a philoweb example - Fwd: privacy definitions -- was: WebID questions

I am forwarding this exchange to the philoweb mailing list as it gives a good example of how philosophy starts penetrating discussions in engineering at the W3C. This exchange was one of the last ones in a 2 day debate [1] on the WebID community group with Ben Laurie [2], who is a founding member of the Apache Software Foundation, cryptographer, working at Google and on the advisory board of Wikileaks. Ben Laurie was taking the skeptical position on WebID throughout. I am not sure we managed to convince him, but the debate ended up turning when I realised that we might have been speaking past each other, and I introduced a working definition of privacy. That is the fundamental problem was one of distinguishing anonymity from privacy, and showing how linkeability may be essential to creating distributed social networks that can enhance privacy as well as community.

The debate had previously gotten stuck a lot on user interface issues, so I split this up with an e-mail to Ian Walden [3], professor of Information and communication Law at Queen Mary at the University of London. I am not sure if he'll be able to respond to the question, but at least by asking the question we could concentrate on the issue of autonomy and privacy. 

For those of you on this list studying philosophy I hope this gives some insight on how philosophy touches engineering, and can have a real impact on a debate. I know that I was often wondering how philosophy had an impact on reality when I was studying :-)

Henry Story

[1] http://lists.w3.org/Archives/Public/public-webid/2012Sep/thread.html
[2] http://en.wikipedia.org/wiki/Ben_Laurie
[3] http://lists.w3.org/Archives/Public/public-webid/2012Sep/0148.html

Begin forwarded message:

> From: Henry Story <henry.story@bblfish.net>
> Subject: Re: privacy definitions -- was: WebID questions
> Date: 28 September 2012 10:22:00 CEST
> To: Ben Laurie <benl@google.com>
> Cc: public-webid@w3.org, Tim Berners-Lee <timbl@w3.org>, Ian Jacobi <pipian@MIT.EDU>, Oshani Seneviratne <oshani@mit.edu>
> Bcc: Romain BLIN <romain.blin@etu.univ-st-etienne.fr>, Pierre Maret <pierre.maret@univ-st-etienne.fr>
> 
> Extending this to some members of the Distributed Information Group at MIT, 
> who are not members of the WebID Community Group 
>   http://www.w3.org/community/webid/
> 
> 
> On 27 Sep 2012, at 22:42, Ben Laurie <benl@google.com> wrote:
> 
>> On 27 September 2012 20:09, Henry Story <henry.story@bblfish.net> wrote:
>>> I think we have a problem with divergent understandings of what privacy amounts to,
>>> and we should clarify this divergence. More below.
>>> 
>>> On 27 Sep 2012, at 14:45, Ben Laurie <benl@google.com> wrote:
>>> 
>>>> On 27 September 2012 13:11, Henry Story <henry.story@bblfish.net> wrote:
>>>>> 
>>>>> On 27 Sep 2012, at 13:10, Ben Laurie <benl@google.com> wrote:
>>>>> 
>>>>>> On 27 September 2012 12:01, Henry Story <henry.story@bblfish.net> wrote:
>>>>>>> I forgot to reply to this comment:
>>>>>>> 
>>>>>>> On 27 Sep 2012, at 12:13, Ben Laurie <benl@google.com> wrote:
>>>>>>> 
>>>>>>>> The W3C does not seem to agree -
>>>>>>>> http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html claims
>>>>>>>> that some people do not want to be correlated across sites.
>>>>>>> 
>>>>>>> Yes. We are not saying they MUST be  correlated across sites, and we are not
>>>>>>> removing the freedom of people who wish not to be correlated.
>>>>>>> 
>>>>>>> When I go to a web site I don't have to click the login button. If I click
>>>>>>> the login button and it asks me for a certificate I don't have to choose one
>>>>>>> with a WebID - or choose one at all for that matter.
>>>>>>> 
>>>>>>> The browser UI people could add a field in the certificate login selection
>>>>>>> box for an origin-bound-certificate perhaps. I am not sure how they should
>>>>>>> present this, nor what the advantages or disadvanteges of doing that would
>>>>>>> be,  and it is outside the scope of the discussion here.
>>>>>>> 
>>>>>>> But if I want to login with an identity I have on the web, and I want this
>>>>>>> to be correlated, then I don't see why that freedom should not be available
>>>>>>> to me.
>>>>>>> 
>>>>>>> I am just saying that practically most people will not want to have 10000
>>>>>>> identities. Certainly if we restrict ourselves to identities that they want
>>>>>>> to use for correlation, it seems unlikely that people can cope with more
>>>>>>> than a handful or find it useful.
>>>>>> 
>>>>>> I find a standard that is not interested in helping people who want to
>>>>>> log in _and_ have privacy to not be very interesting.
>>>>> 
>>>>> That is stated so generally it is difficult to make much of it.  You seem to want Origin-bound-certificates it seems as described here:
>>>>> 
>>>>> http://tools.ietf.org/agenda/81/slides/tls-1.pdf
>>>>> 
>>>>> ( though the criticism of TLS certificates on slide 3 is wrong as I have already explained in
>>>>> http://lists.w3.org/Archives/Public/public-webid/2012Sep/0093.html )
>>>>> 
>>>>> I pointed out in my reply above that perhaps origin bound certificates could be tied  into a user experience with normal browsers and normal certificates. I don't see why there should  be a standard that solves both problems, or why they could not work together.
>>>>> 
>>>>> Now this still leaves you with the option of thinking that the problem you really care about - secure login to one site - is the one and only truly honest problem that an engineer needs to solve who is concerned about privacy. Let me spend a little time disabusing you of that understandably simple and appealing idea.  Consider:
>>>>> 
>>>>> 1. What kind of privacy do you get if you log into one site (say with Origin-bound certificates ) and it offers everything to you: your social networks, your films, your news, your search, etc... Is that really privacy?
>>>>> 
>>>>> 2. What incentive do you have when you go to a different site, and you log in there completely fresh? Let us imagine that that is the only thing you CAN do when you login to a new site: perhaps linked data and WebID have been made illegal in this world. So you arrive at this new site, and the number of people you can interact with is inevitably less than on mega-co's servers. You may find that cool. But where do you think the rest of humanity is going to end up on? And what does that do to your privacy when they tweet more and more where they saw you, what you told them, and in any case all the communication you send them has to go through megaco's servers.
>>>>> 
>>>>> So consider why and how you came to think that "login and privacy" were the only thing to merit your attention. Also consider why you think that login and identity don't equal privacy. Say you have a freedom box and I have mine, and I go to your server and authenticate and post a picture. The only two people who can see the picture are you and me. Where is there a privacy gap there?
>>>>> 
>>>>> I believe you are serious in your desire for privacy. And I respect that. But I think by not taking into account the network effect, by not noticing the many folded nature of reality, you end up working against your own values, and discarding solutions that could help you achieve your aims. So I do urge you to consider WebID as another tool to help create a more just and less asymetric space for us to live in, where we can all enjoy greater privacy and security.
>>>> 
>>>> I've talked about many issues with WebID, why do you think privacy is
>>>> my sole concern?
>>> 
>>> 
>>> You said "I find a standard that is not interested in helping people who want to log in _and_ have privacy to not be very interesting." But why would you think that WebID does not enable privacy?
>>> 
>>> I then put that together with your earlier statement "that some people do not want to be correlated across sites."
>>> Referring to a document on DO-NOT-TRACK by the W3C. It seems that you think that being correlated across sites (in any way) is a privacy problem.
>>> 
>>> If I put these together then it seems to me that you are thinking that a fundamental requirement for privacy is that one not be identified across sites in any way. You seem to exclude the possibility that I wilfully be identifying myself across a site, as one that cannot be privacy enhancing. Or else why would you think that WebID cannot be an option for people who are keen on privacy?
>>> 
>>> My understanding of privacy starts from a different intuition. A communication between two people is private if the only people who have access to the communication are the two people in question. One can easily generalise to groups: a conversation between groups of people is private (to the group) if the only people who can participate/read the information are members of that group....
>>> 
