Hi Kazue,
Thank you much for turning this up. It's an even stronger example of why we can't trust any authorization server we don't specify (and can change) ourselves.
Folks may remember that I recently posted about a similar experience with my Dropbox where I had no recollection of allowing Microsoft Word full access to my entire Dropbox. The mechanism that allowed that to happen may be different than Pokemon's link to Google, but that hardly matters.
Frankly, I find it amazing that the UMA group, the HEART group, and even VRM are still treating the user-specified authorization server as a "nice-to-have" MAY instead of a MUST. As far as I'm concerned, the only sustainable path for both OAuth and VRM is to build on top of a user-specified authorization server.
I have referred to this as: "There's only one Alice." Standards like UMA, HEART, and VRM that don't take this as a given are unlikely to scale or to drive competition and substitutability that make for an effective standard.
Adrian
On Thursday, July 14, 2016, Kazue Sako <
k-sako@ab.jp.nec.com> wrote:
Hi Andrian and Doc,
This seems to have an interesting point regarding use of OAuth where many people here are familiar with.
A friend of mine showed me an interesting link.
http://ericrafaloff.com/pokemon-go-and-google/
As google is using OAuth, the usual flow should show the user a consent screen. Yet this was not the case with Pokemon Go.
>Meaning authorization servers by big companies acting on persons’ behalf. In this case Nintendo (Pokemon Go parent) and Google.
Actually, Pokemon Go was developed by a company called Niantic which was a part of Google at the time they developed Ingress (according to the link above).
Kazue Sako
________________________________________
> On Jul 13, 2016, at 9:07 AM, Adrian Gropper <agropper@healthurl.com> wrote:
>
> https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-collecting-from-your-phone?utm_term=.pmzKLWaD1#.prLqPbnwM
Here’s the link without the tracking cruft:
https://www.buzzfeed.com/josephbernstein/heres-all-the-data-pokemon-go-is-collecting-from-your-phone
> This may well have been a case of accidental social engineering but it makes the point that multiple random authorization servers will not scale.
Meaning authorization servers by big companies acting on persons’ behalf. In this case Nintendo (Pokemon Go parent) and Google.
> If Pokemon wants access to my Google stuff, they need to ask my authorization server and not the one Google helpfully gave to me.
Meaning one you operate personally.
Does one exist? Do we have an example or a prototype among all our developments here? (I’m so snowed under looking at all of it that I confess to being a bit lost?in a good way.)
> Is there any other alternative? How could Google's ever play both sides as both game developer and privacy protector?
That’s the right question. The answer has to come from our sovereign personal whatever (authorization server is a good term, but it needs to be distinguished from the same operated by giant companies playing both sides).
And the Castle Doctrine needs to apply. <http://bit.ly/3stldoc> or <http://j.mp/cstl3>
Doc
> Adrian
>
> --
>
> Adrian Gropper MD
>
> PROTECT YOUR FUTURE - RESTORE Health Privacy!
> HELP us fight for the right to control personal health data.
> DONATE: http://patientprivacyrights.org/donate-2/
>
--
_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.orghttp://kantarainitiative.org/mailman/listinfo/wg-uma