provider may differ from the location provider, and so may learn the location of Firefox users who encounter pages using this API.
''The Risk'' is that, because this feature sends longitude and latitude to the geocoding service, the user may be leaking their location to an unknown third party.
''Recommendation'': If possible, obtain the location from the same service provider that is used for geocoding. The same entity then handles both operations, which reduces surprise when users learn with whom their coordinates are shared.
''Requirement'': Ensure the user is aware when this Geocoding API is activated.
{{ResolutionBox|{{ok|The user is prompted for authorization unless other Geolocation services are used on the same page. Do we use the same organization for both geolocation and geocoding?}}}}
=== Geographical Tracking ===
As the user physically changes location (with a mobile device, laptop, etc.), they may also frequently visit sites that use geocoding. As a result, the geocoding service is exposed to the user's location at multiple points in time and space.
''The Risk'' is that the geocoding service will be able to tie multiple requests together into a trail of locations corresponding to an individual's movements. This problem is also present in other geolocation services, not just geocoding.
''Requirement'': Ensure no other client-state data are transmitted to the geocoding service (cookies, ETags/cache validators, last-access timestamps, etc.). Any such value lets the service correlate otherwise independent requests into a single trail.
{{ResolutionBox|{{new|Make sure requests to the geocoding API are stateless and anonymous.}}}}
=== Local Traces ===
Calls to and from the geocoding API may be cached locally. The side effect is that these data could form a "tracking record" of everywhere the user's browser activated geocoding: a series of addresses where the user probably physically sat.
''The Risk'' is that the locations will be persisted longer than necessary and may become discoverable by others who access the device; this leaks the user's physical location history to another person, probably without consent.
''Requirement'': Store addresses and longitude/latitude coordinates in volatile memory only (not on disk or in the cache).
{{ResolutionBox|{{new|Verify that location data encountered by this feature is kept in memory only (not on disk).}}}}
=== Confused Origin ===
Web pages are often composed of objects and frames from many different web sites, and an iframe or other subordinate resource on a page may trigger access to the geocoding API. Consider a map widget in an iframe: it may want location information geocoded into an address for display, but it might be served by "thirdpartymaps.com" rather than by the site shown in the address bar.
''The Risk'' is that it will not be clear to the user which part of the page (which origin) caused the geocoding request.
''Requirement'': Make it obvious who is requesting the call to the API.
''Recommendation'': Allow only script running in the context of the top-level document (the one displayed in the address bar) to make requests to this API.
{{ResolutionBox|{{new|Verify that only the top-level page can use this API.}}}}
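The following is an added illustration, not Firefox code, of how the three requirements above (stateless and anonymous requests, in-memory storage only, and top-level-document-only access) can be enforced in one small geocoding client. The endpoint name GEOCODER_URL, the request-option names (which mirror the fetch() API), the window objects and the returned address are all constructed for the example.

```javascript
// Added example (not Mozilla code): a minimal reverse-geocoding client that
// enforces the privacy requirements from this review.
//  1. Geographical Tracking: requests carry no cookies, cache validators or referrer.
//  2. Local Traces: results live in a volatile Map only, never on disk.
//  3. Confused Origin: only the top-level document may trigger a request.
// GEOCODER_URL is a hypothetical endpoint; the option names follow fetch().

const GEOCODER_URL = 'https://geocoder.example/reverse'; // hypothetical

// Headers that carry client state and must never appear on a geocoding request.
const STATEFUL_HEADERS = new Set([
  'cookie', 'authorization', 'if-none-match', 'if-modified-since', 'referer',
]);

// Build a request whose only variable content is the coordinate pair.
function buildGeocodingRequest(lat, lon) {
  const url = new URL(GEOCODER_URL);
  url.searchParams.set('lat', lat.toFixed(5));
  url.searchParams.set('lon', lon.toFixed(5));
  return {
    url: url.toString(),
    method: 'GET',
    credentials: 'omit',           // no cookies, no HTTP auth
    cache: 'no-store',             // no conditional headers, nothing written to the HTTP cache
    referrerPolicy: 'no-referrer', // do not reveal which page the user is on
    headers: { Accept: 'application/json' },
  };
}

// Return a list of reasons the request is NOT stateless; empty list means OK.
function assertStateless(req) {
  const problems = [];
  if (req.credentials !== 'omit') problems.push('credentials must be omit');
  if (req.cache !== 'no-store') problems.push('cache must be no-store');
  if (req.referrerPolicy !== 'no-referrer') problems.push('referrerPolicy must be no-referrer');
  for (const name of Object.keys(req.headers || {})) {
    if (STATEFUL_HEADERS.has(name.toLowerCase())) problems.push(`forbidden header: ${name}`);
  }
  return problems;
}

// In a browser, win.top === win holds only for the document shown in the address bar.
function isTopLevelDocument(win) {
  return win.top === win;
}

// Volatile store: a plain Map that disappears with the browsing session.
class VolatileGeocodeCache {
  constructor() { this.entries = new Map(); }
  key(lat, lon) { return `${lat.toFixed(5)},${lon.toFixed(5)}`; }
  get(lat, lon) { return this.entries.get(this.key(lat, lon)); }
  set(lat, lon, address) { this.entries.set(this.key(lat, lon), address); }
  clear() { this.entries.clear(); }
}

// Perform a reverse geocode on behalf of `win`, refusing frames and stateful requests.
// `send` is the transport (fetch() in a browser); it is injected so the example runs offline.
function reverseGeocode(win, lat, lon, { cache, send }) {
  if (!isTopLevelDocument(win)) {
    throw new Error('geocoding denied: caller is not the top-level document');
  }
  const hit = cache.get(lat, lon);
  if (hit !== undefined) return hit; // served from memory, no network round trip
  const req = buildGeocodingRequest(lat, lon);
  const problems = assertStateless(req);
  if (problems.length) throw new Error(`refusing stateful request: ${problems.join('; ')}`);
  const address = send(req);
  cache.set(lat, lon, address);
  return address;
}

// Constructed stand-in for fetch(): records each request and returns a fake address.
function fakeSend(log) {
  return (req) => { log.push(req); return '1 Example St (constructed)'; };
}

// Constructed windows: the top-level page and an iframe served by a third party.
const topWindow = { location: { origin: 'https://mainsite.example' } };
topWindow.top = topWindow;
const frameWindow = { location: { origin: 'https://thirdpartymaps.example' }, top: topWindow };
```

The injected `send` is where a real client would call `fetch(req.url, req)`; `assertStateless` runs before every network call so a later change that adds a header or enables credentials is caught at the request boundary rather than discovered in server logs.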
= Alignment with Privacy Operating Principles =