>>> So now imagine that you and I and each member of this mailing list have their own freedom box [1] . A freedom box is a one person server that serves only the person in question. I am purposefully taking an extreme example to make the point. Now lets imagine you put a picture of our future meeting at TPAC in late October - I hope you will be able to come - onto your freedom box, and tag the people who appear in that picture taken later at night in a bar. You may not want to make it public until and unless all the members who have appeared in the picture accept that picture to be public. So to keep it close to our current technology, let us say you send them an e-mail with the link to the page containing the pictures. You don't want all the people on the web who see that URL as it passes unencrypted through the etherspace to be able to also click on the URL and see the picture. So you add an access control rule to your page that only allows the people who were designed in the picture - by WebID - to access to those resources. On receiving the mail the tagged people can click on the picture's URL, authenticate with WebID, and see the picture. Anybody else who tried would not be able to see it: 403 Access Forbidden. Now I would say that those pictures are protected for privacy - they are not public, and only visible to the designated group - and you have used WebID in the process of making sure they were kept private. There was no third person in the loop that also saw the pictures. Only those people you wanted to could see them.
>>> 
>>>> 
>>>> My point was this: if your response to a desire for privacy _amongst
>>>> many other things_ is "then don't use WebID" that seems like a
>>>> deficiency in WebID to me, and one that makes it a lot less
>>>> interesting to me.
>>> 
>>> I was only saying: if you want to log into a site without using a WebID based certificate, then don't use a WebID based certificate. But don't think that by doing that you are guaranteeing your privacy. As I explained if there is only one big web site to rule them all and you log into it without webid, whatever you post there will be seen not only by the people you wanted to have it visible to, but also by the owners of the site. In our Freedbom Box scenario that is not the case. So this is a case of showing how having a global identity that the user can control enhances privacy.
>> 
>> Are you trolling?
> 
> Certainly not. I have presented this position at numerous conferences, 
> of which the Philosophy of the Web at the Sorbonne in Paris 2 years ago
> 
>   http://bblfish.net/tmp/2010/10/26/
> 
> and at numerous other presentations many of which are online on my 
> home page. It is true that I have not yet done a big presentation on 
> access control and WebID, which is something that I have started 
> remedying with a paper entitled "Extending WebID with delegation" 
> that was accepted at the International Semantic Web Conference ( ISWC ) 
> which will take place in November in Boston
>   http://bblfish.net/tmp/2012/08/05/WebID_Delegation_final_version.pdf
> 
> ( though I would like to rewrite it a bit to make the section 5 on 
> usage restrictions more prominent )
> For the purposes of the FreedomBox though section 3.1 will work fine.
> 
> A number of people in Tim Berners Lee's Distributed Information Group (DIG)
> at MIT have been implementing web access control using WebID of which 
> Ian Jacobi who developed an access control language called AIR and who 
> was also one of the very early implementers of WebID. Others in that 
> group such as Oshani ( referred to in the paper ) are going a step further 
> and working on Usage Restriction vocabularies that tie in with WebID.
> 
>> Your two examples would be equally satisfied by:
>> 
>> 1. I have a site that will tell everybody everything that you are
>> doing, except there's one GIF that only you and your friends can see.
>> Clearly I am providing privacy to you.
>> 
>> 2. If you use your alternative technology via a man-in-the-middle, you
>> get no privacy at all, so clearly your alternative technology provides
>> no privacy.
> 
> Those examples are a bit terse, so excuse me if I misunderstand them.
> 
> In 1. I am not sure what everything else being public on that site would have 
> to do with the question. We are restricting the notion of privacy to 
> a resource. Clearly if you republish the resource publicly, then it won't
> be visible only to members of the group, and so won't be private.
> 
> I think you are suggesting in 1 that one could use something like a 
> username and password to protect one picture and only allow members who 
> can prove they have the password to that username access to that picture.
> This would prove that one does not need WebID for access control? But
> of course that would be quite problematic to start with, for how would
> each of us get a username and password on your freedom box? The problem
> especially is how would you know that when we created accounts on your box
> that we were the people who you met at the conference? With WebID we could
> create a foaf:Group that we could publish on the W3C site containing all
> the members of the group. This file could be something like the following
> 
>  http://www.w3.org/2005/Incubator/webid/team.n3
> 
> You would be able to drag that onto on an admin page generated by
> your freedom box in an action that would give access to all members of 
> that group to your picture in a couple of clicks. You could then even 
> restrict access to some  some subset of the members of the group. So the ease
> of use is hugely improved for you when creating access control rules,
> and for us when connecting to your box.
>  A student at the University of Saint-Etienne retrofitted in a few weeks
> last spring his Social Network LifeShare to do just that. We presented this
> at the WWW2012 Conference in Lyon this summer and he put together a screen
> cast showing how this works
>  http://grayfoxkiller.free.fr/screencast-lifeshare.ogv
> ( there is still a lot of work to do there :-)
> 
> 2. I am not sure what it would be to provide a WebID server via a man
> in the middle. If I purposefully did that then I would be deceiving people
> and deception is always possible. We are not creating technology to stop
> people from being devious, we are making technology to allow them to 
> achieve their aims of having privacy that respects web architecture. To
> do this we are using TLS in a new, unexpected way. 
> 
> I would have thought that given your work at Apache on OpenSSL, and give 
> your foundational role at Apache you would be extremely pleased to see 
> how we are giving TLS a completely new and unexpected life, extending the
> way it can be used in so many new and original ways, and with the help of the 
> IETF Dane and DNSSEC - to lay the  foundations of a distributed secure social 
> web that respects privacy.
> 
> I hope I have understood your response correctly, and started answering
> it to your satisfaction,
> 
> 	Sincerely,
> 
> 	Henry Story
> 
> 
>>> 
>>> 
>>> Henry
>>> 
>>> 
>>> [1] http://freedomboxfoundation.org/
>>> [2] http://www.w3.org/2012/10/TPAC/
>>> 
>>> 
> 
> Social Web Architect
> http://bblfish.net/
> 

Social Web Architect
http://bblfish.net/