Re: Automatic Entry and Forms

Robert Hazeltine (rhazltin@bacall.nepean.uws.edu.au)
Sun, 25 Feb 1996 12:33:12 +1100 (EST)


Date: Sun, 25 Feb 1996 12:33:12 +1100 (EST)
From: Robert Hazeltine <rhazltin@bacall.nepean.uws.edu.au>
To: Murray Altheim <murray@spyglass.com>
Cc: hallam@w3.org, www-html@w3.org
Subject: Re: Automatic Entry and Forms
In-Reply-To: <v02110103ad52dd1bf63f@[140.186.34.50]>
Message-Id: <Pine.SUN.3.91.960225111038.18199D-100000@bacall.nepean.uws.edu.au>

Murray,

On Fri, 23 Feb 1996, Murray Altheim wrote:

> No question here. But there's no need to standardize *all* fields, just
> commonly-used ones, such as name, address, phone, PGP key, etc. Several
> dozen at most.

I can see why people are attracted to this idea actually.  However, I am 
starting from a different premise.

Maybe people two generations hence might find the ideas of transferring
data - both personal and business - without human intervention acceptable
as a principle.  I do not. 

I have already had enough to do with online government and business 
systems to know that I cannot accept the proposal as a wise one, as 
distinct from a good technical one.

I guess I do not want to see the thin edge of the wedge become the block. 
Once this princple is accepted, there will be no constraints, especially
in the hands of private enterprise (which is even more scary than
government's intrusion into our private lives).  For whatever its worth,
government is at least subject to political scrutiny. 

There are plenty of examples of failed regulatory control of companies -
telecommunication and credit reference companies are but some. (No
aspersions on Spyglass, Inc. as I am unaware of your business - being from
"out of town" so to speak :-) )

Put this in the context of a lot of computer users who are not exactly 
computer literate, there is a volatile mix of technology and ignorance.
The prime example is the so called "Registration Wizard" of Microsoft Win95.
People tend to push buttons without realising the consequences: I witness 
it all the time and in earlier days have probably fallen victim to it myself.

Add the automatic downloading of information (ie without human 
intervention) to the current environment and implicitly we are surrendering 
our privacy without a fight.  What if we add to this scenario, a few 
unscrupulous players?  Where are the guarantees?  The control features in 
the proposals are not strong enough.

I guess I see it pretty much as the engineers' failure to meet the 
systems demands of the nuclear industry, but with the added proviso that, 
if privacy goes, so does a lot of other rights.  Why shouldn't this group 
promote some human values as well as technological excellence?

> I've been on the Internet since the early 1980's, and neither have I. 
> But perhaps you haven't thought about where this might be a real benefit.
> We as users aren't currently using the Internet in ways that have been

I cannot claim to have been on the Internet for that long but have had a 
long association with computers (and some pretty lousy systems along the 
way) since the late '60s in fact.  I think I have a reasonable 
understanding of the impact of the technology even better than I 
understand computers themselves.
> 
> envisioned. Let's remember that once secure transactions are commonplace,

Secure transaction will overcome some of my current reservations about 
networked systems but it does not follow that secure transactions should 
be linked with this sort of proposal that allows another systems to 
probe for information on a particular workstation.

As a sysop, people set up some pretty tight restrictions on accessing 
machine information but are not prepared to accord the same safeguards to 
people.
  
> shopping and other types of financial and information transfer transactions
> will occur regularly, maybe many times per day. This won't just be from
> your home or office computer, but from qiosks and other venues. You
> certainly won't want to be hand-entering data each time you use a service.

I have developed systems that transfer financial and other sensitive 
business data across networks.  So what you are talking about to me is a 
trivial extension of that.

Nothing in these proposals, and some of the comments on my original 
posting, inspires confidence that proper weight has been given to concerns 
for the integrity of privacy.

> I would make a recommendation: make it an registration scheme (possibly
> through IANA), where a registered field name would be accompanied with a
> text description. If the form designer agreed that the text description
> matched the input requirement, they'd use the registered field name. The
> repertoire of registered names will always be smaller than the need, but
> for commonly-used field names (which is really your scope anyway), this
> might serve very well. This would also serve as a central point for both
> form designers and users to understand the field definitions.

For the reasons I outlined above, I would not think this compromise 
viable as utimately the data set would be used at large (if ever there 
was agreement on what could be part of it).
 
> Specialized application areas might register fields used within their
> discipline, so perhaps a registration field called 'scope' or 'application
> area' might be helpful, with 'General' being default for things like name,
> address, phone, etc.
> 
> There is obviously a question of centralization vs. decentralization here,
> but for purposes of commonality of input, centralization seems preferably
> IMO. The template URI could in either case reside with IANA (or its
> location could be registered) or on a local system, and if so we'd probably
> just want some flag in the field name or template designation.

There are many type of businesses on the Internet already - each has its 
own data requirements and this is compounded further as you will realise 
if you have been through but one application development cycle.

> I think I share your concern with this proposal that a particular UA or
> server combination might be able to auto-generate a response containing
> user information on simply viewing a page. I'd hate to devise a feature
> capable of allowing servers or external agents to capture unencrypted
> private information without the user's knowledge. Given that some scenarios
> visage each workstation also becoming a server, it seems possible that a
> robot could query each workstation for that personal data. Some privacy
> safeguards would seem absolutely necessary.

Precisely my point.

It wouldn't be long before there were gaping holes through which to 
access information contrary to an individual's wishes.

> > Just some spurious thoughts on a Friday... > 

Quite the contrary.

Rob...

Robert Hazeltine                    r.hazeltine@nepean.uws.edu.au
Library Web Support                 http://www.nepean.uws.edu.au/library/