Re: Browser UI & privacy - a discussion with Ben Laurie from Kingsley Idehen on 2012-10-04 (public-identity@w3.org from October 2012)

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Thu, 04 Oct 2012 08:40:24 -0400
To: Henry Story <henry.story@bblfish.net>
CC: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "public-webid@w3.org" <public-webid@w3.org>, public-identity@w3.org, "public-philoweb@w3.org" <public-philoweb@w3.org>, Ben Laurie <benl@google.com>
Message-ID: <506D83B8.4010208@openlinksw.com>
On 10/4/12 7:12 AM, Henry Story wrote:
> On 4 Oct 2012, at 12:12, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>
>> Hi Henry,
>>
>> I am not sure I am able to put your mail and your contribution into the right context.
>>
>> Are you suggesting some terminology for privacy? If so, where is it?
>>
>> Ciao
>> Hannes
>>
>> PS: You may want to have a look at the privacy terminology in
>> http://tools.ietf.org/html/draft-iab-privacy-considerations-03
>>
>> It took us some time to find the right level for engineers.
> Thanks that is very useful.
>
> We were not trying to come up with a privacy vocabulary. (sorry for the misnamed
> pdfs) Just having a minimal working definition did make things a lot easier :-)
>
> Thinking of it now I'd say our discussion started in the reverse logical
> order from where it should have. So if I'd do it again I'd now start from
> where we have clear agreement, and then move on to the more counterintuitive
> arguments.
>
> Let me try to summarise and rephrase using IETF privacy language, starting in
> logical order now.
>
> 1) Basic Principle:
>     The _Identity_ used by the _Individual_ _Initiator_ of a web transaction should at
>     all times be transparent to him, whether the _Identity_ be _Anonymous_ (level 0),
>     Cookie based, _Pseudonymous_, or other.  It should also be within the
>     _User's control_ to change it. This should be put together with Dr Ian Walden's
>     remarks on EU law [3]. ( see misnamed privacy-definitions-1Oct.pdf )
>
> 2) Practical applications in browser ( see misnamed privacy-definition-final.pdf )
>
>     a) It is difficult to associate interesting human information with cookie based
>     identity. The browser can at most tell the user that he is connected by
>     cookie or anonymous.
>
>     b) With Certificate based identity, more information can be placed in the
>      certificate to identify the user to the site he wishes to connect to whilst
>      also making it easy for the browser to show him under what identity he is
>      connected as. But one has to distinguish two ways of using certificates:
>
>        + traditional usage of certificates
>        Usually this is done by placing Personal Data inside the certificate. The
>     disadvantage of this is that it makes this personal data available to any web
>     site the user connects to with that certificate, and it makes it difficult to
>     change the _Personal_Data (since it requires changing the certificate). So here
>     there is a clash between Data Minimization and user friendliness.
>
>        + webid usage:
>        With WebID ( http://webid.info/spec/ ) the only extra information placed in the
>     certificate is a dereferenceable URI - which can be https based or a Tor .onion
>     URI,... The information available in the profile document, or linked to from that
>     document can be access controlled. Resulting in increasing _User Control_ of whome
>     he shares his information with. For example the browser since it has the private key
>     could access all information, and use that to show the as much information as it
>     can or needs. A web site the user logs into for the first time may just be able
>     to deduce the pseudonymous webid of the user and his public key, that is all. A
>     friend of the user authenticating to the web site could see more information.
>         So User Control is enabled by WebID, though it requires more work at the
>     Access control layer http://www.w3.org/wiki/WebAccessControl
>
> 3) The importance of Linekability to privacy.
>
>     This is what is unintuitive. and which I develop in
>     http://lists.w3.org/Archives/Public/public-webid/2012Oct/att-0022/privacy-def-1.pdf
>
>     The ability to have global identifiers is what allows me to put information on my
>   web server and share it with only a limited number of people. This is not the same
> useage of unlinkeability as you defined it. So one has to be careful.  I think one
> needs linkeable identities to create a social web that is not centralised. One just
> does not want them to be KNOWN by people who have no business knowning them.
>
>     So I'd suggest thinking more carefully about the linkeable vocabulary. It
> can be used to hide some very important ideas, that we really need if we want
> privacy to succeed.
>
> 	Henry

For the record: +1

Kingsley
>
>
>> On 10/04/2012 12:54 PM, Henry Story wrote:
>>> The identity groups are currently split up between public-webid, public-xg-webid
>>> (which will now receive all mails from public-webid) and the public-identity
>>> mailing list.
>>>
>>> On the public-webid mailing lists we recently had a very lengthy
>>> and detailed discussion with Ben Laurie [1], which I think is of interest
>>> to members of these other groups. The archives are quite difficult to read [2]
>>> so I am sending here a resume of some of the highlights. I also attached
>>> the pdf as printed from my e-mail client as it gives color syntax highlighting,
>>> making it much easier to follow.
>>>
>>> First we spent quite a lot of time I think beating around the bush of
>>> misunderstandings. The first e-mail where things started clearing up
>>> was when I proposed a simple working definition of privacy after a
>>> philosopher friend of mine suggested that our misunderstandings might be
>>> related to an ambiguous and vague use of the terms. The working definition
>>> I proposed was:
>>>
>>> "A communication between two people is private if  the only people who
>>> have access to the communication are the two people in question. One
>>> can easily generalise to groups: a conversation between groups of people
>>> is private (to the group) if the only people who can participate/read the
>>> information are members of that group..."
>>>
>>>
> http://lists.w3.org/Archives/Public/public-webid/2012Oct/att-0022/privacy-def-1.pdf
>>>
>>>
>>> We then made big strides by working out where we agreed. We agree that
>>> transparency of identity is important at all times (which seems
>>> to be a potentially EU legal requirement [3]) I discover some new information
>>> about how Google Chrome works, and argue that it still does not satisfy the
>>> original transparency principles we agreed to.
>>>
>>>
>>>
> http://lists.w3.org/Archives/Public/public-webid/2012Oct/att-0022/privacy-definitions-1Oct.pdf
>>>
>>> After a few more exchanges I show using WebID certificates could
>>> lead to enhanced transparency in identity usage for browsers in the future
>>>
>>>
>>>
> http://lists.w3.org/Archives/Public/public-webid/2012Oct/att-0022/privacy-definition-final.pdf
>>>
>>> I hope this helps. Btw. The WebID Incubator group will be meeting at TPAC [4],
>>> so see you there for further detailed discussions.
>>>
>>> 	Henry
>>>
>>>
>>> [1] http://en.wikipedia.org/wiki/Ben_Laurie
>>> [2] http://lists.w3.org/Archives/Public/public-webid/2012Sep/thread.html
>>> [3] http://lists.w3.org/Archives/Public/public-webid/2012Oct/0021.html
>>> [4] http://www.w3.org/2012/10/TPAC/
>>> [5]
>>>
> Social Web Architect
> http://bblfish.net/
>


-- 

Regards,

Kingsley Idehen	
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Attachments

application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Thursday, 4 October 2012 12:40:50 UTC