Trust models

Web applications may seek access to sensitive information like your current location, calendar and address book, or to device capabilities like a built-in camera or microphone. Users need to be able to trust the applications to behave sensibly and not flout their privacy.

One approach is to always ask the user for permission, e.g. is it okay to pass the device location to a given web page? This is fraught with difficulties as the user is likely to be focusing on the task in hand and liable to click through the dialogue without due consideration. Users are also unlikely to know whether a given web page is trustworthy.

This is where it is appropriate to consult someone you trust to advise you on the decision. Better yet to delegate the decision to that person. In the context of web applications this means making use of a trust management service.

When the web application makes a request for a restricted service, the browser contacts the trust management service to see if the request should be granted or denied according to the preferences the user has registered with the trust management service. A more refined approach is illustrated below: