decryption strategies / requirements

So,

I’ve been reading: http://www.computerworld.com.au/article/543477/should_australians_prepare_rubber-hose_cryptanalysis_/  

Where access to your systems is required without your consent, what options for how that is done should be available to be asserted as a preference by the user prior to any such event of involuntary fulfilment?
A few ideas:

I'm not sure an interface exists that gives people the opportunity to be brought into the discussion and given some options. Rather than simply expecting people to say no, why not give a bunch of options? Perhaps a preferences method could be made available to users that supports 'lawful intercept' requirements by picking a box: how one chooses to respond to such requests.

Lawful intercept is absolutely required; however, how do we know how often and for what purposes these systems are used, in the interests of defending the rule of law, broadly? Whilst the use case of lawful intercept is an extreme example, there are others, such as the death of a person, the disappearance of a minor, a medical emergency and others.

So, what are the options? I've come up with a few…

Option 1 - Auto-Publish: If someone needs to hack your account, you publish the bit they're trying to hack into publicly, along with the IP/WebID/Web-Identity of the data requestor.

In an automated way, perhaps if marked, as an alternative to unfettered access (giving people private keys without warrants / court orders)…

Therein, if that method is unreasonably exploited (meaning the result was that some 'approved' DB just wants to archive the lot), then it would be a breach of privacy / human rights principles.

Option 2 - State the claim

If you've bought some meat and it's found to be contaminated, it would be good to know about it before symptoms appeared; or an electrical device that was prone to burning down houses, etc. If your 'digital receipt' preference is 'do not contact', you might make an exception to the rule in such circumstances.

On the flip side, if the receipts are stored retailer-side: if a company found a fault with their product and therefore wanted to go and change the warranty terms after they found these new issues with their products (meaning, after the point of sale), from a standards point of view, what protects against those types of 'attacks'? The other issue that comes to mind is using decryption methods to change a document at a later date. I imagine blockchain-type technologies make these sorts of attacks more difficult? Are there other methods considered?

Sometimes, the most difficult people to keep honest are public servants. Whilst internal issues might be sorted out, along with an organisation's willingness to admit fault (regardless of whether they've internally identified / corrected an issue), these systems could be used for the purposes of gaining commercial advantage, or for other 'financially motivated' nefarious purposes (meaning, contrary to the interests of the principal capability request, of seeking to uphold the rule of law…).

Option 3 - Go to court / subpoena / refer to solicitor

In non-urgent cases, the actions of both parties should be made available to a court of law for judgement. Perhaps a mechanism might exist to ensure the data is still available (i.e. cannot be deleted, but is still encrypted) but is not made available until after a judgement. I imagine this is a bit like a webmaster address registered with a domain name.

Law says something along the lines of "all people are equal in the eyes of the law". Reality shows that funds / accessibility to 'stuff' is a bit like helping the poor see an optometrist, let alone fill a prescription…
_____________________________________________________________

The idea of simply handing over private keys seems unreasonably unfettered. Australian politics seems to regard 'metadata' as billing data (http://www.zdnet.com/australias-chief-law-officer-brands-metadata-a-contestable-concept-7000023859/). How can principles be applied to non-voluntary data requests, and what options could be provided to users via embedded functions in platform services to comply with these requests?

If the requests are always kept secret, my concern would be that, systemically, the system becomes less secure as the potential consequences for overuse are minimal. I am especially concerned about the potential implications for innovation markets (pre-patent / IPR protection strategies being in place). Therein, e-contracts and other related factors…

Interactions with other tech: I believe the WebID capability (issuing an X.509v3 cert) to machines with FOAF descriptions (more from a WoT / IoT point of view than a specified user, although inclusive of 'linked users') helps by 'authorising' workstations / machines into the world of linked data.

I imagine solutions would need to fit into international agreements also…  

Thoughts, anyone?

Timh.

Received on Thursday, 24 April 2014 13:53:23 UTC