Re: Fwd: Browser UI, privacy, and EU law

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Wed, 3 Oct 2012 16:38:30 +0200
Message-ID: <CAKaEYhKD2ZGUmMafZiGJj5A-++tqwn16r4=BUvT_8TK1fKWWxA@mail.gmail.com>
To: nathan@webr3.org
Cc: Henry Story <henry.story@bblfish.net>, "public-xg-webid@w3.org XG" <public-xg-webid@w3.org>, Coralie Mercier <coralie@w3.org>
On 3 October 2012 16:28, Nathan <nathan@webr3.org> wrote:

> Melvin Carvalho wrote:
>
>> On 3 October 2012 15:45, Nathan <nathan@webr3.org> wrote:
>>
>>  can web-id be folded in to RWW, and mail auto forwarded to this list?
>>>
>>
>>
>> Nathan did you mean that the XG (now expired) folded into the public-webid
>> CG
>>
>
> No :p but the XG folding in to webid cg it entails the same question :)
>

I think WebID CG is about pushing WebID towards standardization, peer
review, test suites, interoperable implementations, usability and outreach.

RWW is more about using web standards to read and write.  Tho WebID is
probably the solution best aligned to facilitating this, others may come
along in future and the web is inclusive.  So, I'd suggest keeping RWW and
WebID separate, as Henry says.


