Fwd: Browser UI, privacy, and EU law

Since our community is a bit split on the mailing list still, I thought I'd forward this to the
XG list.

Begin forwarded message:

> Resent-From: public-webid@w3.org
> From: "Dr Ian Walden" <i.n.walden@qmul.ac.uk>
> Subject: RE: Browser UI, privacy, and EU law
> Date: 1 October 2012 13:36:05 CEST
> To: "'Henry Story'" <henry.story@bblfish.net>, <public-webid@w3.org>, "'Ben Laurie'" <benl@google.com>
> 
> Dear All,
> 
> The answer is, of course, it depends!
> 
> The relevant legislative measure, Directive 02/58/EC, as amended in 2009,
> states the following, at article 5(3):
> 
> "Member States shall ensure that the storing of information, or the
> gaining of access to information already stored, in the terminal
> equipment of a subscriber or user is only allowed on condition that
> the subscriber or user concerned has given his or her consent, having
> been provided with clear and comprehensive information, in accordance
> with Directive 95/46/EC, inter alia, about the purposes of the
> processing. This shall not prevent any technical storage or access for
> the sole purpose of carrying out the transmission of a communication
> over an electronic communications network, or as strictly necessary in
> order for the provider of an information society service explicitly
> requested by the subscriber or user to provide the service."
> 
> The references to 'consent' and 'clear and comprehensive information'
> suggest that a user should be informed what identity he is giving to a web
> site, since meaningful consent cannot be given unless the individual knows
> what personal data is being disclosed. However, the last sentence of the
> article is a get-out provision for data controllers, which means that
> consent is not required in all circumstances.
> 
> Kind regards,
> 
> Ian
> 
> Professor Ian Walden
> Professor of Information and Communications Law
> Head, Institute of Computer and Communications Law
> 
> Centre for Commercial Law Studies
> Queen Mary, University of London
> 67-69 Lincoln's Inn Fields
> London WC2A 3JB
> 
> Tel: +44-(0)20-7882-8086
> Mobile: +44-(0)7968-612-581
> 
> 
> -----Original Message-----
> From: Henry Story [mailto:henry.story@bblfish.net] 
> Sent: 27 September 2012 14:29
> To: Ian Walden; public-webid@w3.org; Ben Laurie
> Subject: Browser UI, privacy, and EU law
> 
> Let me introduce Ian Walden, Professor of Information and Communication Law
> [1], who gave perhaps one of the most entertaining presentations at IETF 83
> at the behest of the Security Area Advisory Group [2] in Paris earlier this
> year on the effect of new EU legislation on software development relating to
> privacy. 
> 
> It has been a long time since then, and I was not expecting such a talk, so
> I did not take notes. But I am pretty sure this has some relevance to the
> topic at hand here.
> 
> What I would like to know is if we can start arguing from a legal
> perspective now for enhancements to user interfaces in browsers to help the
> user see what identity (s)he is showing to a web site. I am asking this
> because in a discussion with Ben Laurie, who works as a security specialist at
> Google among many other things [3], Ben seemed to think there was no
> requirement in EU law for this. But my take from the talk at IETF in Paris
> was quite the opposite, or at the very least that things were about to
> seriously change.
> 
> So let me summarise the UI improvement that I (and others) have been
> arguing for. Client side certificates - with WebID - allow one to
> authenticate (if one desires to) to a number of web sites in one click.
> This is shown in the short video "WebID & Browsers" [4]. As I point out at
> the end of the video current browsers allow one to log into different sites
> with a client certificate but:
> 
>  1. Fail to make it obvious at all times that one is logged in, or under
> what identity
> 
>    So, for example, if in Safari one has chosen an identity to log in, one
> cannot change it, or even ever see that this is the identity/certificate one
> has chosen.
>    All the other browsers ask one again on accessing a web site, but still
> don't show the identity used. 
> 
>  2. Don't make it easy to log out
> 
>     There is a bit of JavaScript that works on Netscape to log out, but the
> server must present that option. In my view the user should be in control.
> One has to close the whole browser to change identity.
>     (Safari does not allow one to log out at all, ever!)
> 
>  3. Don't make it obvious when one is anonymous
> 
>  Aza Raskin, a designer at Mozilla, presented a design that in my view would
> solve this and user interaction problems very neatly and put the user in
> control of his identity:
> 
>      http://www.azarask.in/blog/post/identity-in-the-browser-firefox/
> 
> Aza did not apply it to https client authentication (TLS), but the design
> would clearly work just as well there too. I opened a bug report on Chrome
> for something like this to be implemented:
> 
>    http://code.google.com/p/chromium/issues/detail?id=29784
> 
> And similarly to other open source and closed source browsers.
> 
> So the WebID protocol is here to try to create a global distributed social
> network so that we can have more privacy by working in distributed social
> networks [5] and not have to all interact on one huge mega-server (or at
> least allow people to not have to do that without suffering a large penalty).
> We can get going as is now, but we would like the browsers to put the user
> more in control of his identity.
> 
>  So I was wondering if this is now a legal requirement :-)
> 
> 
>  Henry 
> 
> 
> 
> [1] http://www.law.qmul.ac.uk/staff/walden.html
> [2] http://www.ietf.org/mail-archive/web/saag/current/msg03614.html
> [3] http://en.wikipedia.org/wiki/Ben_Laurie
> [4] http://bblfish.net/blog/2011/05/25/
> [5] I have a three-minute interview at the Oxford Internet Institute by Prof
> William Dutton that covers this:
>    http://webcast.oii.ox.ac.uk/?view=Webcast&ID=20100524_323
> 
> Social Web Architect
> http://bblfish.net/

Social Web Architect
http://bblfish.net/

Received on Wednesday, 3 October 2012 13:42:18 UTC