WorldWideTelescope / wwt-web-client

The WorldWide Telescope web client lets you explore the universe in your browser.
https://worldwidetelescope.org/webclient/
MIT License

What "info" does WWT want permission to "see and update...even when you're not using this app". Note outdated links also #355

Closed nealmcb closed 1 year ago

nealmcb commented 2 years ago

When I visit https://worldwidetelescope.org/webclient/ and "Sign in", I get a popup from Microsoft:

"WorldWide Telescope will be able to see and update your info, even when you're not using this app."

What on earth does that mean? There is mention below of seeing my Microsoft profile email address, but the message explicitly says that it will be able to update my info. Update my email address? Nonsense.

The "details" say:

Only accept if you trust the publisher and if you selected this app from a store or website you trust. Microsoft is not involved in licensing this app to you

Trust them for what?

There are links to docs for more information. The link to https://privacy.microsoft.com/en-us/default.mspx is broken:

The resource you are looking for has been removed, had its name changed, or is temporarily unavailable.

The other link is to a document which says:

This page reproduces the historical terms of use from when WorldWide Telescope was a Microsoft Research project. Updated February 20, 2008.

So it doesn't even seem to apply anymore.

None of this engenders much trust....

[Screenshot from 2022-07-22 15-30-24: the Microsoft sign-in consent dialog described above]

pkgw commented 1 year ago

This is all happening because the WWT clients use a very old authentication framework for Microsoft's Live account service. So (1) the login user experience, which is controlled by Microsoft, is unmaintained, and apparently contains confusing language and broken links, and (2) the permissions requested by the app are probably coarser-grained than what we could specify with a more modern framework. (I also don't understand what "update your info" means in this warning dialog, but I'd be shocked if that included changes to core metadata such as email address.)

Regarding what's actually going on, the "Log in" feature allows you to upload images, tours, and other data to the WWT "Communities" sharing service. Microsoft Live account information is only used to uniquely identify users in this system. But we don't encourage people to use this service because it has low usage and we don't have the capacity to maintain its other components, besides the login mechanism, very well either. It dates back to the 2008 Microsoft Research Terms-of-Use document. So to be honest, there is not much reason to log in right now. Given that, we haven't put engineering resources towards an update to a newer authentication system.

That being said, WWT is operated by the non-profit American Astronomical Society, and all of our code, including the web client, the web server, and the cloud services configuration, is freely available, so you can see exactly what we're doing with the login information. (I can't prove that we're not running some kind of nefarious, secret server-side code, but I think the available evidence will make it clear that WWT/AAS have neither the desire nor the engineering capacity to do something like that.)

I'm going to close this issue to keep our tracker clean, but I think you should be able to add more questions or comments if there are further points you'd like to discuss, and I'm happy to explain more as needed.
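For anyone who wants to see for themselves what an app is asking for before clicking "Yes" on a consent dialog like the one above: the permissions the dialog summarizes are carried in the `scope` parameter of the OAuth 2.0 authorization request (RFC 6749, section 3.3, a space-delimited list), and you can read that parameter straight out of the sign-in URL in the address bar. Consent wording about access "even when you're not using this app" typically corresponds to a scope that grants offline access (a refresh token); which scopes the WWT client actually requests is not stated in this thread. The snippet below is an added example, not code from wwt-web-client or from Microsoft; the host, client id and scope names are constructed placeholders.

```javascript
// Added example (not part of wwt-web-client): inspect the "scope" parameter of
// an OAuth 2.0-style authorization request before consenting to it.
// RFC 6749 §3.3: scope is a space-delimited list of case-sensitive strings.

// Constructed sample authorization URL. Host, client_id and scope names are
// placeholders, not the real WWT / Microsoft Live login request.
const SAMPLE_AUTH_URL =
  "https://login.example.invalid/oauth20_authorize.srf" +
  "?client_id=PLACEHOLDER_CLIENT_ID" +
  "&response_type=token" +
  "&redirect_uri=https%3A%2F%2Fapp.example.invalid%2Fcallback" +
  "&scope=example.signin%20example.basic%20example.emails%20example.offline_access";

// Return the list of scopes requested in an authorization URL ([] if none).
function parseRequestedScopes(authUrl) {
  const url = new URL(authUrl);
  const raw = url.searchParams.get("scope"); // searchParams decodes %20 to " "
  if (raw === null) return [];
  return raw.split(/\s+/).filter((s) => s.length > 0);
}

// Compare the requested scopes against the ones you expect the app to need.
// "offline" collects scopes whose name suggests access while you are not
// using the app (the "even when you're not using this app" wording); the
// name check is a heuristic, since scope names are provider-specific.
function reviewScopes(authUrl, expectedScopes) {
  const requested = parseRequestedScopes(authUrl);
  const expected = new Set(expectedScopes);
  const unexpected = requested.filter((s) => !expected.has(s));
  const offline = requested.filter((s) => /offline/i.test(s));
  return { requested, unexpected, offline, ok: unexpected.length === 0 };
}

// Usage: a user who only expects sign-in and basic profile access.
const report = reviewScopes(SAMPLE_AUTH_URL, ["example.signin", "example.basic"]);
console.log(JSON.stringify(report, null, 2));
if (!report.ok) {
  console.log("Unexpected scopes requested:", report.unexpected.join(", "));
}
```

Paste the URL of the consent page (or the `Location` of the redirect that led to it) in place of `SAMPLE_AUTH_URL`; every scope listed under `unexpected` is a permission the app is asking for beyond what you assumed it needed, and anything under `offline` is worth reading the provider's scope documentation for before accepting.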

nealmcb commented 1 year ago

Excellent, model response - thank you for nicely clarifying these odd glitches! And great comment about what you can't prove. :smile: Yeah, I understand the challenges of actually getting such amazing stuff done with limited resources.... :1st_place_medal: