
Permission Denied

Seek Permission, Do Not Demand

Tue Jan 3 13:05:20 2017

And this is one of the major questions of our lives: how we keep boundaries, what permission we have to cross boundaries, and how we do so.
(A. B. Yehoshua)

I have a quick gripe to share with you,[1] and it concerns the asking of permission.

This morning, while I was updating some applications on my phone, I noticed that one of the applications asked for a lot more information than previously (which is why the phone didn’t auto-update it).[2] The reason for asking for these permissions is clearly for the application to build out its community features and grow its market share. But I have an issue with this.

Let me explain a little about the app without saying who it is as that isn’t relevant.

  • It is a companion application to a piece of hardware;
  • As such the makers pronounce it to be a ‘free’ supplement;[3]
  • It has some tracking of activity so needs access to location;
  • It needs access to Bluetooth and some connectivity services.

The previous version of the application had those rights (Bluetooth/location/connectivity) but the makers have added a whole group more as you can see from the following screenshot.

[Screenshot: permissions list]

So I have no issue with in-app purchases, Identity, Location, Bluetooth; it is the fact that they also want Contacts, SMS, Photo and media, Camera and most importantly Device ID and Call Information. The last one I find the most troubling. I understand it is so they can pass through the information from the phone to the hardware, however they don’t explicitly state that will be the only usage.

It set me to thinking. It doesn’t matter whether you are in a Windows, Android, Mac or Linux environment, or developing for one. It also doesn’t matter if you are developing for mobile, web or desktop/server. You should be better about asking for permission and allowing the user to dictate how that is used.

Instead of forcing me to comply with a set of access permissions or denying me an update, you should have greater access control in the application, so I can set what it uses, how it uses it and change those at any time without disabling the upgrade, hardware or application.[4]

We should, as an industry, be seeking to allow our users greater control over their privacy, permissions and usage of data. That is an essential part of open rights that we should be championing.



Notes

[1] Happy New Year btw

[2] Yes, I have my device set to auto-update; the phone will warn me if there is a permissions change, and most updates are for security, stability and/or new features, so it is generally something I’d want to happen.

[3] Of course, it is a loose understanding of the word free; like BOGOF, it isn’t free as it has a condition: you have to have the hardware for it to work properly.

[4] I did check and there are no permissions inside the app, except for allowing some data to be shown on a public league table/chart. It doesn’t state what the other data will be used for at this time.