- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Tue, 16 Oct 2012 14:26:35 +0200
- To: Henry Story <henry.story@bblfish.net>
- Cc: Ben Laurie <benl@google.com>, public-privacy list <public-privacy@w3.org>, public-webid@w3.org
- Message-ID: <CAKaEYh+41oG-L3347ar-0ZN-s01OFJ0thtGeu2eQ=-tQJJ3HLg@mail.gmail.com>
On 16 October 2012 14:14, Henry Story <henry.story@bblfish.net> wrote: > > On 16 Oct 2012, at 14:06, Ben Laurie <benl@google.com> wrote: > > > On 16 October 2012 13:00, Melvin Carvalho <melvincarvalho@gmail.com> > wrote: > >> > >> > >> On 1 October 2012 15:36, Ben Laurie <benl@google.com> wrote: > >>> > >>> On 1 October 2012 14:07, Henry Story <henry.story@bblfish.net> wrote: > >>>> > >>>> On 1 Oct 2012, at 14:35, Ben Laurie <benl@google.com> wrote: > >>>> > >>>>> On 1 October 2012 13:20, Henry Story <henry.story@bblfish.net> > wrote: > >>>>>> > >>>>>> On 1 Oct 2012, at 13:43, Ben Laurie <benl@google.com> wrote: > >>>>>> > >>>>>>> On 30 September 2012 20:22, Henry Story <henry.story@bblfish.net> > >>>>>>> wrote: > >>>>>>>> > >>>>>>>> On 30 Sep 2012, at 20:46, Ben Laurie <benl@google.com> wrote: > >>>>>>>> > >>>>>>>>> On 30 September 2012 10:30, Henry Story <henry.story@bblfish.net > > > >>>>>>>>> wrote: > >>>>>>>>>> > >>>>>>>>>> On 29 Sep 2012, at 19:50, Ben Laurie <benl@google.com> wrote: > >>>>>>>>>> > >>>>>>>>>>> On 28 September 2012 15:26, Jonas Hogberg K.O > >>>>>>>>>>> <jonas.k.o.hogberg@ericsson.com> wrote: > >>>>>>>>>>>> At > >>>>>>>>>>>> > >>>>>>>>>>>> > http://blogs.kuppingercole.com/kearns/2012/09/25/in-search-of-privacy/?goback=.gde_3480266_member_168314336 > , > >>>>>>>>>>>> Dave Kearns writes: > >>>>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>>> There is indeed a lot of confusion about the subject, but > there > >>>>>>>>>>>> are two key > >>>>>>>>>>>> phrases to remember when talking about privacy: > >>>>>>>>>>>> > >>>>>>>>>>>> Privacy is not anonymity > >>>>>>>>>>>> Privacy is not secrecy > >>>>>>>>>>> > >>>>>>>>>>> Quoting those out of context is not particularly helpful. But > for > >>>>>>>>>>> more > >>>>>>>>>>> on why anonymity is important for privacy... > >>>>>>>>>>> > >>>>>>>>>>> http://www.links.org/?p=123 > >>>>>>>>>>> http://www.links.org/?p=124 > >>>>>>>>>> > >>>>>>>>>> Looking at those two, can we agree that we agree that anonymity > >>>>>>>>>> should be the default? > >>>>>>>>>> I believe as you do that when I go to a web site the default > >>>>>>>>>> should be that I not be > >>>>>>>>>> identified, and not be tracked. I can choose later to be tracked > >>>>>>>>>> or identified for > >>>>>>>>>> that site for a given amount of time or until I change my mind, > >>>>>>>>>> but the default should > >>>>>>>>>> be anonymity. > >>>>>>>>>> > >>>>>>>>>> ( Within limits of logic of course. If I tell anonymous Y > >>>>>>>>>> something P > >>>>>>>>>> which has consequence Q, and some other anonymous Z does > something > >>>>>>>>>> with Q that would have > >>>>>>>>>> been nearly impossible to know had they not known P, then I > could > >>>>>>>>>> conclude within > >>>>>>>>>> a certain probability that Y == Z ) > >>>>>>>>>> > >>>>>>>>>> The web provides this. Some browsers provide it better than > >>>>>>>>>> others, but really > >>>>>>>>>> this is up to them. It is not perfect: ip addresses can be > tracked > >>>>>>>>>> and dns lookups > >>>>>>>>>> can be tracked. But the web is not reliant on those. It could be > >>>>>>>>>> deployed just as well > >>>>>>>>>> on top of Tor. Had people had better memories, we could have had > >>>>>>>>>> .onion urls plastered > >>>>>>>>>> on bus stops since the beginning. > >>>>>>>>>> > >>>>>>>>>> Anonymity is important for many reasons. Among which is that it > >>>>>>>>>> helps create a trusted > >>>>>>>>>> public sphere. It increases my trust in the information I read > if > >>>>>>>>>> I know that the publisher > >>>>>>>>>> publishes that information that can be read by anonymous > readers. > >>>>>>>>>> Knowing that the publisher > >>>>>>>>>> cannot tell who is reading what he is publishing is a very > strong > >>>>>>>>>> guarantee that he > >>>>>>>>>> is not adapting his message to different groups. Oddly enough > >>>>>>>>>> anonymity has an important role > >>>>>>>>>> therefore in public discussion. > >>>>>>>>>> > >>>>>>>>>> So do we agree here? I think we do. > >>>>>>>>> > >>>>>>>>> So far. > >>>>>>>> > >>>>>>>> ok. So let's see if we can agree further, from here :-) > >>>>>>>> > >>>>>>>> There are a number of identification options available. > >>>>>>>> Let me list some of them: > >>>>>>>> > >>>>>>>> - anonymous ( 0 identification ) > >>>>>>>> - cookies ( site bound ) > >>>>>>>> - TLS-Origin-Bound-Certificates ( unforgeable cookies ) > >>>>>>>> - Self-Signed certificates with an .onion WebID > >>>>>>>> ( I promised Appelbaum to work on that. This gives you an > >>>>>>>> identity, but nobody knows > >>>>>>>> where you or your server are located ) > >>>>>>>> - Self-Signed certificates with a http(s) WebID > >>>>>>>> - CA Signed Certificates > >>>>>>>> - DNSSEC Signed Certificates > >>>>>>>> - ...? > >>>>>>>> > >>>>>>>> We agree that anonymous should be the default. > >>>>>>>> I think we can agree as a matter of simple fact that none of the > >>>>>>>> browsers show > >>>>>>>> you which of those modes you are in when looking at a web page. > You > >>>>>>>> cannot > >>>>>>>> as a user therefore tell if you are anonymous or not. You cannot > >>>>>>>> therefore tell > >>>>>>>> if the page you are looking at has been tweaked for you or if it > >>>>>>>> would appear > >>>>>>>> differently to someone else in the same mode as you. You cannot > tell > >>>>>>>> if the > >>>>>>>> agent on the other side can tie you to a browsing history or not. > >>>>>>>> > >>>>>>>> Well let me put this in a more nuanced way: you can tell the above > >>>>>>>> from the > >>>>>>>> side-effects - say if they should you your profile on a google+ > page > >>>>>>>> with edit mode > >>>>>>>> allowed - but that is up to the server to show you that. We both > >>>>>>>> want it to be > >>>>>>>> up to the user. We don't want it to be up to the user in some > >>>>>>>> complicated conf file > >>>>>>>> hidden away somewhere. We both want it to be in your face, > >>>>>>>> transparent. I should > >>>>>>>> in an eyeblink be able to tell if I am anonymous or not, and I > >>>>>>>> should be able > >>>>>>>> to switch from one mode to the next if and when I want to in a > >>>>>>>> simple easy gesture. > >>>>>>>> > >>>>>>>> Just as in real life when we put on a mask we know that we are > >>>>>>>> wearing the mask, > >>>>>>>> so on the web we want to know what mask we are wearing at all > times. > >>>>>>>> > >>>>>>>> These are the improvements I have been fighting ( not alone ) to > get > >>>>>>>> browsers to > >>>>>>>> implement. Are we fighting on the same side here? > >>>>>>> > >>>>>>> I agree that it is desirable to know how your browser is > identifying > >>>>>>> you and to be able to switch between users. So, I guess Chrome > would > >>>>>>> claim that the facility to have multiple users provides this. Do > you > >>>>>>> disagree? > >>>>>> > >>>>>> I looked up multiple Users and found this: > >>>>>> http://support.google.com/chrome/bin/answer.py?hl=en&answer=2364824 > >>>>>> I had not seen this before. > >>>>>> > >>>>>> So it seems to work for certificates. I created a new user Tester, > and > >>>>>> noticed the following as that Tester: > >>>>>> > >>>>>> 0. It did not have any of my bookmarks ( I suppose that's useful, > >>>>>> cause your > >>>>>> bookmarks could identify you ) > >>>>>> 1. When I went to Google+ it did not know I was > >>>>>> 2. Having signed