Read-only events should require authentication #384
Labels
needs discussion
privacy-tracker
Profile-1.0
This issue is being filed as part of the requested PING review, and on behalf of @NalaGinrut who did the review (who I hope will correct me if I've misstated their concerns).
There is a concern that even read-only requests in the API should require authentication, since read-only requests like "is the lamp turned on" can reveal and/or contribute to identifying an individual. This concern is not only with the "HTTP Basic Profile", but also with other read-only descriptive actions (e.g., queryallactions, etc.).
Are there reasons to not require authentication for these kinds of actions? Is authentication already required but we missed it?