
Add sections on the Web being safe to browse, trusted user interface, and asking users for consent. #155

Merged (4 commits), Mar 3, 2020

Conversation

dbaron (Member) commented Feb 7, 2020

This is a very rough draft of changes to add sections on the Web being safe to browse, trusted user interface, and asking users for consent. It is intended to fix #146, though it's possible I've gone a little bit beyond my remit in that issue.

This contains a bunch of ideas that I think are widely accepted, but also some that are probably less so, and some that could certainly use more research on what users actually understand about the web's safety. (I thought about whether to explicitly call out the desire for research on that, but so far haven't done so.)

I think this will likely need a considerable amount of review and refinement. I suspect if I kept it on my computer until next week and then looked at it again, I'd want to rewrite most or all of it. But nevertheless I think it's useful to get some feedback on it, particularly on the high-level aspects: are these the right topics to bring up here, the right way to organize them, and the right points to make?

I've picked a few reviewers who I think are likely to have comments, but I'd welcome comments from others as well.

@dbaron dbaron requested review from hober and torgo February 7, 2020 00:49
hober (Contributor) left a comment:

At a high level and on my first, hurried read, this looks really great. I'll try to take a closer look in the next few days.

alice (Contributor) left a comment:

Some thoughts below. I think this is a good start, but I think we might need a few more iterations.

index.bs (outdated):
Users who are following a link to a web page they haven't seen before
should not have to fear for the security of their computer
or for essential aspects of their privacy.
(One caveat here is that users of the Web
Contributor:

I'm not sure I understand this caveat. I agree with the general principle, of course, but I'm not sure what it adds here - to me it reads as though there can/should be escape hatches from users' privacy protections in cases where the user is harming others, which I'm sure is not the intended reading.

Member Author:

So the caveat is really to the sentence before the quote -- the idea that following a link should always be safe. Taking that position absolutely would imply that we're taking the position that governments shouldn't punish people for, say, viewing child pornography. And I don't think that's a position that I'd like to take. So I want some way to say that we want it to be safe from a technical perspective but not necessarily from a legal one.

(At the same time, there's an entirely separate discussion about mechanisms that governments want to use to enforce some legal rules, and what the downsides of those mechanisms are, and while some of that discussion is relevant to the TAG, I'd like to avoid getting into it in this section.)

I should think more about a better way to word this.

should not assume that they are free from consequences
if their use of the Web is harming others.)

Saying “essential aspects” here skips over quite a bit of detail.
Contributor:

I'm also a little unclear on what this paragraph is saying. What user interfaces are you referring to? Can we rephrase this to focus on the point about user expectations and privacy, and either omit the aspirational aspects or give them their own paragraph?

Member Author:

I've tried to do this; I think I pulled the aspirational bits out into their own paragraph, which I actually ended up structuring as a list.


When we add new features to the Web
that might weaken the security or privacy characteristics that the Web currently has,
we should consider the tradeoffs involved in that particular feature.
Contributor:

Perhaps this is worthy of its own sub-heading?

Member Author:

Sorry for the delay getting back to these -- I'm going to post revisions soon (I hope) that will address many of the comments.

But while I'm working on that, I wanted to get back to this one: I think this paragraph is still pretty central to the idea that it should be safe to visit a web page, and I think I'd like to keep them together in the same subsection. (But perhaps some of the other edits I'm currently making will make this a little clearer.)

index.bs (outdated):
or whether the connection is secure.
Since users rely on this information to learn what site they're on
and to make judgments about whether it is trustworthy,
it is important that sites not be able to spoof or override this user interface.
Contributor:

This seems out of scope for API design, albeit a critical point for user agent UI design.

It seems like the point below is the more critical one: if a feature relies on adding extra decisions for a user to make, care should be taken that the feature is providing enough value (either through providing a clear user benefit, or through simplifying some other decision process for the user) to make it worthwhile.

Contributor:

I see your point, @alice, but I think it's in scope to the extent that different API shapes make different UI designs easier / more likely / etc.

Contributor:

Perhaps that point should be made more explicitly, in that case?

Contributor:

Agreed!

Contributor:

w3ctag/design-reviews#461 (comment): this seems like a good first pass.

Member Author:

I'm a little confused by @alice's last comment in this thread -- was it meant as a comment on the following section (on informed consent), rather than this section on trusted UI?

(Also, I think the "point below" in the initial comment was referring to the second paragraph of this section, and not the following section, but please correct me if I'm wrong.)

In any case, what I've tried to do here (and I realize I should comment before pushing the changes, since pushing the changes will likely hide the review comments) is to convert these two paragraphs into one and connect them more closely. Though perhaps you were looking for something different?

that users will understand what is being requested
and the main implications of giving their consent.

We should also not ask users to consent to something
Contributor:

Is this worth a separate sub-heading as well?

Contributor:

Does this paragraph argue against the existence of private browsing mode? Users sometimes think that there will be no server-side record of what they did while visiting a site with private browsing mode on.

Member Author:

To @alice's question of separate subheading starting with the third paragraph of this section -- I think both the second and third paragraphs of this section are trying to define the "when appropriate" in the section's title, so I prefer not.

Regarding @hober's question on private browsing mode: I don't think it argues against the existence of such a mode, but I would argue (although this is more tied to the first of the three subsections) that implementations offering such a mode ought to try to adjust its user interface so that users have more accurate expectations of what it does and doesn't do.

An example of such a feature might be support for location:
many users seem likely to understand what it means to share their current location with a website
and be able to consent to doing so
(even though they might not fully understand the privacy implications of doing so).
Contributor:

Is this an editorial on the geolocation API?

Member Author:

I was trying to say that I think the geolocation API is ok since it's a question that users can understand, even if they don't necessarily follow all the implications of how location tracking is used in today's ecosystem of tracking/sharing/reselling user data.

Contributor:

I think the parenthetical might be best as its own clarifying sentence, in that case.

Member Author:

Perhaps, but I'm going to leave this one as is for now.

We should not depend on asking the user for consent
(via a permission prompt or other mechanism)
if we don't have a way to express that request in a way
that users will understand what is being requested
Contributor:

Which users? How do we determine what the "target audience" users will or won't be able to understand?

index.bs (outdated):
Asking users for consent via permission prompts
can both reinforce the idea that the web is safe
by showing the user that certain things won't happen without their permission,
and can also show how scary a place the web is
Contributor:

Is this a risk we're warning about?

Member Author:

Maybe. I fully admit it's a little bit off-topic for the section, but I think it's a risk worth mentioning. But I'm open to taking it out if you think it doesn't fit.

Contributor:

Perhaps it should be rewritten as two sentences illustrating two sides of a trade-off.

Member Author:

I changed it to 2 sentences.
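The review above discusses two draft passages on consent: the location example ("many users seem likely to understand what it means to share their current location with a website") and the rule that we should not depend on asking for consent when the request cannot be expressed in a way users will understand. The following is an added example, not code from the design-principles document or the w3ctag repository: a page-side gate around a permission-backed feature (geolocation) that raises the browser's permission prompt only when the request is likely to be meaningful to the user. The injected `nav` object, the `DECISIONS` names, `consentDecision`, `requestLocation` and `makeFakeNavigator` are all assumptions of this example; the only browser APIs it touches are `navigator.permissions.query` and `navigator.geolocation.getCurrentPosition`.

```javascript
// Added example: not code from the TAG design-principles document or the
// w3ctag repository. A page-side gate around a permission-backed feature
// (geolocation here) that raises the browser's permission prompt only when
// the request can be meaningful to the user: after a user gesture, with a
// plain-language reason the page can show alongside it, and never once the
// user has already refused. `nav` is injected so the logic runs outside a
// browser; makeFakeNavigator builds constructed test data.

const DECISIONS = Object.freeze({
  ALREADY_GRANTED: 'already-granted',     // feature usable, no prompt shown
  PREVIOUSLY_DENIED: 'previously-denied', // respect the earlier decision
  NO_USER_GESTURE: 'no-user-gesture',     // never prompt on page load
  NO_REASON_GIVEN: 'no-reason-given',     // page cannot explain the request
  PROMPT: 'prompt',                       // appropriate to ask now
});

// Pure decision: given the Permissions API state, whether the request follows
// a user gesture, and the page's reason text, should a prompt be raised?
function consentDecision(permissionState, fromUserGesture, reason) {
  if (permissionState === 'granted') return DECISIONS.ALREADY_GRANTED;
  if (permissionState === 'denied') return DECISIONS.PREVIOUSLY_DENIED;
  if (!fromUserGesture) return DECISIONS.NO_USER_GESTURE;
  if (typeof reason !== 'string' || reason.trim() === '') {
    return DECISIONS.NO_REASON_GIVEN;
  }
  return DECISIONS.PROMPT;
}

// Promise wrapper over the callback-style Geolocation API.
function getPosition(geolocation) {
  return new Promise((resolve, reject) => {
    geolocation.getCurrentPosition(resolve, reject, { maximumAge: 60000 });
  });
}

// Request the user's location only when consentDecision allows it.
// Resolves to { decision, position }; position is null unless the feature ran.
async function requestLocation(nav, { fromUserGesture, reason }) {
  const status = await nav.permissions.query({ name: 'geolocation' });
  const decision = consentDecision(status.state, fromUserGesture, reason);
  if (decision !== DECISIONS.PROMPT && decision !== DECISIONS.ALREADY_GRANTED) {
    return { decision, position: null };
  }
  try {
    const pos = await getPosition(nav.geolocation);
    return { decision, position: pos.coords };
  } catch (err) {
    // The user dismissed or refused the browser prompt: record it as a denial
    // so the page does not immediately ask again.
    return { decision: DECISIONS.PREVIOUSLY_DENIED, position: null, error: err };
  }
}

// Constructed stand-in for window.navigator (test data, not a real browser).
function makeFakeNavigator(state, userAccepts = true) {
  return {
    permissions: { query: async () => ({ state }) },
    geolocation: {
      getCurrentPosition(success, failure) {
        if (userAccepts) success({ coords: { latitude: 51.5, longitude: -0.12 } });
        else failure({ code: 1, message: 'User denied Geolocation' });
      },
    },
  };
}

// Stand-alone demonstration: the same request on page load and after a click.
async function demo() {
  const opts = { reason: 'Show stores near you' };
  const onLoad = await requestLocation(makeFakeNavigator('prompt'), { ...opts, fromUserGesture: false });
  const onClick = await requestLocation(makeFakeNavigator('prompt'), { ...opts, fromUserGesture: true });
  console.log('page load:', onLoad.decision, '| after click:', onClick.decision);
  return [onLoad.decision, onClick.decision];
}
demo();
```

The point of keeping `consentDecision` pure is that the policy (no prompt without a gesture, no prompt without a reason, no re-prompt after a refusal) can be reviewed and tested without a browser, while `requestLocation` is the only place the real API is touched; in a page, `fromUserGesture` would be set from a click handler and `reason` would be the text shown next to the control that triggers the request.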

hober (Contributor) left a comment:

After a closer read, I'm still really happy with this. I've left some comments where I think the text could be improved, but I'm okay with landing this as-is and improving it in follow-up patches.

index.bs (outdated):
For example,
a person walking down the street generally expects to be recognized by their friends,
but depending on the country,
may not expect that they were walking down that street to be recorded in a permanent government database.
Contributor:

This sentence reads strangely to me. I think I know what you're trying to say, but this is a confusing way to say it.

Does this read better to anyone else:

For example, a person walking down the street generally expects to be recognized by their friends but,
depending on the country,
they may not expect the fact that they walked down that particular street at that particular time to be recorded in a permanent government database.

Member Author:

I agree it's better. I took most of your suggestions but turned "depending on the country" into a parenthetical and omitted a few words ("the fact", "particular", "particular").

index.bs (outdated):
to make correct judgments about who they're interacting with
and whether the user interface is trustworthy or spoofed.

<h3 id="informed-consent">Ask users for informed consent when appropriate</h3>
Contributor:

Internally on the WebKit team, we tend to talk about "meaningfully informed consent", by which we mean that not only was the user informed of the risks, they were informed of the risks in a way we believe they're likely to be able to understand and make sound judgments based upon. I don't know if this is a distinction worth making here.

Member Author:

Maybe, though I'm actually worried, based on its definition in other contexts (particularly medical ones), that the term "informed consent" might even be too strong, since it seems to imply being properly informed of all risks. Does "meaningful consent" make sense? I've left it alone for now, but I'm definitely open to changing it.

Contributor:

I like "meaningful consent"

Member Author:

I changed it to "meaningful consent" (and the id to "consent").


@dbaron dbaron self-assigned this Mar 2, 2020
dbaron (Member Author) commented Mar 3, 2020

Also, I've made a live version of the changes on this branch visible.

alice (Contributor) left a comment:

Couple of thoughts that don't need to be addressed in this PR.


@dbaron dbaron merged commit e398a21 into w3ctag:master Mar 3, 2020
Successfully merging this pull request may close these issues: Don't Erode Users' Trust in the Web