W3C home > Mailing lists > Public > www-tag@w3.org > February 2010

RE: ACTION-278 Hiding metadata for security reasons

From: Dan Connolly <connolly@w3.org>
Date: Thu, 11 Feb 2010 13:52:31 -0600
To: Larry Masinter <masinter@adobe.com>
Cc: Tyler Close <tyler.close@gmail.com>, Tim Berners-Lee <timbl@w3.org>, John Kemp <john@jkemp.net>, "ashok.malhotra@oracle.com" <ashok.malhotra@oracle.com>, Jonathan Rees <jar@creativecommons.org>, "www-tag@w3.org" <www-tag@w3.org>, "Mark S. Miller" <erights@google.com>
Message-ID: <1265917951.3812.1199.camel@pav.lan>
On Wed, 2010-02-10 at 15:05 -0800, Larry Masinter wrote:
> >   A user-agent
> > MUST NOT disclose representations or URIs, unless either explicitly
> > instructed to do so by the user or as legitimately directed to by
> > presented content. Since the user may wish to keep this information
> > confidential, the user-agent must not assume it can be revealed to
> > third-parties.
> 
> While I'm sympathetic to the intent, this leaves undefined
>  the scope of "user agent" here, referent of "the user", 
> and the meanings of "disclose", "legitimately", "confidential",
> "assume" and "third-parties".

Those are all sufficiently well-defined for me.

>   Does "user agent" apply to,
> say, archive.org (which might pick up a mailing list archive
> of an email and scan what is supposed to be a 'private'
> URL)?

Yes; if the URI was supposed to be private, someone
made a mistake in putting it somewhere that archive.org
can get at it.

>  Does it apply to, say, news.google.com, which seems
> to aggregate news from newspapers that have a "news reader"
> registration and login requirements?

Yes, "legitimately directed" is a term of art that is
ground in normal social conventions; in this case, the
normal social conventions aren't clear (the parties
are suing each other) so we shouldn't be surprised
that the term of art doesn't have a clear referent.


> I don't think this is an effective path to pursue. There are
> agents that use URIs, including browsers, crawlers, scanners, 
> aggregators, portals, bookmark sharing tools, translation
> gateways, Internet Archive services. These agents, for better
> or worse, have widely varying properties where information
> retrieved by them is distributed further, including using
> Referer, publishing access logs, peer sharing of cached 
> retrieved results, etc.  Many of those deployed web agents
> make the presumption that any material they access without
> going through any particular access control mechanism may
> be shared further without particular restriction,

I don't believe that. On the contrary: the presumption
is that the content provider has copyright and very limited
rights are granted; in particular, right to redistribute/republish
is not assumed.



>  although
> in practice the distribution that happens is not widespread,
> there are no guarantees.
> 
> While "secret URLs" provide the appearance of adding some
> amount of confidentiality to the results, in fact, there
> are many circumstances where such URLs are disclosed,
> by agents that are not browsers and whose update to follow
> recommendations in _this_ document is unlikely.

I find this claim hard to believe; if there are many
agents that go spreading links around without being
legitimately directed by their user, would you please
give an example or two?


> A false sense of security is worse than no security,
> in many circumstances. 
> 
> If users wish to make material available to "anyone who
> has the URL", that's fine, but don't make any promises
> that this is a "security" mechanism, because it's not.

Argument by assertion, in the face of tremendous
evidence to the contrary. I'm not persuaded.

> There is a kind of "security" I've heard called "yellow
> ribbon security", which functions like the "yellow ribbon"
> banner sometimes put up:
> 
> "POLICE LINE DO NOT CROSS".
> 
> Now, the yellow ribbon doesn't actually prevent anyone
> from crossing it, it just puts the crosser on notice
> that they are actually crossing a line someone (perhaps
> even the police) do not want them to cross.
> 
> It *might* be possible to make secret URLs into a 
> "yellow ribbon" security mechanism, if, for example,
> the "unguessable" part of the URL were clearly 
> unguessable.  (Random jumble of letters rather than,
> say, random quotes from literature, which might not
> look random.)

What has that got to do with anything? The word
"unguessable" is quite clear; we could slot in the
actual information-theoretic definition, but I
think it's quite clear from context.

> Larry
> --
> http://larry.masinter.net
> 
> 
> 
> 


-- 
Dan Connolly, W3C http://www.w3.org/People/Connolly/
gpg D3C2 887B 0F92 6005 C541  0875 0F91 96DE 6E52 C29E
Received on Thursday, 11 February 2010 19:52:34 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 26 April 2012 12:48:19 GMT