Re: Suggestion for sensitive online content from Joseph Alhadeff on 2015-08-15 (public-privacy@w3.org from July to September 2015)

From: Joseph Alhadeff <joseph.alhadeff@oracle.com>
Date: Sat, 15 Aug 2015 08:58:14 -0400
To: François Légaré <flegare@gmail.com>
Cc: Nick Doty <npdoty@w3.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-Id: <9AF71C55-B097-4AC4-82D1-D0DA0C16DE4B@oracle.com>
  I have not followed this entire thread (apologies if this is a bit off topic) but I would think that for some disabled (limit keystrokes for those with impaired motor coordination) or other populations with special requirements (impaired memory...) we may want to make sure that they can preserve convenience functions with alternative security and policy controls for assurance...

Jor

Sent from my iPad

> On Aug 14, 2015, at 9:50 PM, François Légaré <flegare@gmail.com> wrote:
> 
> Hi Nick, 
> 
> Yes sensitive is the word, sensible is the french version of the word my bad ;) I stay tuned to see if browser leaders are interested in this behaviour.
> 
> Regards,
> 
> Francois
> 
> 
> 
>> On Thu, Aug 13, 2015 at 4:56 PM, Nick Doty <npdoty@w3.org> wrote:
>> Hi François,
>> 
>> That's an interesting privacy problem and proposal. (I've changed the subject line, because I believe you're primarily talking about sensitive content, rather than sensible content.)
>> 
>> Work has begun recently in the WebAppSec group on a mechanism (HTTP response header) for sites to clear all local content (like cookies and localStorage) for their origin, as a security and privacy measure:
>> http://www.w3.org/TR/clear-site-data/
>> 
>> I'm not sure they're specifically considering the use case of wanting to clear browser history for a potentially sensitive website, but it sounds not dissimilar from their set of goals, so it would be worth considering.
>> 
>> The other existing technology that could be used would be declarative mechanisms for content selection, like PICS (deprecated) and POWDER:
>> http://www.w3.org/2007/powder/
>> 
>> That would be an existing mechanism to declare a value like, "sensitive-anonymous", which supporting user agents could interpret as a sign that they should use private browsing mode (no local cache).
>> 
>> It sounds like the site you're working with would be willing to spend the minor resources to implement this kind of flag. We would need to check whether prominent browser vendors are interested in implementing the client-side version.
>> 
>> Hope this helps,
>> Nick
>> 
>>> On Aug 12, 2015, at 10:42 AM, François Légaré <flegare@gmail.com> wrote:
>>> 
>>> Hi
>>> 
>>> I work for a big telecom company in Canada that currently give various sponsorship for mental health organisations. Part of the sponsorship is making sites and mobile applications to help individual get online help and access information and resources that are often sensible. 
>>> 
>>> One example is  http://www.kidshelpphone.ca/ they provide anonymous phone line for kids that may have issue or problem in their family. This lead to a sensitive problem, a kid visiting this site need to know how to clean browsing history since a adult seeing the browsing history might challenge the kids about the visit and lead to more stress or bigger problems. They did explain on the site header how to flush history and train visitor about the anonymous tab, this isn't perfect at all, because it really entirely on the user actions and the assumption that he read and understood the section. 
>>> 
>>> Since not all internet user are tech savvy and are aware of the anonymous tabs, so my suggestion for the W3C would be the following:
>>> 
>>> A head meta tag that could help define sensitivity level of the online html content. This tag once detected by the browser could apply various policy to increase anonymity and reduce potential problems, ideally default policies would implicitly insure higher privacy for the end users.
>>> 
>>> For instance browser that detect the meta tag could automatically go in "anonymous mode" and don't track browsing history, remove cached content, etc. This will insure a more anonymous browsing experience for such site for users that are less aware of the already available privacy features. Content rating meta tag to some extends could be used but this is a bit far fetch but could be less involving since tags already exist. 
>>> 
>>> Of course I'm quite sure, site with adult content would also be like such features but this is not really the issue I'm trying to resolve at this point.
>>> 
>>> According to some of the W3C members this is a valid place to submit this suggestion, I hope this will be well received.
>>> 
>>> Regards,
>>> 
>>> Francois
>
Received on Saturday, 15 August 2015 13:01:29 UTC