W3C home > Mailing lists > Public > public-webid@w3.org > September 2012

Browser UI, privacy, and EU law

From: Henry Story <henry.story@bblfish.net>
Date: Thu, 27 Sep 2012 15:29:06 +0200
Message-Id: <8D5B1BF7-8EFA-40E8-B7D3-641B44E75731@bblfish.net>
To: Ian Walden <i.n.walden@qmul.ac.uk>, "public-webid@w3.org" <public-webid@w3.org>, Ben Laurie <benl@google.com>
Let me introduce Ian Walden, Professor of Information and Communication Law [1], who gave perhaps one of the most entertaining presentations at IETF 83 at the behest of the Security Area Advisory Group [2] in Paris earlier this year on the effect of new EU legislation on software development relating to privacy. 

It has been a long time since then, and I was not expecting such a talk, so I did not take notes. But I am pretty sure this  has some relevance to the topic at hand here.

What I would like to know is if we can start arguing from a legal perspective now for enhancements to user interfaces in browsers to help the user see what identity (s)he is showing to a web site. I am asking this because in a discussion with Ben Laurie, who works as security specialist at Google among many other things [3], Ben seemed to think there was no requirement in EU law for this. But my take from the talk at IETF in Paris was quite the opposite, or at the very least that things were about to seriously change.

So let me summarise the UI improvement that I ( and others ) have been arguing for. Client side certificates - with WebID - allows one to authenticate ( if one desires to ) to a number of web sites in one click. This is shown in the short video "WebID & Browsers" [4]. As I point out at the end of the video current browsers allow one to log into different sites with a client certificate but:

  1. Fail to make it obvious at all times that one is logged in, or under what identity

    So, for example if in Safari one has chosen an identity to log in one cannot change it, or even ever see that this is the identity/certificate one has chosen.
    All the other browsers ask one again on accessing a web site, but still don't show the identity used. 

  2. Don't make it easy to logout

     There is a bit of javascript that works on Netscape to log out, but the server must present that option. In my view the user should be in control. One has to close the whole browser to change identity.
     ( Safari does not allow one to logout at all, ever! )

  3. Don't make it obvious when one is anonymous

  Aza Raskin a designer at Mozilla presented a design that in my view would solve this and user interaction problems very neatly and put the user in control of his identity

      http://www.azarask.in/blog/post/identity-in-the-browser-firefox/

Aza did not apply it to https client authentication (TLS) but the design would clearly work just as well there too. I opened a bug report on Chrome for something like this to be implemented 

    http://code.google.com/p/chromium/issues/detail?id=29784

And similarly to other open source and closed source browsers.

So the WebID protocol is here to try to create a global distributed social network so that we can have more privacy by working in distributed social networks [5] and not have to all interact on one huge mega-server (or at least allow people to not have to do that without suffering a large penalty) We can get going as is now, but we would like the browsers to put the user more in control of his identity. 

  So I was wondering if this is now a legal requirement :-)


  Henry 



[1] http://www.law.qmul.ac.uk/staff/walden.html
[2] http://www.ietf.org/mail-archive/web/saag/current/msg03614.html
[3] http://en.wikipedia.org/wiki/Ben_Laurie
[4] http://bblfish.net/blog/2011/05/25/
[5] I have a three minute interview at Oxford internet institute by Prof William Dutton that covers this
    http://webcast.oii.ox.ac.uk/?view=Webcast&ID=20100524_323

Social Web Architect
http://bblfish.net/
Received on Thursday, 27 September 2012 13:29:51 UTC

This archive was generated by hypermail 2.3.1 : Sunday, 31 March 2013 14:40:59 UTC