
Re: privacy definitions -- was: WebID questions

From: Ben Laurie <benl@google.com>
Date: Tue, 16 Oct 2012 13:06:01 +0100
Message-ID: <CABrd9SQxJv=sTSVRzKL0oW2EXSgnTty9_OABt3Qb88jV81NfPw@mail.gmail.com>
To: Melvin Carvalho <melvincarvalho@gmail.com>
Cc: Henry Story <henry.story@bblfish.net>, "Jonas Hogberg K.O" <jonas.k.o.hogberg@ericsson.com>, "public-philoweb@w3.org" <public-philoweb@w3.org>, "public-webid@w3.org" <public-webid@w3.org>, Oshani Seneviratne <oshani@mit.edu>
On 16 October 2012 13:00, Melvin Carvalho <melvincarvalho@gmail.com> wrote:
>
>
> On 1 October 2012 15:36, Ben Laurie <benl@google.com> wrote:
>>
>> On 1 October 2012 14:07, Henry Story <henry.story@bblfish.net> wrote:
>> >
>> > On 1 Oct 2012, at 14:35, Ben Laurie <benl@google.com> wrote:
>> >
>> >> On 1 October 2012 13:20, Henry Story <henry.story@bblfish.net> wrote:
>> >>>
>> >>> On 1 Oct 2012, at 13:43, Ben Laurie <benl@google.com> wrote:
>> >>>
>> >>>> On 30 September 2012 20:22, Henry Story <henry.story@bblfish.net>
>> >>>> wrote:
>> >>>>>
>> >>>>> On 30 Sep 2012, at 20:46, Ben Laurie <benl@google.com> wrote:
>> >>>>>
>> >>>>>> On 30 September 2012 10:30, Henry Story <henry.story@bblfish.net>
>> >>>>>> wrote:
>> >>>>>>>
>> >>>>>>> On 29 Sep 2012, at 19:50, Ben Laurie <benl@google.com> wrote:
>> >>>>>>>
>> >>>>>>>> On 28 September 2012 15:26, Jonas Hogberg K.O
>> >>>>>>>> <jonas.k.o.hogberg@ericsson.com> wrote:
>> >>>>>>>>> At
>> >>>>>>>>>
>> >>>>>>>>> http://blogs.kuppingercole.com/kearns/2012/09/25/in-search-of-privacy/?goback=.gde_3480266_member_168314336,
>> >>>>>>>>> Dave Kearns writes:
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>>> There is indeed a lot of confusion about the subject, but there
>> >>>>>>>>> are two key
>> >>>>>>>>> phrases to remember when talking about privacy:
>> >>>>>>>>>
>> >>>>>>>>> Privacy is not anonymity
>> >>>>>>>>> Privacy is not secrecy
>> >>>>>>>>
>> >>>>>>>> Quoting those out of context is not particularly helpful. But for
>> >>>>>>>> more
>> >>>>>>>> on why anonymity is important for privacy...
>> >>>>>>>>
>> >>>>>>>> http://www.links.org/?p=123
>> >>>>>>>> http://www.links.org/?p=124
>> >>>>>>>
>> >>>>>>> Looking at those two, can we agree that we agree that anonymity
>> >>>>>>> should be the default?
>> >>>>>>> I believe as you do that when I go to a web site the default
>> >>>>>>> should be that I not be
>> >>>>>>> identified, and not be tracked. I can choose later to be tracked
>> >>>>>>> or identified for
>> >>>>>>> that site for a given amount of time or until I change my mind,
>> >>>>>>> but the default should
>> >>>>>>> be anonymity.
>> >>>>>>>
>> >>>>>>> ( Within limits of logic of course. If I tell anonymous Y
>> >>>>>>> something P
>> >>>>>>> which has consequence Q, and some other anonymous Z does something
>> >>>>>>> with Q that would have
>> >>>>>>> been nearly impossible to know had they not known P, then I could
>> >>>>>>> conclude within
>> >>>>>>> a certain probability that  Y == Z )
>> >>>>>>>
>> >>>>>>> The web provides this. Some browsers provide it better than
>> >>>>>>> others, but really
>> >>>>>>> this is up to them. It is not perfect: IP addresses can be tracked
>> >>>>>>> and DNS lookups
>> >>>>>>> can be tracked. But the web is not reliant on those. It could be
>> >>>>>>> deployed just as well
>> >>>>>>> on top of Tor. Had people had better memories, we could have had
>> >>>>>>> .onion urls plastered
>> >>>>>>> on bus stops since the beginning.
>> >>>>>>>
>> >>>>>>> Anonymity is important for many reasons. Among which is that it
>> >>>>>>> helps create a trusted
>> >>>>>>> public sphere. It increases my trust in the information I read if
>> >>>>>>> I know that the publisher
>> >>>>>>> publishes that information that can be read by anonymous readers.
