Purpose of this workshop

Existing and novel Web APIs being used in more and more contexts challenge what users can easily deal with. They may have trouble understanding which information is being disclosed to whom and the threats presented by those disclosures. Deciding when and how to seek a user’s permission or when that permission can be inferred or bypassed has been challenging, with different APIs, operating systems, and browsers handling things in different ways. Both web applications and native applications may face similar challenges in this space, therefore discussions on challenges and solutions spanning these two contexts are in scope.

The W3C Workshop on Permissions brings together security and privacy experts, UI/UX designers and researchers, browser vendors, OS developers, API authors, web publishers and users. We aim to address the privacy, security and usability challenges involved in controlling access to an increasingly powerful set of capabilities on the Web and other platforms.

Topics covered

To keep the scope of this workshop practical, we’d like to encourage conversation about the ways in which user agents can (or cannot) engage users in its decisions about which capabilities to expose to which websites. The proposed scope includes:

• user concerns and preferences;
• better alignment of permission lifetime/duration with user tasks;
• risks and benefits of human-centric grouping/categorization of permissions and applications;
• challenges with novel capabilities;
• capability abuse threat models and mitigations;
• scoping of permissions to origins vs. applications, relation to same origin policy;
• UIs and controls;
• integrated permission control surfaces tailored to the capability itself;
• permission transparency, accountability, and control; and
• balancing well-specified permissions UX in standards with the ability for implementers to meet the future user and product requirements.

We aim to share experiences and user studies, leading to common understanding of how to ensure user comprehension and control of powerful capabilities while managing cognitive load. We would like to focus on usable security topics and thus propose to explicitly leave advertising-related aspects out of scope. While there is some overlap, we believe this topic area is expansive and would like the outcome of this workshop to provide practical next steps related to permissions.

The workshop will build on the W3C Workshop on Permissions and User Consent held in 2018.

Location and Time

The workshop will be held at Google Munich, Erika-Mann-Straße 33, on the 5th – 6th of December 2022.

The closest airport is Munich International Airport (MUC).

Important Dates

• Position papers due: Oct 26
• Invitations sent to participants: Nov 7
• Program announced: Nov 9
• Workshop: Dec 5-6

Note that because of the compressed schedule, we will be notifying attendees as soon as possible after we receive a statement of interest.

Program Committee

• Balazs Engedy, Google
• Lukasz Olejnik, independent researcher, fellow of Geneva Academy of International Humanitarian Law and Human rights
• Wendy Seltzer, W3C
• Christine Runnegar, Internet Society
• Mike Taylor, Google
• Marcos Caceres, Apple
• Anssi Kostiainen, Intel
• Serena Chen, Google
• Abdulrahman Alqabandi, Microsoft
• Sam Weiler, W3C
• Maryam Mehrnezhad, Royal Holloway University of London
• Marian Harbach, Google

What is W3C?

W3C is a voluntary standards consortium that convenes companies and communities to help structure productive discussions around existing and emerging technologies, and offers a Royalty-Free patent framework for Web Recommendations. W3C develops work based on the priorities of our members and our community.