W3C home > Mailing lists > Public > www-talk@w3.org > July to August 1995

Re: 3 Proposals: session ID, business-card auth, customer auth

From: James Pitkow <pitkow@cc.gatech.edu>
Date: Wed, 19 Jul 1995 00:58:48 -0400 (EDT)
Message-Id: <199507190458.AAA25051@hapeville.cc.gatech.edu>
To: fielding@beach.w3.org (Roy Fielding)
Cc: connolly@beach.w3.org, www-talk@w3.org

Hello,

Roy wrote:

>Henrik and I talked about that as well.  The From header can indeed
>include this information in the form of a comment (keeping in mind
>that it may already include a comment.  Thus,
>
>   From: (#342%33a4d443 12)

This point was raised back in April in response to the "cookie" header
proposed by Netscape. It seemed clear then and it still seems clear now that no 
extension needs to be made made to the current protocol to support session ids (use 
the From: field).  But again, this misses the point. Session Id and other
meta & profiling information are rightfully first class data objects and ought to be
treated as such.  HTTP does not currently do this and it would really enable 
a lot if it did.  

[business cards]
>>The server could take the business card auth data and fill in the
>>form fields in advance. So my proposal covers your needs. Your
>>proposal _doesn't_ allow for the no-user-interaction case, which
>>I think is critical.
>
>The user would then have complete control of the content, including
>whether or not to press the submit button, and the information is
>only transmitted once.  The content provider can also make it optional,
>only ask for specific standard names (like zipcode), or request
>additional information within the same form.

The UI fields of adaptive interfaces, user modeling and profile building 
all agree with the notion of making sure the user has complete control
over their profile, including to whom this information is being made known to,
Do we really want to make the Web a place we you have to drop a business
card that contains personal information to get information?  I think
that imposing the barrier that the user has to perform an action to broadcast
their profile information is the correct default mode, not the other way around.
In no way is the no-user-interaction method in agreement with previous
research in the area.  Critical to whom anyway?  Companies that will only
let you see their pages if you give them demographic info?  Sounds like blackmail 
- some pay, others don't.

Earlier Dan wrote:

>>Again, this really gets into the notion of user profiling and profile
>>maintainence.  I'm extremely wary of systems that enable log files to
>>be collated and intelligent algorithms applied.
>
>If it ends up in higher quality of service, why are you so worried?

Because I personally place privacy above quality of service.  Though I 
was not at the discussions, this line of argumentation was used for
the formation of financial data collectors like TRW. "But we are providing
a valuable service to customers and business who want to be able to
determine credit history..."  Credit history - Information access history.
Do we really want to end up having to struggle to get our basic rights back
from companies that hold terabytes of information about us in a few years 
or do we deal with the issue now?  I think that there is a real need to
be concerned about the what models and policies we adopt as we move into
this new era and that this is not spreading Fear, Uncertainty, and Doubt.

Jim.
Received on Wednesday, 19 July 1995 01:01:10 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 27 October 2010 18:14:17 GMT