Re: privacy definitions -- was: WebID questions from Melvin Carvalho on 2012-10-16 (public-privacy@w3.org from October to December 2012)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Tue, 16 Oct 2012 14:26:35 +0200
To: Henry Story <henry.story@bblfish.net>
Cc: Ben Laurie <benl@google.com>, public-privacy list <public-privacy@w3.org>, public-webid@w3.org
Message-ID: <CAKaEYh+41oG-L3347ar-0ZN-s01OFJ0thtGeu2eQ=-tQJJ3HLg@mail.gmail.com>
On 16 October 2012 14:14, Henry Story <henry.story@bblfish.net> wrote:

>
> On 16 Oct 2012, at 14:06, Ben Laurie <benl@google.com> wrote:
>
> > On 16 October 2012 13:00, Melvin Carvalho <melvincarvalho@gmail.com>
> wrote:
> >>
> >>
> >> On 1 October 2012 15:36, Ben Laurie <benl@google.com> wrote:
> >>>
> >>> On 1 October 2012 14:07, Henry Story <henry.story@bblfish.net> wrote:
> >>>>
> >>>> On 1 Oct 2012, at 14:35, Ben Laurie <benl@google.com> wrote:
> >>>>
> >>>>> On 1 October 2012 13:20, Henry Story <henry.story@bblfish.net>
> wrote:
> >>>>>>
> >>>>>> On 1 Oct 2012, at 13:43, Ben Laurie <benl@google.com> wrote:
> >>>>>>
> >>>>>>> On 30 September 2012 20:22, Henry Story <henry.story@bblfish.net>
> >>>>>>> wrote:
> >>>>>>>>
> >>>>>>>> On 30 Sep 2012, at 20:46, Ben Laurie <benl@google.com> wrote:
> >>>>>>>>
> >>>>>>>>> On 30 September 2012 10:30, Henry Story <henry.story@bblfish.net
> >
> >>>>>>>>> wrote:
> >>>>>>>>>>
> >>>>>>>>>> On 29 Sep 2012, at 19:50, Ben Laurie <benl@google.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> On 28 September 2012 15:26, Jonas Hogberg K.O
> >>>>>>>>>>> <jonas.k.o.hogberg@ericsson.com> wrote:
> >>>>>>>>>>>> At
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> http://blogs.kuppingercole.com/kearns/2012/09/25/in-search-of-privacy/?goback=.gde_3480266_member_168314336
> ,
> >>>>>>>>>>>> Dave Kearns writes:
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>>
> >>>>>>>>>>>> There is indeed a lot of confusion about the subject, but
> there
> >>>>>>>>>>>> are two key
> >>>>>>>>>>>> phrases to remember when talking about privacy:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Privacy is not anonymity
> >>>>>>>>>>>> Privacy is not secrecy
> >>>>>>>>>>>
> >>>>>>>>>>> Quoting those out of context is not particularly helpful. But
> for
> >>>>>>>>>>> more
> >>>>>>>>>>> on why anonymity is important for privacy...
> >>>>>>>>>>>
> >>>>>>>>>>> http://www.links.org/?p=123
> >>>>>>>>>>> http://www.links.org/?p=124
> >>>>>>>>>>
> >>>>>>>>>> Looking at those two, can we agree that we agree that anonymity
> >>>>>>>>>> should be the default?
> >>>>>>>>>> I believe as you do that when I go to a web site the default
> >>>>>>>>>> should be that I not be
> >>>>>>>>>> identified, and not be tracked. I can choose later to be tracked
> >>>>>>>>>> or identified for
> >>>>>>>>>> that site for a given amount of time or until I change my mind,
> >>>>>>>>>> but the default should
> >>>>>>>>>> be anonymity.
