
Re: Suggestion for sensitive online content

From: Nick Doty <npdoty@w3.org>
Date: Sat, 15 Aug 2015 18:55:03 -0700
Cc: François Légaré <flegare@gmail.com>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-Id: <D15884DE-19F9-4151-A683-314F32E5883E@w3.org>
To: Joseph Alhadeff <joseph.alhadeff@oracle.com>
On Aug 15, 2015, at 5:58 AM, Joseph Alhadeff <joseph.alhadeff@oracle.com> wrote:
> 
>   I have not followed this entire thread (apologies if this is a bit off topic) but I would think that for some disabled (limit keystrokes for those with impaired motor coordination) or other populations with special requirements (impaired memory...) we may want to make sure that they can preserve convenience functions with alternative security and policy controls for assurance...
> 
> Jor

This is an interesting point. There might be some situations where a site indicates "this is a sensitive site, you probably don't want to cache it or keep it in your history" but where the user really does want to keep it.

I'd want to think through the accessibility case in a little more detail, but maybe there are users who really need to keep a record, because of impaired memory or cognitive function such that they need someone else who uses the machine to be able to see where they've been. Though it could conflict with François's original use case, parents of young children might be one example of that.

There might be security cases where a malicious website used for phishing might abuse these headers to make it harder for someone to see after the fact that they visited a site that was pretending to be yourbank.com but was actually evil.com.

And there might be performance/network-incapacity cases; you're visiting a sensitive website, but you want the content cached for offline access later because you have control over your own device but don't have reliable network access. (E.g. the calendar of protests is marked sensitive, but you want to make sure you have it even if the local ISP slows access to that site later.)

I think in all such cases, it should be clear that it's the user who ultimately decides whether history/content is cached. But a *hint* from the site that the UA can expose to the user ("This site may host sensitive content; we're going to erase it from your browser history after you leave the page, okay?") might be useful. The indicator might also prompt different things for different users with different threat models. If you're in a certain country, you might want to conduct further traffic to that site through a proxy/routing service. If you indicate that you're worried about future access being blocked, you could instruct your user agent to cache sensitive content for offline access.

—Nick


Received on Sunday, 16 August 2015 01:55:17 UTC
