- From: Henry Story <henry.story@bblfish.net>
- Date: Wed, 3 Oct 2012 15:41:30 +0200
- To: "public-xg-webid@w3.org XG" <public-xg-webid@w3.org>
- Message-Id: <25F65F5C-9613-4C6F-B5DD-DBF3A7C35EF2@bblfish.net>
Since our community is a bit split on the mailing list still, I thought I'd forward this to the XG list.

Begin forwarded message:

> Resent-From: public-webid@w3.org
> From: "Dr Ian Walden" <i.n.walden@qmul.ac.uk>
> Subject: RE: Browser UI, privacy, and EU law
> Date: 1 October 2012 13:36:05 CEST
> To: "'Henry Story'" <henry.story@bblfish.net>, <public-webid@w3.org>, "'Ben Laurie'" <benl@google.com>
>
> Dear All,
>
> The answer is, of course, it depends!
>
> The relevant legislative measure, Directive 02/58/EC, as amended in 2009, states the following, at article 5(3):
>
> "Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
>
> The references to 'consent' and 'clear and comprehensive information' suggest that a user should be informed what identity he is giving to a web site, since meaningful consent cannot be given unless the individual knows what personal data is being disclosed. However, the last sentence of the article is a get-out provision for data controllers, which means that consent is not required in all circumstances.
>
> Kind regards,
>
> Ian
>
> Professor Ian Walden
> Professor of Information and Communications Law
> Head, Institute of Computer and Communications Law
>
> Centre for Commercial Law Studies
> Queen Mary, University of London
> 67-69 Lincoln's Inn Fields
> London WC2A 3JB
>
> Tel: +44-(0)20-7882-8086
> Mobile: +44-(0)7968-612-581
>
>
> -----Original Message-----
> From: Henry Story [mailto:henry.story@bblfish.net]
> Sent: 27 September 2012 14:29
> To: Ian Walden; public-webid@w3.org; Ben Laurie
> Subject: Browser UI, privacy, and EU law
>
> Let me introduce Ian Walden, Professor of Information and Communication Law [1], who gave perhaps one of the most entertaining presentations at IETF 83 at the behest of the Security Area Advisory Group [2] in Paris earlier this year on the effect of new EU legislation on software development relating to privacy.
>
> It has been a long time since then, and I was not expecting such a talk, so I did not take notes. But I am pretty sure this has some relevance to the topic at hand here.
>
> What I would like to know is if we can start arguing from a legal perspective now for enhancements to user interfaces in browsers to help the user see what identity (s)he is showing to a web site. I am asking this because in a discussion with Ben Laurie, who works as a security specialist at Google among many other things [3], Ben seemed to think there was no requirement in EU law for this. But my take from the talk at IETF in Paris was quite the opposite, or at the very least that things were about to seriously change.
>
> So let me summarise the UI improvement that I (and others) have been arguing for. Client side certificates, with WebID, allow one to authenticate (if one desires to) to a number of web sites in one click. This is shown in the short video "WebID & Browsers" [4]. As I point out at the end of the video, current browsers allow one to log into different sites with a client certificate but:
>
> 1. Fail to make it obvious at all times that one is logged in, or under what identity
>
> So, for example, if in Safari one has chosen an identity to log in one cannot change it, or even ever see that this is the identity/certificate one has chosen. All the other browsers ask one again on accessing a web site, but still don't show the identity used.
>
> 2. Don't make it easy to logout
>
> There is a bit of javascript that works on Netscape to log out, but the server must present that option. In my view the user should be in control. One has to close the whole browser to change identity. (Safari does not allow one to logout at all, ever!)
>
> 3. Don't make it obvious when one is anonymous
>
> Aza Raskin, a designer at Mozilla, presented a design that in my view would solve this and user interaction problems very neatly and put the user in control of his identity:
>
> http://www.azarask.in/blog/post/identity-in-the-browser-firefox/
>
> Aza did not apply it to https client authentication (TLS) but the design would clearly work just as well there too. I opened a bug report on Chrome for something like this to be implemented:
>
> http://code.google.com/p/chromium/issues/detail?id=29784
>
> And similarly to other open source and closed source browsers.
>
> So the WebID protocol is here to try to create a global distributed social network so that we can have more privacy by working in distributed social networks [5] and not have to all interact on one huge mega-server (or at least allow people to not have to do that without suffering a large penalty). We can get going as is now, but we would like the browsers to put the user more in control of his identity.
>
> So I was wondering if this is now a legal requirement :-)
>
>
> Henry
>
>
>
> [1] http://www.law.qmul.ac.uk/staff/walden.html
> [2] http://www.ietf.org/mail-archive/web/saag/current/msg03614.html
> [3] http://en.wikipedia.org/wiki/Ben_Laurie
> [4] http://bblfish.net/blog/2011/05/25/
> [5] I have a three minute interview at the Oxford Internet Institute by Prof William Dutton that covers this
> http://webcast.oii.ox.ac.uk/?view=Webcast&ID=20100524_323
>
> Social Web Architect
> http://bblfish.net/

Social Web Architect
http://bblfish.net/
Attachments
- application/pkcs7-signature attachment: smime.p7s
Received on Wednesday, 3 October 2012 13:42:18 UTC