- From: Joe Hall <joe@cdt.org>
- Date: Mon, 26 Jan 2015 13:38:29 -0500
- To: David Singer <singer@apple.com>
- Cc: Bjoern Hoehrmann <derhoermi@gmx.net>, Rigo Wenning <rigo@w3.org>, public-privacy@w3.org
On Mon, Jan 26, 2015 at 4:33 AM, David Singer <singer@apple.com> wrote:

> Oh dear, I am clearly explaining this badly.

Thanks much for this, David. I definitely see it clearly now.

> I think it’s interesting in a number of respects:
>
> a) it’s an improvement on the status quo, where servers are completely unaware of any attempt to be private

I guess traditional client privacy tools see the servers as potential adversaries, so leaking an indication of intent in terms of private browsing could be a risk (e.g., server says, "ooooh, this session I would have associated with another session seems to want me not to link those two sessions... in fact, I'll label it as 'stuff this person really doesn't want people to know about'"). Here I guess this isn't clearly a leak of "I'm trying to be private, mom!!!" since it could very well be just a different person's session using essentially the same UA/env as a previous person.

This makes me wonder if existing tools to segregate "persona"-like elements (accounts on an OS, profiles for something like Mozilla products) don't do that enough? or maybe they're too heavy? Do you see a need for a server-side personae compliance spec, David? (Or am I thinking too far ahead or making this too complicated?)

> b) it’s not asking for *secrecy* at all; servers are at liberty to remember as much as before; there are very few privacy proposals that don’t slide into trying to be secret, and this is one. Privacy is also about where information is exposed, what it is linked to, and so on.

Interesting, would servers be at liberty to simply link all the personas they identify as likely the same user? (e.g., using fancy analytics like typing analysis, etc. to tell if two different persona are in fact the same person) That would seem to be a good part of the bargain to have here... and perhaps this isn't as complicated in terms of server compliance as TPWG/DNT?

> c) it recognizes that privacy is not a binary state — it’s not an either-or (you have it or you don’t); it’s a spectrum, and it’s about perception and control and exposure as much as it is about recording and so on.

Forgive me again... are you saying that by being able to have as many persona as I can keep track of that I'm "articulating" (a social science term of art, sorry) different aspects of my being that I'd rather servers not link together? That is rather interesting. For example, you could have a persona for activities that you want privacy of a certain level (say me looking at job candidate websites online) and another persona for activities of a higher level (say, if I'm looking at content online that I'd rather not have linked to my not-so-private self)?

thanks again, Joe

Received on Monday, 26 January 2015 18:39:17 UTC