It is common today for users to store a variety of information in network-accessible storage. In the future, the scope and depth of information that users store in network-accessible storage are expected to increase dramatically. Such information can include contact lists, other user personal data, documents, images, songs, and so on. A user may occasionally wish to share parts of this information with others. For example, a user may wish to share contact information with a network-accessible application, e.g., so that various services provided by the application can be extended to the user's contacts. One way of manually performing this task is for the user to copy the information from storage and send this information to the application. Another way of performing this task is to grant the application permission to directly retrieve, now and in the future, the information from the storage on behalf of the user.
The latter scenario, in which an application is granted rights to retrieve a user's private information, is fraught with risks. In many cases, an application can be expected to behave as promised, e.g., by retrieving information from the user's storage for the narrowly focused purpose authorized by the user. In other cases, an application may retrieve information for other purposes that were not envisioned by the user. For example, the application may use the access rights granted by the user to “rummage around” in the user's storage for an extended period of time, perhaps mining the user's information for advertising purposes or some other self-serving end. In a potentially more dangerous scenario, the user may have granted the access rights while the application was controlled by a first entity, but the application has since been taken over by a second entity. The second entity may be a malicious actor that attempts to access the user's information for a purpose that is distinctly at odds with the interests of the user. In general, the ultimate risk presented by this type of access activity is that the user's personal information may be compromised.