- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Thu, 10 Jan 2008 14:57:41 -0500
- To: Anil Saldhana <Anil.Saldhana@redhat.com>
- CC: Robert Yonaitis <ryonaitis@hisoftware.com>, public-wsc-wg@w3.org
That's easy: they want date of birth so they can comply with COPPA. You also have the option of not displaying your birth date in your profile.

serge

Anil Saldhana wrote:
>
> Bob and Bill, I think what the application does from security/privacy
> perspective is beyond the control of the UA.
>
> I am still trying to understand completely why Facebook wants "date of
> birth" during registration and prominently displays it in personal profile.
>
> Robert Yonaitis wrote:
>> Just forwarding this one for bill as it seems his posts from the last
>> few times have not gone through
>>
>> cheers
>> -----Original Message-----
>> From: William Eburn
>> Sent: Thursday, January 10, 2008 2:33 PM
>> To: 'Anil Saldhana'; public-wsc-wg@w3.org
>> Subject: RE: Is the padlock a page security score?
>>
>> Hello all,
>>
>> As you may know, HiSoftware has content and application testing tools
>> around privacy, security, accessibility, general content quality,
>> corporate branding, and several factors of site quality.
>>
>> I am concerned that if we give some de facto score but do not consider
>> the content or application, then would I not as a user of the browser
>> that gave me the information have the right to sue their corporation if
>> I went to a site, the score said 90% reliable and I entered all my PII
>> and the next user saw that it was 90% secure -- knew that the scoring
>> system was flawed because it didn't consider the content, or the
>> application and in this case used a simple SQL Injection to grab all the
>> PII out of the system (including mine), then opened multiple bank
>> accounts, got car loans, and did whatever, causing me great harm. While
>> it's true I was able to cancel the charges as being fraudulent, it took
>> over a year to do so. Would the company that provided the page score be
>> responsible in a court of law?
>>
>> Please note, this would be different depending on which country you were
>> in.
>>
>> I think, from our perspective the education of the user to the state of
>> the different security indicators is important but for us to assign any
>> value judgment on them would at best, be foolish. Immediately we could
>> never assign 100%, because as part of the working group we've already
>> said that we aren't examining the content or application being viewed by
>> the user agent. So it would be my vote to eliminate the idea of a page
>> score entirely. What I'm suggesting is that we show them the
>> information, educate the user as to what it means, but assign no value.
>>
>> This is just my two cents on the page score topic.
>>
>> Thanks,
>> Bill
>>
>>
>> -----Original Message-----
>> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org]
>> On Behalf Of Anil Saldhana
>> Sent: Thursday, January 10, 2008 2:18 PM
>> To: public-wsc-wg@w3.org
>> Subject: Re: Is the padlock a page security score?
>>
>>
>> Right on the point, Tim.
>>
>> We have a tendency to quote personal experiences/behavior to equate it
>> to the general behavior of the masses. A security indicator to one
>> does not mean an indicator to everyone.
>>
>> WG has had discussions that the padlock is not sufficient to ensure a
>> secure behavior. Hence page security score, ev cert bar etc etc. :)
>>
>> Timothy Hahn wrote:
>>> Hi all,
>>>
>>> This whole discussion is subjective. What is useful for one person could
>>> very well be useless to someone else.
>>>
>>> An analogy - weather forecasts about the possibility of rain today. Does
>>> such a score indicate whether I will get rained on? No. Does it help me
>>> decide whether or not to wear a hat or carry an umbrella? Yes. There is
>>> no way that people other than meteorologists (and some would argue, even
>>> them) will accurately interpret isobars, cloud patterns, and doppler radar
>>> to determine whether it will rain. But people can get a feeling for the
>>> chances of rain based on a 0-100% estimate.
>>>
>>> I think the same is true for the notion of a page security score. Does it
>>> imply that the user will definitely, without a doubt, not get "taken"? No.
>>> Does it give the user something with which to make a choice? Yes. In
>>> this light, I still feel that page security scores are good things to
>>> consider.
>>>
>>> Regards,
>>> Tim Hahn
>>> IBM Distinguished Engineer
>>>
>>> Internet: hahnt@us.ibm.com
>>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>>> phone: 919.224.1565 tie-line: 8/687.1565
>>> fax: 919.224.2530
>>>
>>>
>>> From: <michael.mccormick@wellsfargo.com>
>>> To: <ifette@google.com>, <Anil.Saldhana@redhat.com>
>>> Cc: Timothy Hahn/Durham/IBM@IBMUS, <public-wsc-wg@w3.org>,
>>> <Mary_Ellen_Zurko@notesdev.ibm.com>
>>> Date: 01/10/2008 01:34 PM
>>> Subject: RE: Is the padlock a page security score?
>>>
>>>
>>> I would ask the same question about a binary indicator. The padlock does
>>> not mean it's safe to enter a credit card.
>>>
>>> From: Ian Fette [mailto:ifette@google.com]
>>> Sent: Thursday, January 10, 2008 12:26 PM
>>> To: Anil Saldhana
>>> Cc: McCormick, Mike; hahnt@us.ibm.com; public-wsc-wg@w3.org;
>>> Mary_Ellen_Zurko@notesdev.ibm.com
>>> Subject: Re: Is the padlock a page security score?
>>>
>>> I still don't understand what anything beyond a binary result is supposed
>>> to tell a user. I'm on a site with "Medium" security - what does that
>>> mean? Does that mean that I should give them my credit card or not?
>>> On Jan 10, 2008 10:00 AM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote:
>>> Maybe there is an opportunity to associate "High/Medium/Low" or
>>> "Strong/Medium/Low" based on page security score with the padlock.
>>>
>>> michael.mccormick@wellsfargo.com wrote:
>>>> Sure, I agree the padlock is a binary representation of a boolean security
>>>> score formula based on a single security variable (SSL on main page). A
>>>> degenerate case IMHO - but still technically a page security score.
>>>> A security score algorithm should take into account most (if not all) of the
>>>> variables we enumerated under "What is a Secure Page?" Perhaps the note
>>>> should state that explicitly. Then padlocks wouldn't qualify.
>>>> _____
>>>>
>>>> From: public-wsc-wg-request@w3.org [mailto:public-wsc-wg-request@w3.org] On
>>>> Behalf Of Timothy Hahn
>>>> Sent: Thursday, January 10, 2008 10:40 AM
>>>> To: public-wsc-wg@w3.org
>>>> Subject: Re: Is the padlock a page security score?
>>>>
>>>>
>>>> Mez,
>>>> I'll toss in my view that the padlock is an example of a page security
>>>> score. In most user agents, this seems to be pretty much "binary" (on or
>>>> off) though I think we've heard from some folks that there are some
>>>> "embellishments" on their display of the icon which would provide more
>>>> gradations based on information received.
>>>>
>>>> On the bright side of such a visible item - it is relatively easy to
>>>> describe and for people to grasp the meaning of.
>>>>
>>>> On the down side of the padlock - ... well, we've had lots of that
>>>> discussion on this list already - see the archives.
>>>>
>>>> Regards,
>>>> Tim Hahn
>>>> IBM Distinguished Engineer
>>>>
>>>> Internet: hahnt@us.ibm.com
>>>> Internal: Timothy Hahn/Durham/IBM@IBMUS
>>>> phone: 919.224.1565 tie-line: 8/687.1565 fax: 919.224.2530
>>>>
>>>>
>>>> From: "Mary Ellen Zurko" <Mary_Ellen_Zurko@notesdev.ibm.com>
>>>> To: public-wsc-wg@w3.org
>>>> Date: 01/10/2008 11:10 AM
>>>> Subject: Is the padlock a page security score?
>>>> _____
>>>>
>>>>
>>>> If not, why not?
>>>>
>>>> Mez
>>>>
>>>
>>
>

--
/*
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Thursday, 10 January 2008 19:58:28 UTC