- From: Luca Passani <passani@eunet.no>
- Date: Thu, 22 Jan 2009 11:27:58 +0100
- To: MWI BPWG Public <public-bpwg@w3.org>
- Message-ID: <49784A2E.8040604@eunet.no>
FYI, Rigo Wenning's answer to my query on whether HTTPS can be legitimately broken by proxies.

Among other things, I suspect that Rigo's point does not consider the fact that, in order to read the no-transform, proxies must break HTTPS, which is exactly what they may not be allowed to do, but this I will keep for another thread.

Luca

PS: I am not sure what inspires so much confidence and trust in Telcos :)

-------- Original Message --------
Subject: Re: HTTPS and Transcoding
Date: Thu, 22 Jan 2009 10:51:13 +0100
From: Rigo Wenning <rigo@w3.org>
Organization: W3C
To: Luca Passani <passani@eunet.no>
CC: Francois Daoust <fd@w3.org>
References: <49732312.6070800@eunet.no> (sfid-20090119_114343_891039_EF1AC92B)

Dear Luca,

you are -IMHO unintentionally- misrepresenting the opinion I gave. I haven't said that ignoring the headers is infringing copyright. I also do not think that a site is telling people "do not transcode" just by using https.

So let me re-iterate: What I said is that it would be good for the BPWG to provide a means to site owners and content providers to express their will to oppose transcoding. The transport issue (https) is a red herring to this discussion.

So part of the heat in your discussion comes from the fact that there is a criss-cross of assumptions made that do not fit the legal relations between the parties. Back in 2001, I discussed with Johan Hjelm about location based services and privacy. Johan made the assumption that there is the "internet" in one basket and the "telco+user" in the other basket. All solutions he described were making this assumption. "telco+user" was one trusted entity. But this is not the case and at the core of your discussion.

So if the transcoding proxy is NOT running on the mobile phone, the last mile is not secured. Consequently, the assumption of the content provider (e.g. a bank) and the user, that they enjoy un-watched communication, is wrong. This is the core issue and this has nothing to do with copyright or breaking copyright by transcoding.

IMHO, the copyright question is solved by providing a header that expresses the will to disallow transcoding. This header has no strong (read crypto) technical enforcement and may thus be ignored by a proxy. But in this case, this is a relation between the content provider and the proxy-manufacturer. W3C and the Tech community, in this case, have done everything to provide clear means (with the headers) to deal with the issue. If some actors in the market do not respect it, our legal system has means to deal with this scenario. There is nothing W3C could do about it. And this is the same for http, https or IP over pigeons.

So the whole discussion is IMHO a waste of time as a content provider could provide a non-transcoding header with the HTTPS headers. And this is the right solution as there may be cases, where the content provider (e.g. our bank) wants the content to be available on phones via transcoded https, because he simply trusts the last mile operated by some GSM provider and also wants his content to be available on older phones.

IMHO we should not replace the preferences of people out there by our own. We should rather give them the means to express their will.

Best,

Rigo Wenning
W3C Legal Counsel

On Sunday 18 January 2009, Luca Passani wrote:
> Hello Mr. Wenning,
>
> Happy New Year
>
> The discussion about transcoders is still lively. Based on your
> previous clarification on copyrights and use of "no-transform" as a
> way to avoid that transcoders create a derivative work from content
> they have no rights to, I took the freedom of stating that this
> must obviously extend to HTTPS, in the sense that if a content
> owner decides to use HTTPS to allow access to their own content, it
> is because they are looking for secure end-2-end communication with
> the client and nothing else. I argued that there cannot be a
> legitimate way to break third-party HTTPS end-2-end communication
> without infringing heavily on the rights of the content owner,
> unless the content owner has allowed for it explicitly in another
> way. In fact, I even went further and attributed this opinion to
> W3C legal counsel on this public W3C list:
>
> http://lists.w3.org/Archives/Public/public-bpwg/2009Jan/0026.html
>
> Someone made me promptly notice that mine was an "inference" and
> there was no legal statement from W3C specifically about HTTPS that
> we are aware of. Please accept my apologies if you also think that
> I went too far in inferring.
>
> To make a long story short, I (and others on the BPWG public list)
> would like to know whether, in your opinion, HTTPS can legitimately
> be tampered with by a third party without the knowledge/approval of
> the content owner.
>
> Thank you
>
> Luca Passani
Received on Thursday, 22 January 2009 10:28:44 UTC