> >>>>>>>>>>
> >>>>>>>>>> ( Within limits of logic of course. If I tell anonymous Y
> >>>>>>>>>> something P
> >>>>>>>>>> which has consequence Q, and some other anonymous Z does
> something
> >>>>>>>>>> with Q that would have
> >>>>>>>>>> been nearly impossible to know had they not known P, then I
> could
> >>>>>>>>>> conclude within
> >>>>>>>>>> a certain probability that  Y == Z )
> >>>>>>>>>>
> >>>>>>>>>> The web provides this. Some browsers provide it better than
> >>>>>>>>>> others, but really
> >>>>>>>>>> this is up to them. It is not perfect: ip addresses can be
> tracked
> >>>>>>>>>> and dns lookups
> >>>>>>>>>> can be tracked. But the web is not reliant on those. It could be
> >>>>>>>>>> deployed just as well
> >>>>>>>>>> on top of Tor. Had people had better memories, we could have had
> >>>>>>>>>> .onion urls plastered
> >>>>>>>>>> on bus stops since the beginning.
> >>>>>>>>>>
> >>>>>>>>>> Anonymity is important for many reasons. Among which is that it
> >>>>>>>>>> helps create a trusted
> >>>>>>>>>> public sphere. It increases my trust in the information I read
> if
> >>>>>>>>>> I know that the publisher
> >>>>>>>>>> publishes that information that can be read by anonymous
> readers.
> >>>>>>>>>> Knowing that the publisher
> >>>>>>>>>> cannot tell who is reading what he is publishing is a very
> strong
> >>>>>>>>>> guarantee that he
> >>>>>>>>>> is not adapting his message to different groups. Oddly enough
> >>>>>>>>>> anonymity has an important role
> >>>>>>>>>> therefore in public discussion.
> >>>>>>>>>>
> >>>>>>>>>> So do we agree here? I think we do.
> >>>>>>>>>
> >>>>>>>>> So far.
> >>>>>>>>
> >>>>>>>> ok. So let's see if we can agree further, from here :-)
> >>>>>>>>
> >>>>>>>> There are a number of identification options available.
> >>>>>>>> Let me list some of them:
> >>>>>>>>
> >>>>>>>> - anonymous ( 0 identification )
> >>>>>>>> - cookies   ( site bound )
> >>>>>>>> - TLS-Origin-Bound-Certificates ( unforgeable cookies )
> >>>>>>>> - Self-Signed certificates with an .onion WebID
> >>>>>>>>      ( I promised Appelbaum to work on that. This gives you an
> >>>>>>>> identity, but nobody knows
> >>>>>>>>        where you or your server are located )
> >>>>>>>> - Self-Signed certificates with a http(s) WebID
> >>>>>>>> - CA Signed Certificates
> >>>>>>>> - DNSSEC Signed Certificates
> >>>>>>>> - ...?
> >>>>>>>>
> >>>>>>>> We agree that anonymous should be the default.
> >>>>>>>> I think we can agree as a matter of simple fact that none of the
> >>>>>>>> browsers show
> >>>>>>>> you which of those modes you are in when looking at a web page.
> You
> >>>>>>>> cannot
> >>>>>>>> as a user therefore tell if you are anonymous or not. You cannot
> >>>>>>>> therefore tell
> >>>>>>>> if the page you are looking at has been tweaked for you or if it
> >>>>>>>> would appear
> >>>>>>>> differently to someone else in the same mode as you. You cannot
> tell
> >>>>>>>> if the
> >>>>>>>> agent on the other side can tie you to a browsing history or not.
> >>>>>>>>
> >>>>>>>> Well let me put this in a more nuanced way: you can tell the above
> >>>>>>>> from the
> >>>>>>>> side-effects - say if they should you your profile on a google+
> page
> >>>>>>>> with edit mode
> >>>>>>>> allowed - but that is up to the server to show you that. We both
> >>>>>>>> want it to be
> >>>>>>>> up to the user. We don't want it to be up to the user in some
> >>>>>>>> complicated conf file
> >>>>>>>> hidden away somewhere. We both want it to be in your face,
> >>>>>>>> transparent. I should
> >>>>>>>> in an eyeblink be able to tell if I am anonymous or not, and I
> >>>>>>>> should be able
> >>>>>>>> to switch from one mode to the next if and when I want to in a
> >>>>>>>> simple easy gesture.
> >>>>>>>>
> >>>>>>>> Just as in real life when we put on a mask we know that we are
> >>>>>>>> wearing the mask,
> >>>>>>>> so on the web we want to know what mask we are wearing at all
> times.
> >>>>>>>>
> >>>>>>>> These are the improvements I have been fighting ( not alone ) to
> get
> >>>>>>>> browsers to
> >>>>>>>> implement. Are we fighting on the same side here?