in to https://my-profile.eu/ as the old user, I > tried > >>>>>> as the > >>>>>> new user Tester, and had to select a certificate again. Good. > >>>>>> > >>>>>> So that seems like one way to separate one's personalities. I'd > still > >>>>>> like to > >>>>>> have the url bar show me for each tab: > >>>>>> > >>>>>> [anonymous] when I am not logged in > >>>>>> [cookie] when I am tracked on that site > >>>>>> [henry story] for a local site identity > >>>>>> [bblfish@home] when I am using a certificate > >>>>>> > >>>>>> With the option of logging out from that site (ie checking x -> > >>>>>> anonymous ). Because > >>>>>> currently I could forget that I had chosen a certificate on a site, > >>>>>> and it > >>>>>> would continue sending it. Or I could mistakenly choose a > certificate > >>>>>> as one user, > >>>>>> and then decide that was the wrong user for that persona, and not be > >>>>>> able to choose > >>>>>> the certificate again, without closing my browser completely. That > >>>>>> would allow, on > >>>>>> browser startup, the browser to remember the last identity choice > for > >>>>>> a site. Without > >>>>>> logout capability that is not possible, because then it would be > >>>>>> impossible to repair > >>>>>> an identity mistake without creating a new user. (And it makes > testing > >>>>>> tedious). > >>>>>> > >>>>>> Currently when I close my browser, on restart the servers ask me for > >>>>>> my certificate again. > >>>>>> > >>>>>> So it looks like this is going generally in the right direction. It > >>>>>> still does not provide > >>>>>> the transparency we are looking for at the UI level above. But > thanks > >>>>>> for pointing this out. > >>>>>> > >>>>>> So I think we agree that what is missing is the transparency at the > UI > >>>>>> level of which identity > >>>>>> one is using at each site. That is what I was hoping the following > bug > >>>>>> report would achieve. > >>>>>> > >>>>>> http://code.google.com/p/chromium/issues/detail?id=29784 > >>>>>> > >>>>>> So perhaps by putting this forward under the term transparency, that > >>>>>> would help that bug report > >>>>>> progress, since otherwise they could thing that the issue had > already > >>>>>> been completely solved. > >>>>>> > >>>>>> So that's what I make of that. But have I missed something? Or do we > >>>>>> agree there too? > >>>>> > >>>>> I don't think so > >>>>> . As I said, I think that Chrome would claim that the > >>>>> users facility provides everything you need - if you want to know > >>>>> which cert you're using, then have a user per cert. As for cookies > and > >>>>> "local site identities", this would require information the browser > >>>>> does not currently have, so I think you would first have to explain > >>>>> how it is going to get that information. > >>>> > >>>> Well the browser knows when it sends a cookie. So showing a [cookie] > >>>> icon would be easy there. When you are in anonymous mode it does not > >>>> send a cookie. (perhaps a no-cookie/cert icon - would be more precise) > >>>> As for per site identity that is what the Mozilla folks were working > >>>> with Aza Raskin > >>>> > >>>> http://www.azarask.in/blog/post/identity-in-the-browser-firefox/ > >>>> > >>>> But until a standard is agree to there, one could already have > >>>> a [cookie] icon... > >>> > >>> Sure, but it would be pretty pointless: I just checked and every > >>> single tab I have open has some cookies associated. > >> > >> > >> Re cookies: I thought it was interesting new the launch of > >> > >> http://data.gov.uk/ > >> > >> When you first load the site they give you an option of accepting > cookies or > >> not. > >> > >> If you say yes, you get a little "thank you", and an optional > explanation of > >> what that means. > >> > >> It's interesting to see a site that takes