Identity/Profile/Proposal
Adding Profile Data to Persona
Background & Motivation
Two of Persona's primary goals are to make signing up and signing into sites as easy as possible. Persona succeeds in making signin easy, but misses the mark for sign up. To create an account, many sites that use Persona must still ask users for additional personal information. How many times do users have to fill out their real names whenever they visit a new site?
Facebook Connect and other OAuth-based services make it easy for users to create a single profile that they can share with multiple sites, but these systems do not give the user fine enough control over which data is released to which site. Users either give up everything or nothing. There should be a better way.
Proposal
Add basic profile information to Persona. To make use of profile facilities, sites must request a set of profile information drawn from a well-defined list of possible attributes. Users then have the opportunity to approve or deny the request, as well as to modify any information before it is released. Sites can request the data they need, and users retain control over what is released.
Initial plans are to collect only a minimal set of data, starting with name and photo. If a user fills in these two attributes, sites may receive them without explicit per-site user consent; this detail has not yet been finalized. Until key-wrapping facilities are ready, data will be stored only in localStorage in the user's browser; there will be no initial server-side component. Note that localStorage is not encrypted at rest and is readable by any script running on Persona's origin.
Once we better understand the needs of sites as well as the expectations of users, additional information will be collected in the form of "contact cards". A contact card is an individual profile; a user may have one contact card per email address. Additional fields in a contact card will likely include address, phone number, D.O.B., a web site, Twitter handle, Facebook handle, and possibly a short bio.
Once key-wrapping support is ready, a profile server will be set up to store the data and sync it across a user's devices. All data stored on the profile server will be encrypted on the client, much as Firefox Sync operates today. The keys needed to decrypt the stored data will not leave the user's devices, so the data is inaccessible to anyone with access to Persona's servers, Mozilla included.
Data collected
Initially, only a minimal set of data will be requested from the user: name and photo. In the future, additional attributes will be stored in multiple "contact cards". Additional data likely includes address, phone number, D.O.B., a web site, Twitter handle, Facebook handle, and possibly a short bio. The exact list of extended attributes to be collected has yet to be determined.
Data retention
Until key-wrapping support is ready, profile data will be retained only on the user's device. When the user manually signs out of Persona, or a different user signs in on the same device, the original user's profile data will be cleared. When key-wrapping support is complete and client-side encryption is possible, a profile server will be set up to act as a sync mechanism. That data will be retained on Mozilla's servers but will be inaccessible to Mozilla and to third parties, since the keys needed to decrypt it never leave the user's devices.
Comparisons
Facebook Connect[1] and OAuth[2] are two existing systems with similar aims. Facebook Connect is built on OAuth2. While many sites, such as Twitter, use OAuth for authentication, its original purpose is authorization: delegating access to a user's resources.
OAuth-enabled sites request authorization to access individual protected resources. When a site requests an OAuth token, each protected resource is explicitly requested using a "scope" parameter [3]. Users are informed of each permission being requested when they are presented with the OAuth dialog, which lets a user decide whether they trust a site enough to provide it with personal information.
While Facebook uses OAuth2 as its base protocol, it takes a somewhat relaxed approach to the base level of data given to a site without asking for permission: "By default, we give you access to the user's name, picture and any other data they have shared with everyone on Facebook." Additional fields must be requested explicitly [4].
A Facebook Connect enabled site or app will receive the following fields without explicitly requesting additional permission:
id, name, first_name, middle_name, last_name, gender, locale, link (profile URL), username, cover (photo)
OAuth as deployed suffers from an all-or-nothing approach to authorization. The OAuth2 specification does allow the authorization server to grant a narrower scope than the client requested (and requires it to report the scope actually granted) [3], but consent dialogs, Facebook's included, present the request as a single yes/no decision: a user is unable to approve only a subset of the requested data.
Persona will operate using an explicit request/scope model, but give the user finer control over which fields are authorized. Name and photo may be given by default, additional fields must be explicitly requested.
- [1] Facebook Connect - https://developers.facebook.com/docs/guides/web/#login
- [2] OAuth2 Spec - http://tools.ietf.org/html/draft-ietf-oauth-v2-26
- [3] OAuth2 Spec, Scope Section - http://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-3.3
- [4] Facebook Connect User Object - https://developers.facebook.com/docs/reference/api/user/
User Data
Concrete user data that will initially be collected:
{ name: <string>, photo: <base-64 encoded image> }
Users affected
All Persona users will be affected by this proposal. Approximately 100,000 sign-ins/month.
Opt-in/Opt-out
All features will be opt-in. Users will not have to supply profile information. When sites request information, users can decline the request or modify any data before it is sent.
Privacy Policy
Profile data collection and release may require a privacy policy update. Changes to our privacy policy will be made and published before this service is released. Profile information that a user releases to a site will be governed by that site's privacy policy and TOS.
Publication of Collected Data
An individual user's profile data will never be published by Mozilla. We may publish aggregate information, such as the number of users using the service or other KPIs.
Profile information that a user releases to a site may be published at that site's discretion.
Background Bugs & Wiki Pages
- https://github.com/mozilla/browserid/issues/880
- https://github.com/mozilla/browserid/issues/1588
- https://github.com/mozilla/browserid/issues/1589
- https://bugzilla.mozilla.org/show_bug.cgi?id=755732 - Legal for TOS/PP update
- https://bugzilla.mozilla.org/show_bug.cgi?id=756431 - Security Review request