Monday, June 21st, 2010

From zero-install to instant-install

Category: Editorial

<p>

Aaron has a nice editorial piece on going from zero-install to instant-install in which he discusses the notion of web apps:

Bringing back a lightweight notion of installation offers an interesting way out of Web constraints. If an author uses APIs like window.open() and desktop notifications in an annoying way, his app will be uninstalled. The UA can make it easy for the user to discover the uninstall button, so there’s a strong incentive for authors to not be assholes. Since there are a manageable number of apps installed at any one time (by definition, since they were manually installed), UAs can offer permanent storage to apps. If the apps abuse the privilege, the user can easily scan a list, see which one is doing it and uninstall it.

He discusses the revolution of the “zero install” Web. We pass people URLs. We link to things. We don’t think of this as “running apps”. He then brings up the issues of this freedom. Since my mum doesn’t think of this as running apps, we shouldn’t grant access to these URLs, and we end up with a strong sandbox, which limits functionality.

With “installable web apps” we get some of the best of both worlds, but it doesn’t quite feel like we have matched a perfect equilibrium yet. As a power user, I am excited about taking a strong sandboxed model and opening it up with APIs that all go through the sandbox. This means that I can monitor everything that is going on. Add to this social monitoring (so if something bad happens it quickly moves through the social network to be fixed and blocked) and I look forward to a blended world of permissions. We have long had the ability to break through the sandbox in browsers. Unfortunately, these methods are browser specific, and result in annoying prompts that drive you nuts. As we scale out the permissions, this becomes more annoying. To get around this, some platforms are asking the user to accept permission at install time. You have the advantage that: a) the user has to agree before anything is even downloaded; b) one click, at the time of install, and you are off to the races.

However, there are huge problems: When prompted at this time, there is a strong likelihood that the user is trying to do something and will thus say YES YES YES no matter what. Some may question an 8-ball app that asks for deep permissions, but even then…. we run into the same prompty neglect that we get on the desktop. Have you ever downloaded a Mac app, ran it, and then when the “this app came from the Internet” dialog showed up…. said “you know what. Naaaah”? And what about nuance? Weather apps ask for access to the GPS. What if you want to use the app (and search for an area) but don’t want to give location information? Some systems won’t let you download the app (this is where the Web Geolocation API is great!)

Installable == special powers. Uninstalled == less powers. I still have hope that after these first steps we get the right metaphors that offer simplicity for users, but nice fine grained control and awareness.

Related Content:

Posted by Dion Almaer at 5:44 am
7 Comments

++++-
4.5 rating from 2 votes

7 Comments »

Comments feed TrackBack URI

Nice article, but there’s one thing I definitely don’t agree with: That we have never tried this. The future is already here :)

Read through your own post again and compare it in your mind with what a Firefox addon does and you’ll find that your “instant install” almost matches the Firefox addon system to a T. Except of course, that the majority of addons currently still requires a restart (JetPack addons don’t), but that’s a minor difference.

The idea of users watching for “privilege abuse” is nice, but unfortunately not realistic. You have to be happy if your typical user is able to install something, you can’t expect them to monitor anything. Whether you like it or not, you need a walled garden like Firefox AMO or Apple’s AppStore for that matter in order to not put the 99% percent of the population who do not read Ajaxian at risk. Of course, you don’t have to run it like Apple runs its AppStore.

Comment by hansschmucker — June 21, 2010

Dion,

The term you’re looking for is “elevated privilege” and has exactly nothing to do with installation. In fact, installation is a metaphor so far from relevant that it would probably promote tremendous confusion: imagine a user “installs” an elevated privilege application, then goes offline, and wonders why the application stops working. “Why can’t I access the app,” the user asks, “I just installed it!” One of your own examples belies this problem, where you point out the prompt that a Mac application was downloaded from the Internet: this application was very likely never installed, simply downloaded.

I think a more apt term would be “trust”, and unfortunately (from a usability perspective) it will be quite a hard thing to encourage proper use of a “trust” system. As you point out (and is quite obvious), most users will simply click “yes” and move on. That said, there are ways to mitigate this problem.

