RE: Browser UI, privacy, and EU law

Dear All,

The answer is, of course, it depends!

The relevant legislative measure, Directive 02/58/EC, as amended in 2009,
states the following, at article 5(3):

"Member States shall ensure that the storing of information, or the
gaining of access to information already stored, in the terminal
equipment of a subscriber or user is only allowed on condition that
the subscriber or user concerned has given his or her consent, having
been provided with clear and comprehensive information, in accordance
with Directive 95/46/EC, inter alia, about the purposes of the
processing. This shall not prevent any technical storage or access for
the sole purpose of carrying out the transmission of a communication
over an electronic communications network, or as strictly necessary in
order for the provider of an information society service explicitly
requested by the subscriber or user to provide the service."

The references to 'consent' and 'clear and comprehensive information'
suggest that a user should be informed what identity he is giving to a web
site, since meaningful consent cannot be given unless the individual knows
what personal data is being disclosed. However, the last sentence of the
article is a get-out provision for data controllers, which means that
consent is not required in all circumstances.

Kind regards,

Ian

Professor Ian Walden
Professor of Information and Communications Law
Head, Institute of Computer and Communications Law

Centre for Commercial Law Studies
Queen Mary, University of London
67-69 Lincoln's Inn Fields
London WC2A 3JB

Tel: +44-(0)20-7882-8086
Mobile: +44-(0)7968-612-581


-----Original Message-----
From: Henry Story [mailto:henry.story@bblfish.net] 
Sent: 27 September 2012 14:29
To: Ian Walden; public-webid@w3.org; Ben Laurie
Subject: Browser UI, privacy, and EU law

Let me introduce Ian Walden, Professor of Information and Communication Law
[1], who gave perhaps one of the most entertaining presentations at IETF 83
at the behest of the Security Area Advisory Group [2] in Paris earlier this
year on the effect of new EU legislation on software development relating to
privacy. 

It has been a long time since then, and I was not expecting such a talk, so
I did not take notes. But I am pretty sure this has some relevance to the
topic at hand here.

What I would like to know is if we can start arguing from a legal
perspective now for enhancements to user interfaces in browsers to help the
user see what identity (s)he is showing to a web site. I am asking this
because in a discussion with Ben Laurie, who works as security specialist at
Google among many other things [3], Ben seemed to think there was no
requirement in EU law for this. But my take from the talk at IETF in Paris
was quite the opposite, or at the very least that things were about to
seriously change.

So let me summarise the UI improvement that I (and others) have been
arguing for. Client side certificates - with WebID - allow one to
authenticate (if one desires to) to a number of web sites in one click.
This is shown in the short video "WebID & Browsers" [4]. As I point out at
the end of the video, current browsers allow one to log into different sites
with a client certificate but:

  1. Fail to make it obvious at all times that one is logged in, or under
     what identity

     So, for example, if in Safari one has chosen an identity to log in, one
     cannot change it, or even ever see that this is the identity/certificate
     one has chosen.
     All the other browsers ask one again on accessing a web site, but still
     don't show the identity used.

  2. Don't make it easy to log out

     There is a bit of JavaScript that works on Netscape to log out, but the
     server must present that option. In my view the user should be in
     control. One has to close the whole browser to change identity.
     (Safari does not allow one to log out at all, ever!)

  3. Don't make it obvious when one is anonymous

Aza Raskin, a designer at Mozilla, presented a design that in my view would
solve this and user interaction problems very neatly and put the user in
control of his identity:

      http://www.azarask.in/blog/post/identity-in-the-browser-firefox/

Aza did not apply it to https client authentication (TLS) but the design
would clearly work just as well there too. I opened a bug report on Chrome
for something like this to be implemented:

    http://code.google.com/p/chromium/issues/detail?id=29784

And similarly to other open source and closed source browsers.

So the WebID protocol is here to try to create a global distributed social
network so that we can have more privacy by working in distributed social
networks [5] and not have to all interact on one huge mega-server (or at
least allow people to not have to do that without suffering a large penalty).
We can get going as is now, but we would like the browsers to put the user
more in control of his identity.

  So I was wondering if this is now a legal requirement :-)


  Henry 



[1] http://www.law.qmul.ac.uk/staff/walden.html
[2] http://www.ietf.org/mail-archive/web/saag/current/msg03614.html
[3] http://en.wikipedia.org/wiki/Ben_Laurie
[4] http://bblfish.net/blog/2011/05/25/
[5] I have a three-minute interview at the Oxford Internet Institute by Prof
William Dutton that covers this
    http://webcast.oii.ox.ac.uk/?view=Webcast&ID=20100524_323

Social Web Architect
http://bblfish.net/

Received on Wednesday, 3 October 2012 09:26:32 UTC