>> >>>>>>> Knowing that the publisher
>> >>>>>>> cannot tell who is reading what he is publishing is a very strong
>> >>>>>>> guarantee that he
>> >>>>>>> is not adapting his message to different groups. Oddly enough
>> >>>>>>> anonymity has an important role
>> >>>>>>> therefore in public discussion.
>> >>>>>>>
>> >>>>>>> So do we agree here? I think we do.
>> >>>>>>
>> >>>>>> So far.
>> >>>>>
>> >>>>> ok. So let's see if we can agree further, from here :-)
>> >>>>>
>> >>>>> There are a number of identification options available.
>> >>>>> Let me list some of them:
>> >>>>>
>> >>>>> - anonymous ( 0 identification )
>> >>>>> - cookies   ( site bound )
>> >>>>> - TLS-Origin-Bound-Certificates ( unforgeable cookies )
>> >>>>> - Self-Signed certificates with an .onion WebID
>> >>>>>       ( I promised Appelbaum to work on that. This gives you an
>> >>>>> identity, but nobody knows
>> >>>>>         where you or your server are located )
>> >>>>> - Self-Signed certificates with a http(s) WebID
>> >>>>> - CA Signed Certificates
>> >>>>> - DNSSEC Signed Certificates
>> >>>>> - ...?
>> >>>>>
>> >>>>> We agree that anonymous should be the default.
>> >>>>> I think we can agree as a matter of simple fact that none of the
>> >>>>> browsers show
>> >>>>> you which of those modes you are in when looking at a web page. You
>> >>>>> cannot
>> >>>>> as a user therefore tell if you are anonymous or not. You cannot
>> >>>>> therefore tell
>> >>>>> if the page you are looking at has been tweaked for you or if it
>> >>>>> would appear
>> >>>>> differently to someone else in the same mode as you. You cannot tell
>> >>>>> if the
>> >>>>> agent on the other side can tie you to a browsing history or not.
>> >>>>>
>> >>>>> Well let me put this in a more nuanced way: you can tell the above
>> >>>>> from the
>> >>>>> side-effects - say if they show you your profile on a google+ page
>> >>>>> with edit mode
>> >>>>> allowed - but that is up to the server to show you that. We both
>> >>>>> want it to be
>> >>>>> up to the user. We don't want it to be up to the user in some
>> >>>>> complicated conf file
>> >>>>> hidden away somewhere. We both want it to be in your face,
>> >>>>> transparent. I should
>> >>>>> in an eyeblink be able to tell if I am anonymous or not, and I
>> >>>>> should be able
>> >>>>> to switch from one mode to the next if and when I want to in a
>> >>>>> simple easy gesture.
>> >>>>>
>> >>>>> Just as in real life when we put on a mask we know that we are
>> >>>>> wearing the mask,
>> >>>>> so on the web we want to know what mask we are wearing at all times.
>> >>>>>
>> >>>>> These are the improvements I have been fighting ( not alone ) to get
>> >>>>> browsers to
>> >>>>> implement. Are we fighting on the same side here?
>> >>>>
>> >>>> I agree that it is desirable to know how your browser is identifying
>> >>>> you and to be able to switch between users. So, I guess Chrome would
>> >>>> claim that the facility to have multiple users provides this. Do you
>> >>>> disagree?
>> >>>
>> >>> I looked up multiple Users and found this:
>> >>>  http://support.google.com/chrome/bin/answer.py?hl=en&answer=2364824
>> >>> I had not seen this before.
>> >>>
>> >>> So it seems to work for certificates. I created a new user Tester, and
>> >>> noticed the following as that Tester:
>> >>>
>> >>> 0. It did not have any of my bookmarks ( I suppose that's useful,
>> >>> cause your
>> >>>   bookmarks could identify you )
>> >>> 1. When I went to Google+ it did not know I was
>> >>> 2. Having signed in to https://my-profile.eu/ as the old user, I tried
>> >>> as the
>> >>>    new user Tester, and had to select a certificate again. Good.
>> >>>
>> >>> So that seems like one way to separate one's personalities. I'd still
>> >>> like to
>> >>> have the url bar show me for each tab:
>> >>>
>> >>> [anonymous] when I am not logged in
>> >>> [cookie] when I am tracked on that site
>> >>> [henry story] for a local site identity
>> >>> [bblfish@home] when I am using a certificate
>> >>>
>> >>> With the option of logging out from that site (ie checking x ->
>> >>> anonymous ). Because
>> >>> currently I could forget that I had chosen a certificate on a site,
>> >>> and it
>> >>> would continue sending it. Or I could mistakenly choose a certificate
>> >>> as one user,
>> >>> and then decide that was the wrong user for that persona, and not be
>> >>> able to choose
>> >>> the certificate again, without closing my browser completely. That
>> >>> would allow, on
>> >>> browser startup, the browser to remember the last identity choice for
>> >>> a site. Without
>> >>> logout capability that is not possible, because then it would be
>> >>> impossible to repair
>> >>> an identity mistake without creating a new user. (And it makes testing
>> >>> tedious).
