
RE: indicating 'private browsing mode' over the net (was Re: Super Cookies in Privacy Browsing mode)

From: Mike O'Neill <michael.oneill@baycloud.com>
Date: Fri, 30 Jan 2015 12:26:45 -0000
To: "'Robin Wilton'" <wilton@isoc.org>
Cc: "'Wendy Seltzer'" <wseltzer@w3.org>, "'David Singer'" <singer@apple.com>, <chaals@yandex-team.ru>, "'Joseph Hall Lorenzo'" <joe@cdt.org>, "'Bjoern Hoehrmann'" <derhoermi@gmx.net>, "'Wenning Rigo'" <rigo@w3.org>, "'public-privacy mailing list (W3C)'" <public-privacy@w3.org>
Message-ID: <453801d03c88$0af8a2f0$20e9e8d0$@baycloud.com>

> > Maybe there should be an implicit web of trust that covers all the servers
> receiving user specific data on a page, where they all commit to a common
> declared level of privacy and security. The browser could then have UI to
> communicate that.
> >
> > WebID could be used to identify all the parties (not just origins), and a manifest
> could define the trust relationship.
> 
> Really interesting idea. If I understand correctly, one implication of this could be
> that the onus is on the website, then, to ensure that the manifest fully reflects all
> the embedded content in the page. This would make it possible for a plug-in like
> Ghostery or Lightbeam to highlight any disparities (e.g. "I found a tracker here
> from spamserver.com, and there's no corresponding entry in the trust
> manifest"). This wouldn't immediately change the 'user bargain' - the user is still
> faced with a take-it-or-leave-it choice - but over time it could definitely force
> greater transparency and contribute to a reputation score.

Content Security Policy https://w3c.github.io/webappsec/specs/content-security-policy/ already lets a top-level site declare what other-origin resources get loaded. But this is about domains, not actual legal entities. If we also leverage WebID we could associate the domains with the actual companies; for example, Google Inc might have doubleclick.com, youtube.com, google-analytics.com etc. on the same webpage. WebID-TLS https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html lets you use certificates to validate the identity as well.

Mike


Received on Friday, 30 January 2015 12:28:57 UTC
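The check Robin and Mike sketch above, as an added example that is not part of the original thread: parse a page's Content-Security-Policy header, compare the resources the page actually loaded against it, and flag any load the policy does not cover (the "tracker with no corresponding entry" case), then map each declared host-source to the entity behind it through a small trust manifest. The policy, the observed loads, the hostnames (publisher.example, spamserver.example) and the manifest mapping are all constructed sample data, and the manifest is a plain object standing in for whatever a WebID-based declaration would look like; the matcher covers the common CSP source forms ('self', 'none', *, scheme:, host, scheme://host[:port], *.host wildcards) and ignores paths and nonces.

```javascript
// Added example (not code from the thread or from any W3C spec). Compares what
// a page actually loaded against its CSP and against a constructed manifest of
// declared origins -> legal entities. All sample data below is constructed.

const FETCH_DIRECTIVES = ["script-src", "img-src", "connect-src", "frame-src",
  "style-src", "font-src", "media-src"];

// scheme://host:port/path, every part but host optional; m[1]=scheme m[2]=host m[3]=port
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?(?:\/.*)?$/;

// Parse "directive src src; directive src" into Map<directive, string[]>.
// As in CSP, a repeated directive is ignored: the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Does one source expression allow `url`? Simplified: `*` allows any URL and
// a bare host matches any scheme; real CSP restricts both to network schemes.
function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;
  if (lower === "'self'") return u.origin === pageOrigin;
  if (lower === "*") return true;
  if (lower.endsWith(":") && !lower.includes("/")) return u.protocol === lower; // scheme-source
  const m = lower.match(HOST_SOURCE);
  if (!m) return false; // nonces, hashes and other keywords never match a URL here
  const [, scheme, host, port] = m;
  if (scheme && u.protocol !== scheme + ":") return false;
  // "*.example.com" matches subdomains only, never example.com itself
  const hostOk = host.startsWith("*.") ? u.hostname.endsWith(host.slice(1)) : u.hostname === host;
  if (!hostOk) return false;
  if (port && port !== "*") {
    const urlPort = u.port || (u.protocol === "https:" ? "443" : "80");
    return urlPort === port;
  }
  return true;
}

// Is a load of `url` under `directive` allowed, falling back to default-src?
// A policy that names neither is silent, which we treat as "allowed".
function allowedByCsp(policy, directive, url, pageOrigin) {
  const sources = policy.has(directive) ? policy.get(directive) : policy.get("default-src");
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Observed loads the policy does not cover: the disparity a plug-in would show.
function findDisparities(policy, loads, pageOrigin) {
  return loads.filter((l) => !allowedByCsp(policy, l.directive, l.url, pageOrigin));
}

// For each host-source the policy declares, look up who operates it.
function entitiesForPolicy(policy, manifest, pageOrigin) {
  const out = {};
  for (const directive of FETCH_DIRECTIVES.concat("default-src")) {
    for (const src of policy.get(directive) || []) {
      const lower = src.toLowerCase();
      let host;
      if (lower === "'self'") host = new URL(pageOrigin).hostname;
      else if (lower.startsWith("'") || lower === "*" || lower.endsWith(":")) continue;
      else { const m = lower.match(HOST_SOURCE); if (!m) continue; host = m[2]; }
      out[host] = manifest[host] || "(no entity declared)";
    }
  }
  return out;
}

// ---- constructed sample data ----
const PAGE_ORIGIN = "https://publisher.example";
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://www.google-analytics.com *.doubleclick.com; " +
  "img-src 'self' https: ; frame-src https://www.youtube.com";
const SAMPLE_LOADS = [
  { directive: "script-src",  url: "https://www.google-analytics.com/analytics.js" },
  { directive: "script-src",  url: "https://ad.doubleclick.com/tag.js" },
  { directive: "script-src",  url: "https://spamserver.example/tracker.js" },   // undeclared
  { directive: "img-src",     url: "http://pixel.spamserver.example/1x1.gif" }, // http, not https:
  { directive: "frame-src",   url: "https://www.youtube.com/embed/abc" },
  { directive: "connect-src", url: "https://publisher.example/api/events" },   // via default-src
];
const SAMPLE_MANIFEST = { // constructed: declared host -> operating entity
  "publisher.example": "Publisher Ltd", "www.google-analytics.com": "Google Inc",
  "*.doubleclick.com": "Google Inc", "www.youtube.com": "Google Inc",
};

function report() {
  const policy = parseCsp(SAMPLE_CSP);
  for (const d of findDisparities(policy, SAMPLE_LOADS, PAGE_ORIGIN))
    console.log(`undeclared ${d.directive} load: ${d.url}`);
  console.log(entitiesForPolicy(policy, SAMPLE_MANIFEST, PAGE_ORIGIN));
}
report();
```

On the sample data the two spamserver.example loads are reported and every declared host resolves to an entity; a declared host missing from the manifest would show up as "(no entity declared)", which is the gap a reputation signal could be built on.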