Re: wording for the privacy section

I am one of those in the "few others" that totally agree with Jon,  
Ian, and Aaron.

On Oct 29, 2008, at 9:52 AM, Jon Ferraiolo wrote:

> I agree with Ian and Aaron (and probably a few others) that  
> implementation of security and privacy protection should be left to  
> the "user agent", which in practice usually will consist of the  
> browser team, the device manufacturer and the operator working  
> together. All three of these organizations have strong motivation to  
> implement strong security and privacy protection (for both legal and  
> commercial reasons). Browsers today already include many features to
> address security and privacy concerns. The user agent teams will be  
> sensitive to their needs to add location support in a manner that  
> doesn't cause trouble to users or themselves.
>
> In terms of meeting the charter requirement "to define a SECURE AND  
> PRIVACY-SENSITIVE INTERFACE", my view is that it would be sufficient  
> to include fuzzy language in the specification that says that the  
> user agent MUST or SHOULD include a security manager component that  
> provides appropriate security and privacy protection to the end user.
>
> Jon
>
>
> "Aaron Boodman" <aa@google.com>
> 10/28/2008 07:39 PM
>
> To: "John Morris" <jmorris@cdt.org>
> cc: "Doug Turner" <doug.turner@gmail.com>, "Thomson, Martin" <Martin.Thomson@andrew.com>, Jon Ferraiolo/Menlo Park/IBM@IBMUS, "Andrei Popescu" <andreip@google.com>, public-geolocation <public-geolocation@w3.org>
> Subject: Re: wording for the privacy section
>
> On Tue, Oct 28, 2008 at 5:52 PM, John Morris <jmorris@cdt.org> wrote:
> > According to the charter, the objective of this WG is "to define a SECURE
> > AND PRIVACY-SENSITIVE INTERFACE for using client-side location information
> > in location-aware Web applications."  To simply assert in a spec that any
> > implementation MUST take privacy into account while being silent on HOW to
> > do so accomplishes nothing, and will do absolutely nothing to change the
> > norm - which is to wholly ignore privacy.  It is crystal clear from both the
> > charter and the list discussion that the spec being proposed will be
> > used in a broad diversity of use cases (not just manual user input of
> > location), and simply waving a privacy wand over the whole effort does not
> > constitute a "secure and privacy-sensitive interface."  It constitutes
> > business-as-usual by leaving privacy for someone else to worry about (and
> > ultimately for the end user to lose out on).
>
> This spec is intended to be implemented primarily by web browsers. I
> don't see what reason there is to believe that web browser developers
> would ignore privacy. In fact, as far as I'm aware, all current
> implementations require user permission before divulging location to
> applications. This makes sense since any browser which abused users'
> privacy would quickly lose them.
>
> - a
>

Received on Wednesday, 29 October 2008 17:00:19 UTC