>> >>>
>> >>> Currently when I close my browser, on restart the servers ask me for
>> >>> my certificate again.
>> >>>
>> >>> So it looks like this is going generally in the right direction. It
>> >>> still does not provide
>> >>> the transparency we are looking for at the UI level above. But thanks
>> >>> for pointing this out.
>> >>>
>> >>> So I think we agree that what is missing is the transparency at the UI
>> >>> level of which identity
>> >>> one is using at each site. That is what I was hoping the following bug
>> >>> report would achieve.
>> >>>
>> >>> http://code.google.com/p/chromium/issues/detail?id=29784
>> >>>
>> >>> So perhaps by putting this forward under the term transparency, that
>> >>> would help that bug report
>> >>> progress, since otherwise they could think that the issue had already
>> >>> been completely solved.
>> >>>
>> >>> So that's what I make of that. But have I missed something? Or do we
>> >>> agree there too?
>> >>
>> >> I don't think so. As I said, I think that Chrome would claim that the
>> >> users facility provides everything you need - if you want to know
>> >> which cert you're using, then have a user per cert. As for cookies and
>> >> "local site identities", this would require information the browser
>> >> does not currently have, so I think you would first have to explain
>> >> how it is going to get that information.
>> >
>> > Well the browser knows when it sends a cookie. So showing a [cookie]
>> > icon would be easy there. When you are in anonymous mode it does not
>> > send a cookie. (perhaps a no-cookie/cert icon - would be more precise)
>> > As for per site identity that is what the Mozilla folks were working
>> > with Aza Raskin
>> >
>> > http://www.azarask.in/blog/post/identity-in-the-browser-firefox/
>> >
>> > But until a standard is agreed to there, one could already have
>> > a [cookie] icon...
>>
>> Sure, but it would be pretty pointless: I just checked and every
>> single tab I have open has some cookies associated.
>
>
> Re cookies: I thought it was interesting new the launch of
>
> http://data.gov.uk/
>
> When you first load the site they give you an option of accepting cookies or
> not.
>
> If you say yes, you get a little "thank you", and an optional explanation of
> what that means.
>
> It's interesting to see a site that takes privacy seriously, is today, in
> the minority.

Lots of sites do it now, actually - it's a legal requirement.

>
>>
>> >> For anonymous, Chrome already has an anonymous mode (though note that
>> >> you don't really stay anonymous for long once you enter it, since it
>> >> must still use cookies or the 'net stops working - also bookmarks are
>> >> still available in anon mode).
>> >
>> > As above the browser knows when it sends cookies: and so it can show
>> > the user that it is doing that.
>> >
>> >>
>> >> I believe that Chrome experimented with per-tab personas and found
>> >> that it was a terrible user experience, btw.
>> >
>> > It does not look that bad in Aza Raskin's proposal, and the Account
>> > Manager work at Mozilla
>> >
>> > https://wiki.mozilla.org/Labs/Weave/Identity/Account_Manager
>> >
>> > My guess is that the project to create the multiple user work
>> > at Chrome trumped the development of good identity transparency
>> > solutions. That often happens in engineering: one good idea
>> > hides another one for a while.
>>
>> Or, as I said, it turns out to not work very well. That happens even
>> more often, and apparently has happened in this case. Saying it
>> doesn't look that bad to you doesn't change it!
>>
>> > In any case there is a lack of transparency in the multiple user
>> > set up that still needs to be rectified. How that is done I'll leave
>> > to UI experts. But I'll recognise a good solution whatever form it
>> > takes.
>> >
>> > Now here with WebID we are assuming such a solution will be found
>> > by one of the browser vendors in good time, and then adopted by the
>> > others. The current interface we can agree is not good enough for
>> > sure, but the problems we are trying to solve are important enough
>> > that we can work with the current limitations of browser.
>>
>> Who is the "we" that can agree it? And why is it not good enough? You
>> have not explained that at all.
>>
>> > That leaves us with the importance of cross site identity. I think
>> > I have a very powerful argument in favour of its importance. It is
>> > important for a certain kind of privacy to be possible: that between
>> > two people or groups of people wishing to exchange documents that
>> > should only be visible to certain people and no others. This is the
>> > case when someone wishes to discuss something with a doctor, or when
>> > someone wishes to publish photos of people at a party without making
>> > it fully public, and in many many other circumstances.  It is important
>> > for creating a distributed social network, which I will call the
>> > Social Web.  The Web and the internet have always been about
>> > distribution
>> > and decentralisation of information. We want to do that using WebID in
>> > a manner that increases privacy. I will be working on showing how
>> > this can be done on the Web, and on the Web running over Tor.
>> >
>> > Henry
>> >
>> > Social Web Architect
>> > http://bblfish.net/
>> >
>
>
Received on Tuesday, 16 October 2012 12:06:30 UTC
