Comments (6)
Hi. I agree that there are two forms of "trust" here - one related to security, which relates to certificates, etc., and the other about humans, which relates to how and why the app is using their data. For the second one, I am of the strong opinion that users should be able to express their own policies (or reuse ones from the community) about how they want to let others use their data, and that such policies should be used to assist them in making decisions and reducing the ability of apps/companies to manipulate and take advantage of people.
For example, here are certain things that such (machine-readable) policies can help flag, or provide additional contextual information about, when apps request access, to make a better-informed decision:
- Use of sensitive data categories
- Sharing with an absurdly large number of other third parties
- Asking for access to too much data at once
- Explanations for why data is needed being vague
- Having to read stupidly large "privacy policies" and "terms and conditions" without actually understanding anything
- Not understanding the request and how it will impact them
- Not understanding who is the entity or company behind the app
- Identifying when the community has identified an app or an app provider as being malicious
- Ensuring the "consent" is appropriate to context, for example, not allowing one click to give access to all of the data at once
- Having an indication of a 'risk score' associated with the request - e.g. access to contacts for address books is low risk, access to medical records from a non-health entity is extremely high risk.
In order to enable this, both the app request and the user/community preferences or guides need to be in machine-readable forms so that the agent can interpret and use them. Otherwise there is a strong likelihood of continuing the current malpractices, where users get a notice that only provides a link to a website T&C that they either don't read or don't fully understand, and end up giving access to do something with their data that they had not anticipated or intended.
from authorization-panel.
Yes, but that is still just the technical aspect. A random user would not have much to go on to formulate those policies. Dedicated Authorization Servers could serve as a centralization point. I think we need to be much more elaborate in involving the social fabric of the ecosystem, the humans, not the machines.
from authorization-panel.
> Having to read stupidly large "privacy policies" and "terms and conditions" without actually understanding anything
IMO we should collaborate with community-driven services like https://tosdr.org/ to address this specific problem.
from authorization-panel.
Currently, at use.id we're using the OIDC Dynamic Client Registration metadata values policy_uri (policies) and tos_uri (terms of service) to provide users with links to those documents. Towards the future, we aim to implement something like the ODRL vocabulary, combined with DPV or gConsent (like described in #55). This legal consent information could possibly be embedded within SAI Data Grants (like described here). There already exists a specification combining ODRL with DPV specifically for Solid. In the end, this should enable both the user and the application to express legal conditions that are also machine-readable, and which can therefore be displayed in a structured manner, and even programmatically compared.
from authorization-panel.
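An added illustration, not code from any commenter, use.id or the Solid specifications: a sketch of how an agent could compare a machine-readable access request with a user's policy and raise the flags listed in the first comment, including the risk-score idea and the policy_uri / tos_uri links mentioned above. The request and policy shapes, the `sector` field, the thresholds and all URLs are assumptions made for this example.

```javascript
// Added example: hypothetical request/policy shapes. Only client_id, client_name,
// policy_uri and tos_uri are real OIDC Dynamic Client Registration fields.
const userPolicy = {
  sensitiveCategories: ["medical", "financial"],
  maxRecipients: 3,        // more third parties than this gets flagged
  maxItemsPerRequest: 2,   // guards against "everything in one click"
  vaguePurposes: ["improve our services", "other", ""],
  communityBlocklist: ["https://bad.example/app"], // constructed value
  // category -> sectors for which access is expected (lower risk)
  expectedSectors: { contacts: ["address-book", "messaging"], medical: ["health"] },
};

function evaluateRequest(client, items, policy) {
  const flags = [];
  let risk = 0;
  if (!client.policy_uri || !client.tos_uri) flags.push("missing-policy-or-tos");
  if (policy.communityBlocklist.includes(client.client_id)) {
    flags.push("community-flagged");
    risk += 100;
  }
  if (items.length > policy.maxItemsPerRequest) flags.push("too-much-at-once");
  for (const item of items) {
    const sensitive = policy.sensitiveCategories.includes(item.category);
    const expected = (policy.expectedSectors[item.category] || []).includes(client.sector);
    if (sensitive) flags.push(`sensitive:${item.category}`);
    if (item.recipients.length > policy.maxRecipients) flags.push(`many-recipients:${item.category}`);
    if (policy.vaguePurposes.includes(item.purpose.trim().toLowerCase())) flags.push(`vague-purpose:${item.category}`);
    // Sensitive data requested by an out-of-sector entity dominates the score.
    risk += (sensitive ? 40 : 5) * (expected ? 1 : 2);
  }
  const level = risk >= 80 ? "high" : risk >= 30 ? "medium" : "low";
  return { flags, risk, level };
}

// Constructed sample requests.
const addressBook = { client_id: "https://contacts.example/app", client_name: "Contacts",
  sector: "address-book", policy_uri: "https://contacts.example/privacy",
  tos_uri: "https://contacts.example/tos" };
const quizApp = { client_id: "https://quiz.example/app", client_name: "Quiz", sector: "games" };

const low = evaluateRequest(addressBook,
  [{ category: "contacts", purpose: "Show your contacts", recipients: [] }], userPolicy);
const high = evaluateRequest(quizApp,
  [{ category: "medical", purpose: "Other", recipients: ["a", "b", "c", "d"] }], userPolicy);
console.log(low, high);
```

A consent screen could render `flags` and `level` next to the request instead of only linking to the documents behind policy_uri and tos_uri.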
Hi. I have written up an article titled "Making Sense of Solid for Data Governance and GDPR" https://osf.io/m29hn/ that analyses how Solid in its current state relates to GDPR's requirements, what are some of the possible governance models (for Pods and Apps), and some issues that are known to be problematic also apply to Solid. The aim is to emphasise the necessity and importance of answering (through developments) the question this issue has raised. The article also explores some specific ideas for improving things (Section 8).
from authorization-panel.
Both user and resource associated Authorization Servers #43 could let users configure some kind of 'trust policies'. For example, apps that have specific certifications, are published by specific entities, etc.
This would affect the Consent Screen when the user gives an app authorizations. It would show if the app meets or doesn't meet those policies. IMO this is an even stronger case to have dedicated Authorization Servers which would take all the responsibilities related to authorizing apps, revoking authorizations #24, etc.
from authorization-panel.