- From: Nathan <nathan@webr3.org>
- Date: Wed, 03 Oct 2012 14:45:47 +0100
- To: Henry Story <henry.story@bblfish.net>
- CC: "public-xg-webid@w3.org XG" <public-xg-webid@w3.org>, Coralie Mercier <coralie@w3.org>
can web-id be folded in to RWW, and mail auto forwarded to this list?

Henry Story wrote:
> Since our community is a bit split on the mailing list still, I thought I'd forward this to the
> XG list.
>
> Begin forwarded message:
>
>> Resent-From: public-webid@w3.org
>> From: "Dr Ian Walden" <i.n.walden@qmul.ac.uk>
>> Subject: RE: Browser UI, privacy, and EU law
>> Date: 1 October 2012 13:36:05 CEST
>> To: "'Henry Story'" <henry.story@bblfish.net>, <public-webid@w3.org>, "'Ben Laurie'" <benl@google.com>
>>
>> Dear All,
>>
>> The answer is, of course, it depends!
>>
>> The relevant legislative measure, Directive 02/58/EC, as amended in 2009,
>> states the following, at article 5(3):
>>
>> "Member States shall ensure that the storing of information, or the
>> gaining of access to information already stored, in the terminal
>> equipment of a subscriber or user is only allowed on condition that
>> the subscriber or user concerned has given his or her consent, having
>> been provided with clear and comprehensive information, in accordance
>> with Directive 95/46/EC, inter alia, about the purposes of the
>> processing. This shall not prevent any technical storage or access for
>> the sole purpose of carrying out the transmission of a communication
>> over an electronic communications network, or as strictly necessary in
>> order for the provider of an information society service explicitly
>> requested by the subscriber or user to provide the service."
>>
>> The references to 'consent' and 'clear and comprehensive information'
>> suggest that a user should be informed what identity he is giving to a web
>> site, since meaningful consent cannot be given unless the individual knows
>> what personal data is being disclosed. However, the last sentence of the
>> article is a get-out provision for data controllers, which means that
>> consent is not required in all circumstances.
>>
>> Kind regards,
>>
>> Ian
>>
>> Professor Ian Walden
>> Professor of Information and Communications Law
>> Head, Institute of Computer and Communications Law
>>
>> Centre for Commercial Law Studies
>> Queen Mary, University of London
>> 67-69 Lincoln's Inn Fields
>> London WC2A 3JB
>>
>> Tel: +44-(0)20-7882-8086
>> Mobile: +44-(0)7968-612-581
>>
>>
>> -----Original Message-----
>> From: Henry Story [mailto:henry.story@bblfish.net]
>> Sent: 27 September 2012 14:29
>> To: Ian Walden; public-webid@w3.org; Ben Laurie
>> Subject: Browser UI, privacy, and EU law
>>
>> Let me introduce Ian Walden, Professor of Information and Communication Law
>> [1], who gave perhaps one of the most entertaining presentations at IETF 83
>> at the behest of the Security Area Advisory Group [2] in Paris earlier this
>> year on the effect of new EU legislation on software development relating to
>> privacy.
>>
>> It has been a long time since then, and I was not expecting such a talk, so
>> I did not take notes. But I am pretty sure this has some relevance to the
>> topic at hand here.
>>
>> What I would like to know is if we can start arguing from a legal
>> perspective now for enhancements to user interfaces in browsers to help the
>> user see what identity (s)he is showing to a web site. I am asking this
>> because in a discussion with Ben Laurie, who works as security specialist at
>> Google among many other things [3], Ben seemed to think there was no
>> requirement in EU law for this. But my take from the talk at IETF in Paris
>> was quite the opposite, or at the very least that things were about to
>> seriously change.
>>
>> So let me summarise the UI improvement that I ( and others ) have been
>> arguing for. Client side certificates - with WebID - allows one to
>> authenticate ( if one desires to ) to a number of web sites in one click.
>> This is shown in the short video "WebID & Browsers" [4]. As I point out at
>> the end of the video current browsers allow one to log into different sites
>> with a client certificate but:
>>
>> 1. Fail to make it obvious at all times that one is logged in, or under
>> what identity
>>
>> So, for example if in Safari one has chosen an identity to log in one
>> cannot change it, or even ever see that this is the identity/certificate one
>> has chosen.
>> All the other browsers ask one again on accessing a web site, but still
>> don't show the identity used.
>>
>> 2. Don't make it easy to logout
>>
>> There is a bit of javascript that works on Netscape to log out, but the
>> server must present that option. In my view the user should be in control.
>> One has to close the whole browser to change identity.
>> ( Safari does not allow one to logout at all, ever! )
>>
>> 3. Don't make it obvious when one is anonymous
>>
>> Aza Raskin a designer at Mozilla presented a design that in my view would
>> solve this and user interaction problems very neatly and put the user in
>> control of his identity
>>
>> http://www.azarask.in/blog/post/identity-in-the-browser-firefox/
>>
>> Aza did not apply it to https client authentication (TLS) but the design
>> would clearly work just as well there too. I opened a bug report on Chrome
>> for something like this to be implemented
>>
>> http://code.google.com/p/chromium/issues/detail?id=29784
>>
>> And similarly to other open source and closed source browsers.
>>
>> So the WebID protocol is here to try to create a global distributed social
>> network so that we can have more privacy by working in distributed social
>> networks [5] and not have to all interact on one huge mega-server (or at
>> least allow people to not have to do that without suffering a large penalty)
>> We can get going as is now, but we would like the browsers to put the user
>> more in control of his identity.
>>
>> So I was wondering if this is now a legal requirement :-)
>>
>>
>> Henry
>>
>>
>> [1] http://www.law.qmul.ac.uk/staff/walden.html
>> [2] http://www.ietf.org/mail-archive/web/saag/current/msg03614.html
>> [3] http://en.wikipedia.org/wiki/Ben_Laurie
>> [4] http://bblfish.net/blog/2011/05/25/
>> [5] I have a three minute interview at Oxford internet institute by Prof
>> William Dutton that covers this
>> http://webcast.oii.ox.ac.uk/?view=Webcast&ID=20100524_323
>>
>> Social Web Architect
>> http://bblfish.net/
>>
>
> Social Web Architect
> http://bblfish.net/
>
Received on Wednesday, 3 October 2012 13:47:03 UTC