- From: James Rosewell <notifications@github.com>
- Date: Tue, 21 Apr 2020 02:00:47 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/483/617050886@github.com>
@torgo How often do TAG positions need to be reviewed? The TAG decision to support the move to HTTPS was made five years ago. When was it last reviewed?

In the interest of transparent governance and robust decision-making, challenging assumptions and group think is healthy. As an example the EU, a leading proponent of privacy, are doing just that following the introduction of GDPR. Their [12th March 2020 meeting agenda](https://data.consilium.europa.eu/doc/document/ST-5979-2020-INIT/en/pdf) concerning the regulation on privacy and electronic communications recognises the problems of consent fatigue in practice and is open to shifting the consent framework to the user’s agent to address these problems. They are open to evaluating the practical reality of past decisions and legislation. The W3C should do the same.

Before progressing this, or any other removal of functionality, reliant on the HTTPS security boundary or privacy argument, a balancing test involving environmental impact, web performance, open web, competition, trust and the risk of a breaking change needs to be undertaken, explicitly considering the purpose of the W3C as accepted by all members.

**Environmental**

Data centre energy consumption contributes to the climate crisis. The trend to ever more security has increased carbon output.

As an example, washingtonpost.com contains 160kb of custom fonts and CSS. These are fetched securely over HTTPS and HTTP/2 when available. HTTPS consumes more computing resources than HTTP. The CSS and font assets are identical for every user. The effective mandatory use of HTTPS has prevented ISPs from caching those assets and serving them in a more carbon efficient manner. These assets have no bearing on the article being read.

More research is needed into the carbon footprint associated with security. Recent research into the carbon impact of email provides some indicators as to the size of the prize. If everyone in Britain sent one less email per day, 16,433 tonnes of carbon would be saved according to [research conducted by OVO Energy in 2019](https://www.ovoenergy.com/ovo-newsroom/press-releases/2019/november/think-before-you-thank-if-every-brit-sent-one-less-thank-you-email-a-day-we-would-save-16433-tonnes-of-carbon-a-year-the-same-as-81152-flights-to-madrid.html) and commented on by Mike Berners-Lee. More robust research is needed.

**Performance**

If all the public content of Washingtonpost.com were publicly cacheable, not only would an even greater carbon reduction result but there would also be a vast improvement to user performance. The technology to achieve this is comparatively simple, works well and is understood.

**Trust**

People trust brands. Brands spend vast sums of money establishing and maintaining trust. Unlike other daily activities, use of the web involves trusting three primary brands simultaneously: the web browser, the ISP and the publisher. It is hard for people to understand which of these brands are responsible for their security and the role each plays. They have become confused and scared by privacy statement overload, the media’s reporting of security breaches, and find it hard to decide who to trust. Naturally they gravitate towards better known brands, and when asked state they “want security”.

**Open Web**

Google introduced [Accelerated Mobile Pages (AMP) in 2015](https://googleblog.blogspot.com/2015/10/introducing-accelerated-mobile-pages.html) to address the performance issues impacting publishing. Some of these performance issues were introduced as a result of the mass adoption of HTTPS. As the primary host of AMP Google now control the articles users get to see and the revenues publishers receive. Google are one of the biggest financial benefactors from the security boundary referenced.

Unless something drastic changes for Firefox, Chromium based web browsers and Safari will be the only web browsers actively maintained in a few years. Google by virtue of their size and scale have absolute control over Chromium and de-facto web standards. It would be interesting to learn what plans the W3C have in place to handle this likely near future scenario.

Google will control the web browser and the publisher. Google’s walled garden and the web will in practice become one and the same. Google will enjoy unrivalled trust with web users.

Advertising funded journalism is at the heart of democracy. It is under significant threat from many quarters. Anything which threatens its rejuvenation should be questioned rigorously.

**Suggestions**

The W3C hosts ([MIT, ERCIM, KEIO, BEIHANG](https://www.w3.org/2009/12/Member-Agreement)) have the resources to commission the research needed into the environmental impact of ubiquitous security. Such research will enable the TAG to revalidate its position on HTTPS in regards to environmental impact or alter it. The global position on climate change has shifted significantly over the past five years.

The UK's [competition and market authority are investigating Google](https://www.gov.uk/cma-cases/online-platforms-and-digital-advertising-market-study). Prior to the coronavirus pandemic they were due to publish their final report and recommendations in July 2020. This report will inform the W3C.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/483#issuecomment-617050886
Received on Tuesday, 21 April 2020 09:01:02 UTC