Request: Standardized per-app privacy control UI

Originator: pierre.bernard
Number: rdar://43036095
Date Originated: August 8 2018
Status: Open
Resolved:
Product: macOS + SDK / AppKit
Product Version:
Classification: Suggestion
Reproducible:
 
Currently privacy controls (e.g. access to location, calendar, …) are available in System Preferences and are structured by type. When a user decides to trust an application and authorize or pre-authorize an application, she has to browse through all types and add the application to the list.

For the user it would be more natural to have privacy controls structured by application. Then she can decide to trust (or not) an application and decide to which information to extend that trust.

Ideally these privacy controls should be available right from within the application, e.g. as a standard menu item in the Application menu. A standard item in a standard location. Like the Quit menu item.

This would open a UI that lists all privacy-sensitive data and services the application has voiced interest in by way of Info.plist. This UI would also show the reason strings provided in Info.plist. This information is currently missing from System Preferences.

The user can then toggle application access to all privacy sensitive areas in a single place. She can find that place from the Application menu. She can trust that UI since (like NSOpenPanel) it is provided by the OS in a tamperproof way.

Such a streamlined UI also allows the user to start cautiously and allow more data access as trust has been built. On first launch, an application may explain what features may be limited by restricted data access and then invoke the privacy UI for the user to make an initial choice. That choice may be restrictive. Later, after trust has been established and the user has established the usefulness of the application, she can decide to allow the application access to more information. For that she only needs to turn to the Application menu and make adjustments.

The same works the other way around. The application may request access to a system service for a specific task and the user may decide to grant that access to complete the task. She may not want to give the application indefinite access. A quick trip to the privacy controls in the Application menu can revoke access starting with the next application launch. 

TL;DR;
- Organize privacy controls by application
- Always show Info.plist reason strings
- Make privacy controls available from within each application
- Thus allow for workflows where the user can effortlessly upgrade or downgrade data and service access
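
The per-application listing proposed above can be approximated today by reading an application's Info.plist. The following is an added example, not part of the original report and not an Apple API: it collects every `NS…UsageDescription` key an app declares together with its reason string, and flags empty reasons. The sample plist, the bundle identifier and the `AREA_NAMES` table are constructed for illustration.

```python
import plistlib
import re

# Constructed sample Info.plist (not taken from a real application).
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key><string>com.example.SampleApp</string>
    <key>NSCalendarsUsageDescription</key><string>Shows meetings next to your tasks.</string>
    <key>NSLocationUsageDescription</key><string></string>
    <key>NSContactsUsageDescription</key><string>Lets you share tasks with contacts.</string>
</dict>
</plist>
"""

# Friendly names for a few well-known keys (illustrative, not exhaustive).
AREA_NAMES = {
    "NSCalendarsUsageDescription": "Calendars",
    "NSContactsUsageDescription": "Contacts",
    "NSLocationUsageDescription": "Location",
    "NSCameraUsageDescription": "Camera",
    "NSMicrophoneUsageDescription": "Microphone",
}
USAGE_KEY = re.compile(r"^NS\w+UsageDescription$")


def declared_privacy_requests(plist_bytes):
    """Return (bundle_id, rows), one row per declared privacy area."""
    info = plistlib.loads(plist_bytes)
    rows = []
    for key in sorted(info):
        if not USAGE_KEY.match(key):
            continue
        value = info[key]
        reason = value.strip() if isinstance(value, str) else ""
        rows.append({
            "key": key,
            "area": AREA_NAMES.get(key, key),  # unknown keys shown as-is
            "reason": reason,
            "has_reason": bool(reason),        # empty reason strings are flagged
        })
    return info.get("CFBundleIdentifier", "<unknown>"), rows


if __name__ == "__main__":
    bundle_id, rows = declared_privacy_requests(SAMPLE_INFO_PLIST)
    print(bundle_id)
    for row in rows:
        print(f"  {row['area']:<10} {row['reason'] or '(no reason string provided)'}")
```

This only shows what an application declares; it does not read or change what the user has actually granted.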
