about scripts and your private information
A published script might access the resources of your phone,
such as your current location and pictures stored in your picture library.
Later, a script might want to send out this private information,
for example by posting it to Facebook or to the web.
TouchDevelop works to protect your private information in the following ways:
- Before installing a script, you can review which capabilities the script uses and how private information might flow.
For example, a script may take a picture and post it on Facebook.
- You can configure whether TouchDevelop uses your real or anonymized information.
For example, your anonymized location is a random place on earth.
With the default configuration, TouchDevelop will use your real information
only if you get a chance to review the information before it leaves the phone and can be seen by someone else.
TouchDevelop scripts can access different capabilities.
Some capabilities provide access to your private information (sources),
other capabilities send out information so that other people can see it (sinks):
- The following icons represent information sources:
- There are two kinds of sinks:
- Vetted Sinks: On these output channels, you will see a message so that you can review the information before it is sent, for example by posting to Facebook.
The following icons represent vetted information sinks:
- Unvetted Sinks: On these output channels, your information is sent silently with no opportunity for you to review, for example sending a web query.
The following icons represent unvetted information sinks:
Information flow describes which kinds of private information, such as a picture taken
with the camera, can flow to which kinds of output channels, such as posting to Facebook.
anonymized vs. real information
For each kind of private information flowing to output channels, you can grant the scripts
the ability to use anonymized or real information. Anonymized information means that TouchDevelop will
replace your real information with anonymized information, such as a fixed location instead of your real location,
so that your real location remains secret.
In this way, you can try out scripts before granting access to any real private information.
default of anonymized vs. private information
To ensure that no private information escapes your phone without your knowledge,
TouchDevelop provides a default setting based on an automated script analysis,
in which TouchDevelop inspects the possible information flow as follows:
- If private information only flows into vetted sinks without modification, then the default is to use your real information.
- Otherwise, if private information might flow to an unvetted sink, or if the information is modified and flows to any sink, then the TouchDevelop default is to use anonymized information.
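
The default rule above, worked through on a toy data-flow graph as an added example (this is not TouchDevelop's own analysis code). The node names, the "copy"/"op" distinction and the graph encoding are assumptions made for illustration; sources that reach no sink are not covered by the rule and are left out of the result.

```python
from collections import deque

# Constructed sample script as a data-flow graph; all names are hypothetical.
# Kinds: "source", "copy" (passes data unchanged), "op" (modifies data),
# "vetted" / "unvetted" (sinks).
NODES = {
    "camera": "source", "location": "source",
    "microphone": "source", "contacts": "source",
    "keep_in_variable": "copy", "trim": "op", "build_url": "op",
    "post_to_facebook": "vetted", "web_request": "unvetted",
}
EDGES = {
    "camera": ["keep_in_variable"],
    "keep_in_variable": ["post_to_facebook"],
    "location": ["web_request"],
    "microphone": ["trim"],
    "trim": ["post_to_facebook"],
    "contacts": ["post_to_facebook", "build_url"],
    "build_url": ["web_request"],
}

def default_settings(nodes, edges):
    """Map each source that reaches a sink to "real" or "anonymized"."""
    defaults = {}
    for src, kind in nodes.items():
        if kind != "source":
            continue
        # Breadth-first search over (node, modified-on-this-path) states.
        seen = {(src, False)}
        queue = deque(seen)
        reaches_sink = unsafe = False
        while queue:
            node, modified = queue.popleft()
            if nodes[node] in ("vetted", "unvetted"):
                reaches_sink = True
                # Real data is only safe unmodified into a vetted sink.
                unsafe |= modified or nodes[node] == "unvetted"
                continue
            for nxt in edges.get(node, []):
                state = (nxt, modified or nodes[nxt] == "op")
                if state not in seen:
                    seen.add(state)
                    queue.append(state)
        if reaches_sink:
            defaults[src] = "anonymized" if unsafe else "real"
    return defaults

if __name__ == "__main__":
    print(default_settings(NODES, EDGES))
```

Only the camera picture, which reaches a vetted sink unmodified on every path, defaults to real information; a single modified or unvetted path is enough to switch a source to anonymized.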