> >>>>>>>
> >>>>>>> I agree that it is desirable to know how your browser is
> identifying
> >>>>>>> you and to be able to switch between users. So, I guess Chrome
> would
> >>>>>>> claim that the facility to have multiple users provides this. Do
> you
> >>>>>>> disagree?
> >>>>>>
> >>>>>> I looked up multiple Users and found this:
> >>>>>> http://support.google.com/chrome/bin/answer.py?hl=en&answer=2364824
> >>>>>> I had not seen this before.
> >>>>>>
> >>>>>> So it seems to work for certificates. I created a new user Tester,
> and
> >>>>>> noticed the following as that Tester:
> >>>>>>
> >>>>>> 0. It did not have any of my bookmarks ( I suppose that's useful,
> >>>>>> cause your
> >>>>>>  bookmarks could identify you )
> >>>>>> 1. When I went to Google+ it did not know I was
> >>>>>> 2. Having signed in to https://my-profile.eu/ as the old user, I
> tried
> >>>>>> as the
> >>>>>>   new user Tester, and had to select a certificate again. Good.
> >>>>>>
> >>>>>> So that seems like one way to separate one's personalities. I'd
> still
> >>>>>> like to
> >>>>>> have the url bar show me for each tab:
> >>>>>>
> >>>>>> [anonymous] when I am not logged in
> >>>>>> [cookie] when I am tracked on that site
> >>>>>> [henry story] for a local site identity
> >>>>>> [bblfish@home] when I am using a certificate
> >>>>>>
> >>>>>> With the option of logging out from that site (ie checking x ->
> >>>>>> anonymous ). Because
> >>>>>> currently I could forget that I had chosen a certificate on a site,
> >>>>>> and it
> >>>>>> would continue sending it. Or I could mistakenly choose a
> certificate
> >>>>>> as one user,
> >>>>>> and then decide that was the wrong user for that persona, and not be
> >>>>>> able to choose
> >>>>>> the certificate again, without closing my browser completely. That
> >>>>>> would allow, on
> >>>>>> browser startup, the browser to remember the last identity choice
> for
> >>>>>> a site. Without
> >>>>>> logout capability that is not possible, because then it would be
> >>>>>> impossible to repair
> >>>>>> an identity mistake without creating a new user. (And it makes
> testing
> >>>>>> tedious).
> >>>>>>
> >>>>>> Currently when I close my browser, on restart the servers ask me for
> >>>>>> my certificate again.
> >>>>>>
> >>>>>> So it looks like this is going generally in the right direction. It
> >>>>>> still does not provide
> >>>>>> the transparency we are looking for at the UI level above. But
> thanks
> >>>>>> for pointing this out.
> >>>>>>
> >>>>>> So I think we agree that what is missing is the transparency at the
> UI
> >>>>>> level of which identity
> >>>>>> one is using at each site. That is what I was hoping the following
> bug
> >>>>>> report would achieve.
> >>>>>>
> >>>>>> http://code.google.com/p/chromium/issues/detail?id=29784
> >>>>>>
> >>>>>> So perhaps by putting this forward under the term transparency, that
> >>>>>> would help that bug report
> >>>>>> progress, since otherwise they could thing that the issue had
> already
> >>>>>> been completely solved.
> >>>>>>
> >>>>>> So that's what I make of that. But have I missed something? Or do we
> >>>>>> agree there too?
> >>>>>
> >>>>> I don't think so
> >>>>> . As I said, I think that Chrome would claim that the
> >>>>> users facility provides everything you need - if you want to know
> >>>>> which cert you're using, then have a user per cert. As for cookies
> and
> >>>>> "local site identities", this would require information the browser
> >>>>> does not currently have, so I think you would first have to explain
> >>>>> how it is going to get that information.
> >>>>
> >>>> Well the browser knows when it sends a cookie. So showing a [cookie]
> >>>> icon would be easy there. When you are in anonymous mode it does not
> >>>> send a cookie. (perhaps a no-cookie/cert icon - would be more precise)
> >>>> As for per site identity that is what the Mozilla folks were working
> >>>> with Aza Raskin
> >>>>
> >>>> http://www.azarask.in/blog/post/identity-in-the-browser-firefox/
> >>>>
> >>>> But until a standard is agree to there, one could already have
> >>>> a [cookie] icon...