>
>
>>> Henry Story wrote:
>>>
>>>  Since our community is a bit split on the mailing list still, I thought
>>>> I'd forward this to the XG list.
>>>> Begin forwarded message:
>>>>
>>>>  Resent-From: public-webid@w3.org
>>>>
>>>>> From: "Dr Ian Walden" <i.n.walden@qmul.ac.uk>
>>>>> Subject: RE: Browser UI, privacy, and EU law
>>>>> Date: 1 October 2012 13:36:05 CEST
>>>>> To: "'Henry Story'" <henry.story@bblfish.net>, <public-webid@w3.org>,
>>>>> "'Ben Laurie'" <benl@google.com>
>>>>>
>>>>> Dear All,
>>>>>
>>>>> The answer is, of course, it depends!
>>>>>
>>>>> The relevant legislative measure, Directive 02/58/EC, as amended in 2009,
>>>>> states the following, at article 5(3):
>>>>>
>>>>> "Member States shall ensure that the storing of information, or the
>>>>> gaining of access to information already stored, in the terminal
>>>>> equipment of a subscriber or user is only allowed on condition that
>>>>> the subscriber or user concerned has given his or her consent, having
>>>>> been provided with clear and comprehensive information, in accordance
>>>>> with Directive 95/46/EC, inter alia, about the purposes of the
>>>>> processing. This shall not prevent any technical storage or access for
>>>>> the sole purpose of carrying out the transmission of a communication
>>>>> over an electronic communications network, or as strictly necessary in
>>>>> order for the provider of an information society service explicitly
>>>>> requested by the subscriber or user to provide the service."
>>>>>
>>>>> The references to 'consent' and 'clear and comprehensive information'
>>>>> suggest that a user should be informed what identity he is giving to a
>>>>> web site, since meaningful consent cannot be given unless the individual
>>>>> knows what personal data is being disclosed. However, the last sentence
>>>>> of the article is a get-out provision for data controllers, which means
>>>>> that consent is not required in all circumstances.
>>>>>
>>>>> Kind regards,
>>>>>
>>>>> Ian
>>>>>
>>>>> Professor Ian Walden
>>>>> Professor of Information and Communications Law
>>>>> Head, Institute of Computer and Communications Law
>>>>>
>>>>> Centre for Commercial Law Studies
>>>>> Queen Mary, University of London
>>>>> 67-69 Lincoln's Inn Fields
>>>>> London WC2A 3JB
>>>>>
>>>>> Tel: +44-(0)20-7882-8086
>>>>> Mobile: +44-(0)7968-612-581
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: Henry Story [mailto:henry.story@bblfish.net]
>>>>> Sent: 27 September 2012 14:29
>>>>> To: Ian Walden; public-webid@w3.org; Ben Laurie
>>>>> Subject: Browser UI, privacy, and EU law
>>>>>
>>>>> Let me introduce Ian Walden, Professor of Information and Communication
>>>>> Law [1], who gave perhaps one of the most entertaining presentations at
>>>>> IETF 83 at the behest of the Security Area Advisory Group [2] in Paris
>>>>> earlier this year on the effect of new EU legislation on software
>>>>> development relating to privacy.
>>>>> It has been a long time since then, and I was not expecting such a talk,
>>>>> so I did not take notes. But I am pretty sure this has some relevance to
>>>>> the topic at hand here.
>>>>>
>>>>> What I would like to know is if we can start arguing from a legal
>>>>> perspective now for enhancements to user interfaces in browsers to help
>>>>> the user see what identity (s)he is showing to a web site. I am asking
>>>>> this because in a discussion with Ben Laurie, who works as security
>>>>> specialist at Google among many other things [3], Ben seemed to think
>>>>> there was no requirement in EU law for this. But my take from the talk
>>>>> at IETF in Paris was quite the opposite, or at the very least that
>>>>> things were about to seriously change.
>>>>>
>>>>> So let me summarise the UI improvement that I (and others) have been
>>>>> arguing for. Client side certificates - with WebID - allow one to
>>>>> authenticate (if one desires to) to a number of web sites in one click.
>>>>> This is shown in the short video "WebID & Browsers" [4]. As I point out
>>>>> at the end of the video, current browsers allow one to log into
>>>>> different sites with a client certificate but:
>>>>>
>>>>>  1. Fail to make it obvious at all times that one is logged in, or
>>>>>     under what identity
>>>>>
>>>>>     So, for example, if in Safari one has chosen an identity to log in,
>>>>>     one cannot change it, or even ever see that this is the
>>>>>     identity/certificate one has chosen.
>>>>>     All the other browsers ask one again on accessing a web site, but
>>>>>     still don't show the identity used.
>>>>>
>>>>>  2. Don't make it easy to logout
>>>>>
>>>>>     There is a bit of javascript that works on Netscape to log out, but
>>>>>     the server must present that option. In my view the user should be
>>>>>     in control. One has to close the whole browser to change identity.
>>>>>     (Safari does not allow one to logout at all, ever!)
>>>>>
>>>>>  3. Don't make it obvious when one is anonymous
>>>>>
>>>>> Aza Raskin, a designer at Mozilla, presented a design that in my view
>>>>> would solve this and user interaction problems very neatly and put the
>>>>> user in control of his identity
>>>>>
>>>>>      http://www.azarask.in/blog/post/identity-in-the-browser-firefox/
>>>>>
>>>>>
>>>>> Aza did not apply it to https client authentication (TLS) but the
>>>>> design would clearly work just as well there too. I opened a bug report
>>>>> on Chrome for something like this to be implemented
>>>>>    http://code.google.com/p/chromium/issues/detail?id=29784
>>>>>
>>>>>
>>>>> And similarly to other open source and closed source browsers.
>>>>>
>>>>> So the WebID protocol is here to try to create a global distributed
>>>>> social network so that we can have more privacy by working in
>>>>> distributed social networks [5] and not have to all interact on one huge
>>>>> mega-server (or at least allow people to not have to do that without
>>>>> suffering a large penalty)
>>>>> We can get going as is now, but we would like the browsers to put the
>>>>> user more in control of his identity.
>>>>>  So I was wondering if this is now a legal requirement :-)
>>>>>
>>>>>
>>>>>  Henry
>>>>>
>>>>>
>>>>> [1] http://www.law.qmul.ac.uk/staff/walden.html
>>>>> [2] http://www.ietf.org/mail-archive/web/saag/current/msg03614.html
>>>>> [3] http://en.wikipedia.org/wiki/Ben_Laurie
>>>>> [4] http://bblfish.net/blog/2011/05/25/
>>>>>
>>>>> [5] I have a three minute interview at Oxford internet institute by
>>>>> Prof William Dutton that covers this
>>>>>    http://webcast.oii.ox.ac.uk/?view=Webcast&ID=20100524_323
>>>>>
>>>>>
>>>>> Social Web Architect
>>>>> http://bblfish.net/
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>  Social Web Architect
>>>> http://bblfish.net/
>>>>
>>>>
>>>>
>>>
>>
>
Received on Wednesday, 3 October 2012 14:39:03 UTC