One such way, which Aza Raskin (Mozilla) is pushing, is to encourage users to rely on network effects for trust, particularly coming from their own social network. This proposal involves building into the browser both a trust system and an awareness of social networks and contacts. This still fails to the problem that none of us can be as dumb as all of us. Get a particularly unsavvy social network with particularly unsavvy “leaders” (in the sense of literal trust placed in them) together and you’ve got yourself an abuse target openly parading itself on the Internet.

Another way to mitigate this comes in two parts: first, that trust be more granular and applications ask only for the trust they explicitly need; second, that developers be aware of this granularity and be as conservative as they can in what they request. This would allow browser vendors to differentiate how they present users with trust choices: different permissions have different gravity, and one way to minimize the tendency of users to automatically accept any prompt is to minimize the number of prompts. The less ordinary the prompts are, the more important they seem.

Positive user behavior can be encouraged, it just requires more creativity by system vendors, and more discipline by developers. The ideas above are far from exhaustive, but at least it’s a start.

Comment by eyelidlessness — June 21, 2010

@eyelidlessness, I think you misunderstood the example of Mac apps displaying the ‘downloaded from internet’ dialog. This dialog appears the first time you RUN an app, not on installation or anything else. Typically, ‘installation’ of a mac app just means unzipping it or dragging it from a disk image to you hard drive anyway.

@Dion, you may have missed the point of that dialog as well. It is not meant to deter you from running an app that you have knowingly downloaded. It’s there to give you a last chance to back out in case you have accidentally run some malicious app. It would be pretty silly for Apple (or anyone) to insinuate that ‘because an app came from the internet, you’d better not run it’.

Comment by okonomiyaki3000 — June 21, 2010

hansschmucker – yes, it’s already been tried. Google Gears failed, as can be expected, for the same obvious reasons that this project should never be started. Look:
http://gears.google.com/

Unsupported platform
By installing you agree to the Gears
Terms of Service and Privacy Policy.
Your browser is not supported.
Please check the list of supported browsers below.

And in contrast to that vile message, a nice quote from Tim Berners-Lee:

“Anyone who slaps a ‘this page is best viewed with Browser X’ label on a Web page appears to be yearning for the bad old days, before the Web, when you had very little chance of reading a document written on another computer, another word processor, or another network.”

Comment by dhtmlkitchen — June 21, 2010

dhtmlkitchen, that’s not exactly what I meant (although I agree, I just don’t see the relevance of GoogleGears here)… The architecture for such a “installation system” could be an open standard, so that any user agent could add support for it.

What I was trying to say was more along the lines “Firefox & Firefox AMO can be seen as a open-yet-controlled example of exactly this system since a lot of Firefox addons (not all) use an addon primarily to get privileges for their web counterparts”. Maybe I should have made that more clear.

Comment by hansschmucker — June 22, 2010

@okonomiyaki3000, I didn’t misunderstand it. I said the same thing you said. I was pointing out that it’s orthogonal to “installation”—the user never *installs* anything—just like the issue of elevating privileges in web apps.

Anyway I think the rest of my post was probably more compelling than that possible nitpick. It certainly still stands regardless of how Mac OS X behaves with downloaded files (and here, let’s be clear, it treats some non-application files the same way; it will prompt exactly the same way for Javascript files if you download them in a browser then open them in a text editor).

Comment by eyelidlessness — June 22, 2010

dhtmlkitchen, that’s not exactly what I meant (although I agree, I just don’t see the relevance of GoogleGears here)… The architecture for such a “installation system” could be an open standard, so that any user agent could add support for it.

What I was trying to say was more along the lines “Firefox & Firefox AMO can be seen as a open-yet-controlled example of exactly this system since a lot of Firefox addons (not all) use an addon primarily to get privileges for their web counterparts”. Maybe I should have made that more clear.

Comment by talkpc — June 23, 2010

Leave a comment

You must be logged in to post a comment.