> >>>
> >>> Sure, but it would be pretty pointless: I just checked and every
> >>> single tab I have open has some cookies associated.
> >>
> >>
> >> Re cookies: I thought it was interesting new the launch of
> >>
> >> http://data.gov.uk/
> >>
> >> When you first load the site they give you an option of accepting
> cookies or
> >> not.
> >>
> >> If you say yes, you get a little "thank you", and an optional
> explanation of
> >> what that means.
> >>
> >> It's interesting to see a site that takes privacy seriously, is today,
> in
> >> the minority.
> >
> > Lots of sites do it now, actually - its a legal requirement.
>
> yes, I saw a few of those recently.
>
> It's a pitty they we end up pushing the sites to do so much work, when the
> browsers could make the same visible and clear from the chrome, in a way
> that the user would not need to trust the web site owner to do it
> correctly.
> Currently of course only nice web sites will tell users, all the others
> won't.
>

Yes, definitely.  Some folks in the CCC community, used to advocate using
Opera browser for this reason.

There's an option: 'Ask me before accepting cookies'.  And you can accept
cookies only for the site you visit.


>
>
>
> >
> >>
> >>>
> >>>>> For anonymous, Chrome already has an anonymous mode (though note that
> >>>>> you don't really stay anonymous for long once you enter it, since it
> >>>>> must still use cookies or the 'net stops working - also bookmarks are
> >>>>> still available in anon mode).
> >>>>
> >>>> As above the browser knows when it sends cookies: and so it can show
> >>>> the user that it is doing that.
> >>>>
> >>>>>
> >>>>> I believe that Chrome experimented with per-tab personas and found
> >>>>> that it was a terrible user experience, btw.
> >>>>
> >>>> It does not look that bad in Aza Raskin's proposal, and the Account
> >>>> Manager work at Mozilla
> >>>>
> >>>> https://wiki.mozilla.org/Labs/Weave/Identity/Account_Manager
> >>>>
> >>>> My guess is that the project to create the multiple user work
> >>>> at Chrome trumped the development of good identity transparency
> >>>> solutions. That often happens in engineering: one good idea
> >>>> hides another one for a while.
> >>>
> >>> Or, as I said, it turns out to not work very well. That happens even
> >>> more often, and apparently has happened in this case. Saying it
> >>> doesn't look that bad to you doesn't change it!
> >>>
> >>>> In any case there is a lack of transparency in the multiple user
> >>>> set up that still needs to be rectified. How that is done I'll leave
> >>>> to UI experts. But I'll recognise a good solution whatever form it
> >>>> takes.
> >>>>
> >>>> Now here with WebID we are assuming such a solution will be found
> >>>> by one of the browser vendors in good time, and then adopted by the
> >>>> others. The current interface  we can agree is not good enough for
> >>>> sure, but the problems we are trying to  solve are  important enough
> >>>> that we can work with the current limitations of browser.
> >>>
> >>> Who is the "we" that can agree it? And why is it not good enough? You
> >>> have not explained that at all.
> >>>
> >>>> That leaves us with the importance of cross site identity. I think
> >>>> I have a very powerful argument in favour of its importance. It is
> >>>> important for a certain kind of privacy to be possible: that between
> >>>> two people or groups of people wishing to exchange documents that
> >>>> should only be visible to certain people and no others. This is the
> >>>> case when someone wishes to discuss something with a doctor, or when
> >>>> someone wishes to publish photos of people at a party without making
> >>>> it fully public, and in many many other circumstances.  It is
> important
> >>>> for creating a distributed social network, which I will call the
> >>>> Social Web.  The Web and the internet have always been about
> >>>> distribution
> >>>> and decentralisation of information. We want to do that using WebID in
> >>>> a manner that increases privacy. I will be working on showing how
> >>>> this can be done on the Web, and on the Web running over Tor.
> >>>>
> >>>> Henry
> >>>>
> >>>> Social Web Architect
> >>>> http://bblfish.net/
> >>>>
> >>
> >>
>
> Social Web Architect
> http://bblfish.net/
>
>
Received on Tuesday, 16 October 2012 12:27:06 UTC