Identity transparency - was: privacy definitions -- was: WebID questions from Henry Story on 2012-10-17 (public-privacy@w3.org from October to December 2012)

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 17 Oct 2012 13:34:40 +0200
To: wilton@isoc.org, public-privacy list <public-privacy@w3.org>
Cc: Ben Laurie <benl@google.com>, public-privacy list <public-privacy@w3.org>, "public-webid@w3.org" <public-webid@w3.org>
Message-Id: <AFEB5B35-AA43-4485-9097-F8A003461772@bblfish.net>

On 17 Oct 2012, at 13:14, wilton@isoc.org wrote:

> I can see the desirability of what you're driving at, but I think in terms of altering user behaviour more is needed than an icon. Users would have to *want* to use (and separate) multiple personas, based on context, and experience tells us that icons don't generate that desire (cf. the SSL 'padlock'...).

I agree: there are many things to do to improve the value of such features.

The SSL padlock is a good example, of too little value making something relatively uninteresting. The padlock was there to signal to the user that he was connected to a site in an encrypted manner. It was not to tell the user what his own identity was.

In any case it had a number of problems:

 1. It did not say anything about the site or how trustworthy it was
 2. It was hidden at the bottom of the browser, instead of being close to the URL bar, which is where most browsers have it now.

If you look at Aza Raskin's UI solution

    http://www.azarask.in/blog/post/identity-in-the-browser-firefox/

 you will see that what he does is bring the two together, making it easier for the user to see the parallel between user and server identity/security. By tying additional functionality together, such as for example the ability to log out from a site, or change identity, by making the feature more important and more useful, you make it something people pay attention to more.

On server side identity btw, WebID can also be applied longer term to increase trust by building what I call a distributed web of institutional trust. I expanded on these possibilities earlier this year at the European Identity Conference in Switzerland in a talk entitled "WebID and eCommerce"

   http://bblfish.net/blog/2012/04/30/

When you go to a bank, it is important to know that this is a bank you have reached and not some fake. Furthermore it is important to know that it is a bank you can do business with. There are things here that can be moved into the chrome and thereby hugely increase security and trust on the web.



> 
> R
> 
> Sent from my BlackBerry - apologies for typos/terseness
> 
> -----Original Message-----
> From: Henry Story <henry.story@bblfish.net>
> Date: Wed, 17 Oct 2012 11:24:54 
> To: <wilton@isoc.org>
> Cc: David Singer<singer@apple.com>; Melvin Carvalho<melvincarvalho@gmail.com>; Ben Laurie<benl@google.com>; public-privacy list<public-privacy@w3.org>; <public-webid@w3.org>
> Subject: Re: privacy definitions -- was: WebID questions
> 
> 
> On 17 Oct 2012, at 10:35, wilton@isoc.org wrote:
> 
>> I agree; there are already tools that will tell you is cookies are being set (or blocked...).
>> 
>> A tool which could tell you what the identifier is that has been set by a given site would provide useful raw data, but that data would need more processing over time if it were to be used as the basis for user decisions about separation of personas.
> 
> The data would indeed need to be presented nicely to the user via the chrome. It is really 
> important that this happen in the chrome, because that is the part the user can trust.
> 
> So imagine that one develop the cookied mechanism into a WebID cookie somehow. Then one could
> have the HTTP header return something like
> 
> Cookie: ....
> WebID-Cookie: /users/george
> 
> Where an HTTP GET on /users/george would return a document semantically equivalent
> to something like the following Turtle ( http://w3.org/TR/Turtle )
> 
> <> a foaf:PersonalProfileDocument;
>   foaf:primaryTopic <#me> .
> 
> <#me> a foaf:Person;
>      foaf:icon <img/smal-pic> ;
>      foaf:homePage <.> .
> 
> the browser can then fetch this document to give a UI for that site, where of course
> all the above data is access controlled and only visible to the user with that cookie.
> As the user changes his profile on his home page, so the icon in his chrome would change
> too.
> 
> Now all that http://webid.info/spec/ does is allow the same to be done on a global scale
> for users that want to be able to link up across web sites. This can in fact 
> increases privacy as I argued in "Liking Linkability" thread
>  http://lists.w3.org/Archives/Public/public-webid/2012Oct/0071.html
> 
> but ONLY IF Transparency of identity is correctly implemented in the browser.
> 
> Henry
> 
> 
>> 
>> Yrs.,
>> Robin
>> 
>> Sent from my BlackBerry - apologies for typos/terseness
>> 
>> -----Original Message-----
>> From: David Singer <singer@apple.com>
>> Date: Wed, 17 Oct 2012 16:28:27 
>> To: Henry Story<henry.story@bblfish.net>
>> Cc: Melvin Carvalho<melvincarvalho@gmail.com>; Ben Laurie<benl@google.com>; public-privacy list<public-privacy@w3.org>; <public-webid@w3.org>
>> Subject: Re: privacy definitions -- was: WebID questions
>> 
>> I think Aza is doing something different from what I heard you imply.  I thought you wanted a visual indicator somewhere "this site has cookies set".  Aza seems to be saying here "you are logged-in to this site as GuyFawkes".  These are different statements, and the first has questionnable value.  Sorry if I misunderstood.
>> David Singer
>> Multimedia and Software Standards, Apple Inc.
>> 
>> 
> 
> Social Web Architect
> http://bblfish.net/
> 
> 

Social Web Architect
http://bblfish.net/

Attachments

application/pkcs7-signature attachment: smime.p7s

Received on Wednesday, 17 October 2012 11:35:37 UTC