privacy seriously, is today, > in > >> the minority. > > > > Lots of sites do it now, actually - its a legal requirement. > > yes, I saw a few of those recently. > > It's a pitty they we end up pushing the sites to do so much work, when the > browsers could make the same visible and clear from the chrome, in a way > that the user would not need to trust the web site owner to do it > correctly. > Currently of course only nice web sites will tell users, all the others > won't. > Yes, definitely. Some folks in the CCC community, used to advocate using Opera browser for this reason. There's an option: 'Ask me before accepting cookies'. And you can accept cookies only for the site you visit. > > > > > > >> > >>> > >>>>> For anonymous, Chrome already has an anonymous mode (though note that > >>>>> you don't really stay anonymous for long once you enter it, since it > >>>>> must still use cookies or the 'net stops working - also bookmarks are > >>>>> still available in anon mode). > >>>> > >>>> As above the browser knows when it sends cookies: and so it can show > >>>> the user that it is doing that. > >>>> > >>>>> > >>>>> I believe that Chrome experimented with per-tab personas and found > >>>>> that it was a terrible user experience, btw. > >>>> > >>>> It does not look that bad in Aza Raskin's proposal, and the Account > >>>> Manager work at Mozilla > >>>> > >>>> https://wiki.mozilla.org/Labs/Weave/Identity/Account_Manager > >>>> > >>>> My guess is that the project to create the multiple user work > >>>> at Chrome trumped the development of good identity transparency > >>>> solutions. That often happens in engineering: one good idea > >>>> hides another one for a while. > >>> > >>> Or, as I said, it turns out to not work very well. That happens even > >>> more often, and apparently has happened in this case. Saying it > >>> doesn't look that bad to you doesn't change it! > >>> > >>>> In any case there is a lack of transparency in the multiple user > >>>> set up that still needs to be rectified. How that is done I'll leave > >>>> to UI experts. But I'll recognise a good solution whatever form it > >>>> takes. > >>>> > >>>> Now here with WebID we are assuming such a solution will be found > >>>> by one of the browser vendors in good time, and then adopted by the > >>>> others. The current interface we can agree is not good enough for > >>>> sure, but the problems we are trying to solve are important enough > >>>> that we can work with the current limitations of browser. > >>> > >>> Who is the "we" that can agree it? And why is it not good enough? You > >>> have not explained that at all. > >>> > >>>> That leaves us with the importance of cross site identity. I think > >>>> I have a very powerful argument in favour of its importance. It is > >>>> important for a certain kind of privacy to be possible: that between > >>>> two people or groups of people wishing to exchange documents that > >>>> should only be visible to certain people and no others. This is the > >>>> case when someone wishes to discuss something with a doctor, or when > >>>> someone wishes to publish photos of people at a party without making > >>>> it fully public, and in many many other circumstances. It is > important > >>>> for creating a distributed social network, which I will call the > >>>> Social Web. The Web and the internet have always been about > >>>> distribution > >>>> and decentralisation of information. We want to do that using WebID in > >>>> a manner that increases privacy. I will be working on showing how > >>>> this can be done on the Web, and on the Web running over Tor. > >>>> > >>>> Henry > >>>> > >>>> Social Web Architect > >>>> http://bblfish.net/ > >>>> > >> > >> > > Social Web Architect > http://bblfish.net/ > >
Received on Tuesday, 16 October 2012 12:27:07 UTC