Re: Browser UI, privacy, and EU law

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 3 Oct 2012 15:50:46 +0200
Cc: "public-xg-webid@w3.org XG" <public-xg-webid@w3.org>, Coralie Mercier <coralie@w3.org>
Message-Id: <690FEFA7-C123-4C66-9F7A-F0E05816E9E2@bblfish.net>
To: nathan@webr3.org

On 3 Oct 2012, at 15:45, Nathan <nathan@webr3.org> wrote:

> can web-id be folded in to RWW, and mail auto forwarded to this list?

I am sure this can be done, but I'd rather the webid & rww lists be 
separate, because we still have technical issues on the webid spec
to work with.

I would not mind if public-webid be forwarded to public-xg-webid on the
other hand. public-xg-webid still can do some magic, like update the 
WebID bug database, which is a feature I'd like not to lose.


> Henry Story wrote:
>> Since our community is a bit split on the mailing list still, I thought I'd forward this to the
>> XG list. Begin forwarded message:
>>> Resent-From: public-webid@w3.org
>>> From: "Dr Ian Walden" <i.n.walden@qmul.ac.uk>
>>> Subject: RE: Browser UI, privacy, and EU law
>>> Date: 1 October 2012 13:36:05 CEST
>>> To: "'Henry Story'" <henry.story@bblfish.net>, <public-webid@w3.org>, "'Ben Laurie'" <benl@google.com>
>>> Dear All,
>>> The answer is, of course, it depends!
>>> The relevant legislative measure, Directive 02/58/EC, as amended in 2009,
>>> states the following, at article 5(3):
>>> "Member States shall ensure that the storing of information, or the
>>> gaining of access to information already stored, in the terminal
>>> equipment of a subscriber or user is only allowed on condition that
>>> the subscriber or user concerned has given his or her consent, having
>>> been provided with clear and comprehensive information, in accordance
>>> with Directive 95/46/EC, inter alia, about the purposes of the
>>> processing. This shall not prevent any technical storage or access for
>>> the sole purpose of carrying out the transmission of a communication
>>> over an electronic communications network, or as strictly necessary in
>>> order for the provider of an information society service explicitly
>>> requested by the subscriber or user to provide the service."
>>> The references to 'consent' and 'clear and comprehensive information'
>>> suggest that a user should be informed what identity he is giving to a web
>>> site, since meaningful consent cannot be given unless the individual knows
>>> what personal data is being disclosed. However, the last sentence of the
>>> article is a get-out provision for data controllers, which means that
>>> consent is not required in all circumstances.
>>> Kind regards,
>>> Ian
>>> Professor Ian Walden
>>> Professor of Information and Communications Law
>>> Head, Institute of Computer and Communications Law
>>> Centre for Commercial Law Studies
>>> Queen Mary, University of London
>>> 67-69 Lincoln's Inn Fields
>>> London WC2A 3JB
>>> Tel: +44-(0)20-7882-8086
>>> Mobile: +44-(0)7968-612-581
>>> -----Original Message-----
>>> From: Henry Story [mailto:henry.story@bblfish.net]
>>> Sent: 27 September 2012 14:29
>>> To: Ian Walden; public-webid@w3.org; Ben Laurie
>>> Subject: Browser UI, privacy, and EU law
>>> Let me introduce Ian Walden, Professor of Information and Communication Law
>>> [1], who gave perhaps one of the most entertaining presentations at IETF 83
>>> at the behest of the Security Area Advisory Group [2] in Paris earlier this
>>> year on the effect of new EU legislation on software development relating to
>>> privacy. 
>>> It has been a long time since then, and I was not expecting such a talk, so
>>> I did not take notes. But I am pretty sure this has some relevance to the
>>> topic at hand here.
>>> What I would like to know is if we can start arguing from a legal
>>> perspective now for enhancements to user interfaces in browsers to help the
>>> user see what identity (s)he is showing to a web site. I am asking this
>>> because in a discussion with Ben Laurie, who works as security specialist at
>>> Google among many other things [3], Ben seemed to think there was no
>>> requirement in EU law for this. But my take from the talk at IETF in Paris
>>> was quite the opposite, or at the very least that things were about to
>>> seriously change.
>>> So let me summarise the UI improvement that I (and others) have been
>>> arguing for. Client side certificates - with WebID - allow one to
>>> authenticate (if one desires to) to a number of web sites in one click.
>>> This is shown in the short video "WebID & Browsers" [4]. As I point out at
>>> the end of the video current browsers allow one to log into different sites
>>> with a client certificate but:
>>> 1. Fail to make it obvious at all times that one is logged in, or under
>>> what identity
>>>   So, for example if in Safari one has chosen an identity to log in one
>>> cannot change it, or even ever see that this is the identity/certificate one
>>> has chosen.
>>>   All the other browsers ask one again on accessing a web site, but still
>>> don't show the identity used. 
>>> 2. Don't make it easy to logout
>>>    There is a bit of javascript that works on Netscape to log out, but the
>>> server must present that option. In my view the user should be in control.
>>> One has to close the whole browser to change identity.
>>>    ( Safari does not allow one to logout at all, ever! )
>>> 3. Don't make it obvious when one is anonymous
>>> Aza Raskin, a designer at Mozilla, presented a design that in my view would
>>> solve this and user interaction problems very neatly and put the user in
>>> control of his identity
>>>     http://www.azarask.in/blog/post/identity-in-the-browser-firefox/
>>> Aza did not apply it to https client authentication (TLS) but the design
>>> would clearly work just as well there too. I opened a bug report on Chrome
>>> for something like this to be implemented 
>>>   http://code.google.com/p/chromium/issues/detail?id=29784
>>> And similarly to other open source and closed source browsers.
>>> So the WebID protocol is here to try to create a global distributed social
>>> network so that we can have more privacy by working in distributed social
>>> networks [5] and not have to all interact on one huge mega-server (or at
>>> least allow people to not have to do that without suffering a large penalty)
>>> We can get going as is now, but we would like the browsers to put the user
>>> more in control of his identity. 
>>> So I was wondering if this is now a legal requirement :-)
>>> Henry 
>>> [1] http://www.law.qmul.ac.uk/staff/walden.html
>>> [2] http://www.ietf.org/mail-archive/web/saag/current/msg03614.html
>>> [3] http://en.wikipedia.org/wiki/Ben_Laurie
>>> [4] http://bblfish.net/blog/2011/05/25/
>>> [5] I have a three minute interview at Oxford internet institute by Prof
>>> William Dutton that covers this
>>>   http://webcast.oii.ox.ac.uk/?view=Webcast&ID=20100524_323
>>> Social Web Architect
>>> http://bblfish.net/
>> Social Web Architect
>> http://bblfish.net/

Social Web Architect

Received on Wednesday, 3 October 2012 13:51:24 UTC
