
Re: indicating 'private browsing mode' over the net (was Re: Super Cookies in Privacy Browsing mode)

From: David Singer <singer@apple.com>
Date: Thu, 29 Jan 2015 19:24:45 +0100
Cc: Wendy Seltzer <wseltzer@w3.org>, chaals@yandex-team.ru, Robin Wilton <wilton@isoc.org>, Joseph Lorenzo Hall <joe@cdt.org>, Bjoern Hoehrmann <derhoermi@gmx.net>, Rigo Wenning <rigo@w3.org>, "public-privacy mailing list (W3C)" <public-privacy@w3.org>
Message-id: <60B1917A-F1D4-4160-8FB6-1742E69403C6@apple.com>
To: Mike O'Neill <michael.oneill@baycloud.com>

> On Jan 29, 2015, at 19:09 , Mike O'Neill <michael.oneill@baycloud.com> wrote:
>> Interesting mix of norms and tech -- and yes, a different privacy threat
>> model from the one many of us are accustomed to considering. Here, we're
>> trusting the server to share our interests and want to help us enforce
>> the contextual boundaries we choose, even if its knowledge could span
>> those boundaries.
>> This model is a better match with the Web Origin security model -- where
>> an origin site is presumed to have control of the web application
>> security, and the end-user must choose to trust the origin (with limited
>> user-side overrides) or not visit the site.
>> I wonder what sorts of feedback could help to reinforce to end-users
>> that their trust was in fact merited.
>> --Wendy
> It would have to include all the servers being accessed, third parties also. I think David's header would be seen by all of them, and it would only take one to ignore the contextual boundaries, decide to combine multiple personas with other data in a PII-keyed database, then broadcast it to the world (and UA-based UUIDs are far more reliably user-identifying than IP addresses, which are usually ephemeral and non-unique).

True, but don’t forget we’re coming from a state where the servers don’t even know of the desire.  I don’t mind machine-based discoverability, but it’s tricky to work out how to include transparent proxies and caches in that.

> Maybe there should be an implicit web of trust that covers all the servers receiving user specific data on a page, where they all commit to a common declared level of privacy and security. The browser could then have UI to communicate that.

The problem comes from elements not directly on the page, of course.

> WebID could be used to identify all the parties (not just origins), and a manifest could define the trust relationship.
> Mike

David Singer
Manager, Software Standards, Apple Inc.
Received on Thursday, 29 January 2015 18:25:18 UTC
