Re: Fwd: Browser UI, privacy, and EU law

From: Nathan <nathan@webr3.org>
Date: Wed, 03 Oct 2012 14:45:47 +0100
Message-ID: <506C418B.1040406@webr3.org>
To: Henry Story <henry.story@bblfish.net>
CC: "public-xg-webid@w3.org XG" <public-xg-webid@w3.org>, Coralie Mercier <coralie@w3.org>

Can web-id be folded in to RWW, and mail auto forwarded to this list?

Henry Story wrote:
> Since our community is a bit split on the mailing list still, I thought I'd forward this to the
> XG list. 
> Begin forwarded message:
>> Resent-From: public-webid@w3.org
>> From: "Dr Ian Walden" <i.n.walden@qmul.ac.uk>
>> Subject: RE: Browser UI, privacy, and EU law
>> Date: 1 October 2012 13:36:05 CEST
>> To: "'Henry Story'" <henry.story@bblfish.net>, <public-webid@w3.org>, "'Ben Laurie'" <benl@google.com>
>> Dear All,
>> The answer is, of course, it depends!
>> The relevant legislative measure, Directive 02/58/EC, as amended in 2009,
>> states the following, at article 5(3):
>> "Member States shall ensure that the storing of information, or the
>> gaining of access to information already stored, in the terminal
>> equipment of a subscriber or user is only allowed on condition that
>> the subscriber or user concerned has given his or her consent, having
>> been provided with clear and comprehensive information, in accordance
>> with Directive 95/46/EC, inter alia, about the purposes of the
>> processing. This shall not prevent any technical storage or access for
>> the sole purpose of carrying out the transmission of a communication
>> over an electronic communications network, or as strictly necessary in
>> order for the provider of an information society service explicitly
>> requested by the subscriber or user to provide the service."
>> The references to 'consent' and 'clear and comprehensive information'
>> suggest that a user should be informed what identity he is giving to a web
>> site, since meaningful consent cannot be given unless the individual knows
>> what personal data is being disclosed. However, the last sentence of the
>> article is a get-out provision for data controllers, which means that
>> consent is not required in all circumstances.
>> Kind regards,
>> Ian
>> Professor Ian Walden
>> Professor of Information and Communications Law
>> Head, Institute of Computer and Communications Law
>> Centre for Commercial Law Studies
>> Queen Mary, University of London
>> 67-69 Lincoln's Inn Fields
>> London WC2A 3JB
>> Tel: +44-(0)20-7882-8086
>> Mobile: +44-(0)7968-612-581
>> -----Original Message-----
>> From: Henry Story [mailto:henry.story@bblfish.net] 
>> Sent: 27 September 2012 14:29
>> To: Ian Walden; public-webid@w3.org; Ben Laurie
>> Subject: Browser UI, privacy, and EU law
>> Let me introduce Ian Walden, Professor of Information and Communication Law
>> [1], who gave perhaps one of the most entertaining presentations at IETF 83
>> at the behest of the Security Area Advisory Group [2] in Paris earlier this
>> year on the effect of new EU legislation on software development relating to
>> privacy. 
>> It has been a long time since then, and I was not expecting such a talk, so
>> I did not take notes. But I am pretty sure this has some relevance to the
>> topic at hand here.
>> What I would like to know is if we can start arguing from a legal
>> perspective now for enhancements to user interfaces in browsers to help the
>> user see what identity (s)he is showing to a web site. I am asking this
>> because in a discussion with Ben Laurie, who works as security specialist at
>> Google among many other things [3], Ben seemed to think there was no
>> requirement in EU law for this. But my take from the talk at IETF in Paris
>> was quite the opposite, or at the very least that things were about to
>> seriously change.
>> So let me summarise the UI improvement that I ( and others ) have been
>> arguing for. Client side certificates - with WebID - allow one to
>> authenticate ( if one desires to ) to a number of web sites in one click.
>> This is shown in the short video "WebID & Browsers" [4]. As I point out at
>> the end of the video, current browsers allow one to log into different sites
>> with a client certificate but:
>>  1. Fail to make it obvious at all times that one is logged in, or under
>> what identity
>>    So, for example if in Safari one has chosen an identity to log in one
>> cannot change it, or even ever see that this is the identity/certificate one
>> has chosen.
>>    All the other browsers ask one again on accessing a web site, but still
>> don't show the identity used. 
>>  2. Don't make it easy to logout
>>     There is a bit of javascript that works on Netscape to log out, but the
>> server must present that option. In my view the user should be in control.
>> One has to close the whole browser to change identity.
>>     ( Safari does not allow one to logout at all, ever! )
>>  3. Don't make it obvious when one is anonymous
>>  Aza Raskin, a designer at Mozilla, presented a design that in my view would
>> solve this and user interaction problems very neatly and put the user in
>> control of his identity
>>      http://www.azarask.in/blog/post/identity-in-the-browser-firefox/
>> Aza did not apply it to https client authentication (TLS) but the design
>> would clearly work just as well there too. I opened a bug report on Chrome
>> for something like this to be implemented 
>>    http://code.google.com/p/chromium/issues/detail?id=29784
>> And similarly to other open source and closed source browsers.
>> So the WebID protocol is here to try to create a global distributed social
>> network so that we can have more privacy by working in distributed social
>> networks [5] and not have to all interact on one huge mega-server (or at
>> least allow people to not have to do that without suffering a large penalty)
>> We can get going as is now, but we would like the browsers to put the user
>> more in control of his identity. 
>>  So I was wondering if this is now a legal requirement :-)
>>  Henry 
>> [1] http://www.law.qmul.ac.uk/staff/walden.html
>> [2] http://www.ietf.org/mail-archive/web/saag/current/msg03614.html
>> [3] http://en.wikipedia.org/wiki/Ben_Laurie
>> [4] http://bblfish.net/blog/2011/05/25/
>> [5] I have a three minute interview at Oxford Internet Institute by Prof
>> William Dutton that covers this
>>    http://webcast.oii.ox.ac.uk/?view=Webcast&ID=20100524_323
>> Social Web Architect
>> http://bblfish.net/
> Social Web Architect
> http://bblfish.net/
Received on Wednesday, 3 October 2012 13:47:03 UTC