
Re: indicating 'private browsing mode' over the net (was Re: Super Cookies in Privacy Browsing mode)

From: Robin Wilton <wilton@isoc.org>
Date: Fri, 30 Jan 2015 10:18:07 +0000
To: Mike O'Neill <michael.oneill@baycloud.com>
CC: Wendy Seltzer <wseltzer@w3.org>, David Singer <singer@apple.com>, "chaals@yandex-team.ru" <chaals@yandex-team.ru>, Joseph Hall Lorenzo <joe@cdt.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, Wenning Rigo <rigo@w3.org>, "public-privacy mailing list (W3C)" <public-privacy@w3.org>
Message-ID: <C9FCDDAC-E6CA-4296-97AF-E64D4BF88CEB@isoc.org>
One comment inline...

On 29 Jan 2015, at 18:10, "Mike O'Neill" <michael.oneill@baycloud.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
>> Interesting mix of norms and tech -- and yes, a different privacy threat
>> model from the one many of us are accustomed to considering. Here, we're
>> trusting the server to share our interests and want to help us enforce
>> the contextual boundaries we choose, even if its knowledge could span
>> those boundaries.
>> 
>> This model is a better match with the Web Origin security model -- where
>> an origin site is presumed to have control of the web application
>> security, and the end-user must choose to trust the origin (with limited
>> user-side overrides) or not visit the site.
>> 
>> I wonder what sorts of feedback could help to reinforce to end-users
>> that their trust was in fact merited.
>> 
>> --Wendy
>> 
> 
> 
> It would have to include all the servers being accessed, third parties also. I think David's header would be seen by all of them, and it would only take one to ignore the contextual boundaries, decide to combine multiple personas with other data in a PII-keyed database, then broadcast it to the world (and UA-based UUIDs are far more reliably user-identifying than IP addresses, which are usually ephemeral and non-unique).
> 
> Maybe there should be an implicit web of trust that covers all the servers receiving user specific data on a page, where they all commit to a common declared level of privacy and security. The browser could then have UI to communicate that.
> 
> WebID could be used to identify all the parties (not just origins), and a manifest could define the trust relationship.

Really interesting idea. If I understand correctly, one implication of this could be that the onus is on the website, then, to ensure that the manifest fully reflects all the embedded content in the page. This would make it possible for a plug-in like Ghostery or Lightbeam to highlight any disparities (e.g. "I found a tracker here from spamserver.com, and there's no corresponding entry in the trust manifest"). This wouldn't immediately change the 'user bargain' - the user is still faced with a take-it-or-leave-it choice - but over time it could definitely force greater transparency and contribute to a reputation score.


> 
> Mike
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.13 (MingW32)
> Comment: Using gpg4o v3.4.19.5391 - http://www.gpg4o.com/
> Charset: utf-8
> 
> iQEcBAEBAgAGBQJUyndEAAoJEHMxUy4uXm2JSeMIAMmr8UE6vjZuhQnhBfNihFsr
> Tjm9k8/l0OwywckMwFadKL/sFP2SSLP8tzWnXI87UScAJXXAM9/y3bxUKLzY88+9
> rnYRQYHGzEpIzuSN/rRvf8/EOiVfA2CrMQ0h4c+WofrqARNU2xhI7XPY2nI7v2Nl
> sCsK0y89+cKCBDe41jkWvs+vkjrlaCcMvpold6BOPFgIcKSWlDtDKek8bQ78qxi4
> sgmAr41TL6/BnBjxgUh5NDescGLh7DPDmK4/YoLjr1E3IAU2io7h1WevVzxgC+tj
> H/W2oeFlU9dLASm0aFPOfQ98zWvDen94XYFd4SNFJqYgPGwMgcM+7p+ku429n/Q=
> =lP8p
> -----END PGP SIGNATURE-----
> 
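The check Robin describes, a plug-in comparing what a page actually embeds against a declared trust manifest, as an added worked example that is not part of this thread and not code from any of its participants. The manifest format (a JSON document listing each party's WebID-style URI and serving origin, plus a declared privacy level) is an assumption made up for the example; the sample page and its hostnames are constructed, with spamserver.com borrowed from Robin's own illustration. It scans static HTML for sub-resource references, reduces each to a web origin, and reports origins with no manifest entry:

```python
import json
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical trust manifest, constructed for this example.  Each party is
# identified by a WebID-style URI (as Mike suggests) and by its serving origin,
# and all parties commit to one declared privacy level.
MANIFEST = json.loads("""
{
  "page_origin": "https://news.example",
  "privacy_level": "no-cross-context-tracking",
  "parties": [
    {"webid": "https://news.example/#id", "origin": "https://news.example"},
    {"webid": "https://cdn.example/#id",  "origin": "https://cdn.example"},
    {"webid": "https://ads.example/#id",  "origin": "https://ads.example"}
  ]
}
""")

# Constructed sample page: the last embed comes from an origin the manifest
# never declares (the tracker from Robin's example message).
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
<link rel="stylesheet" href="https://cdn.example/site.css">
<link rel="canonical" href="https://mirror.example/article">
</head><body>
<img src="https://ads.example/banner.png">
<iframe src="https://ads.example/frame"></iframe>
<img src="http://spamserver.com/pixel.gif" width="1" height="1">
</body></html>
"""

# Tag/attribute pairs through which a document pulls in a sub-resource.
RESOURCE_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",),
    "link": ("href",), "video": ("src",), "audio": ("src",),
    "source": ("src",), "embed": ("src",), "object": ("data",),
}
# <link> only fetches for these rel values; rel="canonical" etc. load nothing.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


def origin_of(url, base):
    """Resolve url against base and reduce it to scheme://host[:port]."""
    parts = urlsplit(urljoin(base, url))
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


class EmbedCollector(HTMLParser):
    """Collects the origin of every sub-resource the page embeds."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.origins = set()

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & FETCHING_LINK_RELS:
                return
        for name in wanted:
            origin = origin_of(attrs.get(name) or "", self.base)
            if origin:
                self.origins.add(origin)


def embedded_origins(html, page_origin):
    collector = EmbedCollector(page_origin + "/")
    collector.feed(html)
    return collector.origins


def audit(html, manifest):
    """Compare the page's embedded origins against the trust manifest."""
    declared = {p["origin"] for p in manifest["parties"]}
    seen = embedded_origins(html, manifest["page_origin"])
    return {
        "declared": sorted(seen & declared),
        "undeclared": sorted(seen - declared),   # the disparities to highlight
        "unused": sorted(declared - seen),
    }


def report_lines(report):
    """Human-readable findings, in the spirit of Robin's example wording."""
    lines = [f"embed from {o}: no corresponding entry in the trust manifest"
             for o in report["undeclared"]]
    lines += [f"declared party not embedded on this page: {o}" for o in report["unused"]]
    return lines or ["all embedded origins are declared in the manifest"]


if __name__ == "__main__":
    for line in report_lines(audit(SAMPLE_HTML, MANIFEST)):
        print(line)
```

A static scan like this only sees markup-level embeds; scripts that inject further resources at runtime would be missed, so a browser plug-in doing this for real would hook the actual network requests the page makes rather than parse its HTML. The origin comparison also deliberately ignores path, so a declared party cannot be distinguished from an undeclared one merely by serving from a different directory.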
Received on Friday, 30 January 2015 10:18:39 UTC
