W3C home > Mailing lists > Public > public-xg-webid@w3.org > October 2012

Re: Fwd: Browser UI, privacy, and EU law

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Wed, 3 Oct 2012 16:25:28 +0200
Message-ID: <CAKaEYhLubanU2B-3CNVLS5VK7=a5oPJjb3BcCEA-QrvP+k+6ZQ@mail.gmail.com>
To: nathan@webr3.org
Cc: Henry Story <henry.story@bblfish.net>, "public-xg-webid@w3.org XG" <public-xg-webid@w3.org>, Coralie Mercier <coralie@w3.org>
On 3 October 2012 15:45, Nathan <nathan@webr3.org> wrote:

> can web-id be folded in to RWW, and mail auto forwarded to this list?

Nathan did you mean that the XG (now expired) folded into the public-webid

> Henry Story wrote:
>> Since our community is a bit split on the mailing list still, I thought
>> I's forward this to the
>> XG list.
>> Begin forwarded message:
>>  Resent-From: public-webid@w3.org
>>> From: "Dr Ian Walden" <i.n.walden@qmul.ac.uk>
>>> Subject: RE: Browser UI, privacy, and EU law
>>> Date: 1 October 2012 13:36:05 CEST
>>> To: "'Henry Story'" <henry.story@bblfish.net>, <public-webid@w3.org>,
>>> "'Ben Laurie'" <benl@google.com>
>>> Dear All,
>>> The answer is, of course, it depends!
>>> The relevant legislative measure, Directive 02/58/EC, as amended in 2009,
>>> states the following, at article 5(3):
>>> "Member States shall ensure that the storing of information, or the
>>> gaining of access to information already stored, in the terminal
>>> equipment of a subscriber or user is only allowed on condition that
>>> the subscriber or user concerned has given his or her consent, having
>>> been provided with clear and comprehensive information, in accordance
>>> with Directive 95/46/EC, inter alia, about the purposes of the
>>> processing. This shall not prevent any technical storage or access for
>>> the sole purpose of carrying out the transmission of a communication
>>> over an electronic communications network, or as strictly necessary in
>>> order for the provider of an information society service explicitly
>>> requested by the subscriber or user to provide the service."
>>> The references to 'consent' and 'clear and comprehensive information'
>>> suggest that a user should be informed what identity he is giving to a
>>> web
>>> site, since meaningful consent cannot be given unless the individual
>>> knows
>>> what personal data is being disclosed. However, the last sentence of the
>>> article is a get-out provision for data controllers, which means that
>>> consent is not required in all circumstances.
>>> Kind regards,
>>> Ian
>>> Professor Ian Walden
>>> Professor of Information and Communications Law
>>> Head, Institute of Computer and Communications Law
>>> Centre for Commercial Law Studies
>>> Queen Mary, University of London
>>> 67-69 Lincoln's Inn Fields
>>> London WC2A 3JB
>>> Tel: +44-(0)20-7882-8086
>>> Mobile: +44-(0)7968-612-581
>>> -----Original Message-----
>>> From: Henry Story [mailto:henry.story@bblfish.**net<henry.story@bblfish.net>]
>>> Sent: 27 September 2012 14:29
>>> To: Ian Walden; public-webid@w3.org; Ben Laurie
>>> Subject: Browser UI, privacy, and EU law
>>> Let me introduce Ian Walden, Professor of Information and Communication
>>> Law
>>> [1], who gave perhaps one of the most entertaining presentations at IETF
>>> 83
>>> at the behest of the Security Area Advisory Group [2] in Paris earlier
>>> this
>>> year on the effect of new EU legislation on software development
>>> relating to
>>> privacy.
>>> It has been a long time since then, and I was not expecting such a talk,
>>> so
>>> I did not take notes. But I am pretty sure this  has some relevance to
>>> the
>>> topic at hand here.
>>> What I would like to know is if we can start arguing from a legal
>>> perspective now for enhancements to user interfaces in browsers to help
>>> the
>>> user see what identity (s)he is showing to a web site. I am asking this
>>> because in a discussion with Ben Laurie, who works as security
>>> specialist at
>>> Google among many other things [3], Ben seemed to think there was no
>>> requirement in EU law for this. But my take from the talk at IETF in
>>> Paris
>>> was quite the opposite, or at the very least that things were about to
>>> seriously change.
>>> So let me summarise the UI improvement that I ( and others ) have been
>>> arguing for. Client side certificates - with WebID - allows one to
>>> authenticate ( if one desires to ) to a number of web sites in one click.
>>> This is shown in the short video "WebID & Browsers" [4]. As I point out
>>> at
>>> the end of the video current browsers allow one to log into different
>>> sites
>>> with a client certificate but:
>>>  1. Fail to make it obvious at all times that one is logged in, or under
>>> what identity
>>>    So, for example if in Safari one has chosen an identity to log in one
>>> cannot change it, or even ever see that this is the identity/certificate
>>> one
>>> has chosen.
>>>    All the other browsers ask one again on accessing a web site, but
>>> still
>>> don't show the identity used.
>>>  2. Don't make it easy to logout
>>>     There is a bit of javascript that works on Netscape to log out, but
>>> the
>>> server must present that option. In my view the user should be in
>>> control.
>>> One has to close the whole browser to change identity.
>>>     ( Safari does not allow one to logout at all, ever! )
>>>  3. Don't make it obvious when one is anonymous
>>>  Aza Raskin a designer at Mozilla presented a design that in my view
>>> would
>>> solve this and user interaction problems very neatly and put the user in
>>> control of his identity
>>>      http://www.azarask.in/blog/**post/identity-in-the-browser-**
>>> firefox/<http://www.azarask.in/blog/post/identity-in-the-browser-firefox/>
>>> Aza did not apply it to https client authentication (TLS) but the design
>>> would clearly work just as well there too. I opened a bug report on
>>> Chrome
>>> for something like this to be implemented
>>>    http://code.google.com/p/**chromium/issues/detail?id=**29784<http://code.google.com/p/chromium/issues/detail?id=29784>
>>> And similarly to other open source and closed source browsers.
>>> So the WebID protocol is here to try to create a global distributed
>>> social
>>> network so that we can have more privacy by working in distributed social
>>> networks [5] and not have to all interact on one huge mega-server (or at
>>> least allow people to not have to do that without suffering a large
>>> penalty)
>>> We can get going as is now, but we would like the browsers to put the
>>> user
>>> more in control of his identity.
>>>  So I was wondering if this is now a legal requirement :-)
>>>  Henry
>>> [1] http://www.law.qmul.ac.uk/**staff/walden.html<http://www.law.qmul.ac.uk/staff/walden.html>
>>> [2] http://www.ietf.org/mail-**archive/web/saag/current/**msg03614.html<http://www.ietf.org/mail-archive/web/saag/current/msg03614.html>
>>> [3] http://en.wikipedia.org/wiki/**Ben_Laurie<http://en.wikipedia.org/wiki/Ben_Laurie>
>>> [4] http://bblfish.net/blog/2011/**05/25/<http://bblfish.net/blog/2011/05/25/>
>>> [5] I have a three minute interview at Oxford internet institute by Prof
>>> William Dutton that covers this
>>>    http://webcast.oii.ox.ac.uk/?**view=Webcast&ID=20100524_323<http://webcast.oii.ox.ac.uk/?view=Webcast&ID=20100524_323>
>>> Social Web Architect
>>> http://bblfish.net/
>> Social Web Architect
>> http://bblfish.net/
Received on Wednesday, 3 October 2012 14:25:57 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:56 UTC