Re: indicating 'private browsing mode' over the net (was Re: Super Cookies in Privacy Browsing mode)

From: David Singer <singer@apple.com>
Date: Mon, 26 Jan 2015 19:49:24 +0100
Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, Rigo Wenning <rigo@w3.org>, public-privacy@w3.org
Message-id: <4D211EE8-4AA8-4302-84EB-BD479FEEC481@apple.com>
To: Joe Hall <joe@cdt.org>

> On Jan 26, 2015, at 19:38 , Joe Hall <joe@cdt.org> wrote:
> 
> On Mon, Jan 26, 2015 at 4:33 AM, David Singer <singer@apple.com> wrote:
>> Oh dear, I am clearly explaining this badly.
> 
> Thanks much for this, David. I definitely see it clearly now.
> 
>> I think it’s interesting in a number of respects:
>> 
>> a) it’s an improvement on the status quo, where servers are completely unaware of any attempt to be private
> 
> I guess traditional client privacy tools see the servers as potential
> adversaries, so leaking an indication of intent in terms of private
> browsing could be a risk (e.g., server says, "ooooh, this session I
> would have associated with another session seems to want me not to
> link those two sessions... in fact, I'll label it as 'stuff this
> person really doesn't want people to know about'"). Here I guess this
> isn't clearly a leak of "I'm trying to be private, mom!!!" since it
> could very well be just a different person's session using essentially
> the same UA/env as a previous person. This makes me wonder if existing
> tools to segregate "persona"-like elements (accounts on an OS,
> profiles for something like Mozilla products) don't do that enough? or
> maybe they're too heavy?

Yes, it would be a real pain for the same user to log out and log in again to a different account. Also, the server might still conclude (wrongly) that it's the same person if it is working on heuristics like IP address and didn't set or change cookies on the first visit.

> 
> Do you see a need for a server-side personae compliance spec, David?
> (Or am I thinking too far ahead or making this too complicated?)

I am not opposed to, or proposing, such a thing. I have a hard time imagining what it would say, though. The ways in which a server might expose the fact that it thinks these two actions form part of the same person's history are myriad, and it's about exposing that.

> 
>> b) it’s not asking for *secrecy* at all; servers are at liberty to remember as much as before; there are very few privacy proposals that don’t slide into trying to be secret, and this is one. Privacy is also about where information is exposed, what it is linked to, and so on.
> 
> Interesting, would servers be at liberty to simply link all the
> personas they identify as likely the same user? (e.g., using fancy
> analytics like typing analysis, etc. to tell if two different persona
> are in fact the same person) That would seem to be a good part of the
> bargain to have here... and perhaps this isn't as complicated in terms
> of server compliance as TPWG/DNT?

Yes, the bargain to the server is sort of "YOU can know this is all me; just please segregate it so that that is not evident externally". It's all about being nice about who you expose the data to, not what you record in the first place.

> 
>> c) it recognizes that privacy is not a binary state — it’s not an either-or (you have it or you don’t); it’s a spectrum, and it’s about perception and control and exposure as much as it is about recording and so on.
> 
> Forgive me again... are you saying that by being able to have as many
> persona as I can keep track of that I'm "articulating" (a social
> science term of art, sorry) different aspects of my being that I'd
> rather servers not link together? That is rather interesting. For
> example, you could have a persona for activities that you want privacy
> of a certain level (say me looking at job candidate websites online)
> and another persona for activities of a higher level (say, if I'm
> looking at content online that I'd rather not have linked to my
> not-so-private self)?

Yes, indeed. You do a job search; you don't want ads for open positions appearing when you are at work. And so on.

I think we fall into either/or traps too much in privacy thinking. Either the server doesn't keep the data ... or it can do whatever it likes with it. If a single event can be recorded ... then everything can be. Either something is secret ... or it's completely public. If I am OK with someone taking a holiday snap that includes me ... then I am OK with someone following me around with a video camera. And so on. I am increasingly thinking that none of these are true. Things you are happy to share with your spouse and doctor are still 'private'. Privacy is not always, or even mostly, secrecy; it's about awareness, about control, about boundaries.

> 
> thanks again, Joe

My pleasure! Thanks for pushing me.

David Singer
Manager, Software Standards, Apple Inc.
Received on Monday, 26 January 2015 18:50:18 UTC