- From: Nathan <nathan@webr3.org>
- Date: Wed, 03 Oct 2012 15:28:42 +0100
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- CC: Henry Story <henry.story@bblfish.net>, "public-xg-webid@w3.org XG" <public-xg-webid@w3.org>, Coralie Mercier <coralie@w3.org>
Melvin Carvalho wrote:
> On 3 October 2012 15:45, Nathan <nathan@webr3.org> wrote:
>
>> can web-id be folded in to RWW, and mail auto forwarded to this list?
>
> Nathan did you mean that the XG (now expired) folded into the public-webid
> CG

No :p but the XG folding in to webid cg it entails the same question :)

>>
>> Henry Story wrote:
>>
>>> Since our community is a bit split on the mailing list still, I thought
>>> I'd forward this to the XG list.
>>> Begin forwarded message:
>>>
>>> Resent-From: public-webid@w3.org
>>>> From: "Dr Ian Walden" <i.n.walden@qmul.ac.uk>
>>>> Subject: RE: Browser UI, privacy, and EU law
>>>> Date: 1 October 2012 13:36:05 CEST
>>>> To: "'Henry Story'" <henry.story@bblfish.net>, <public-webid@w3.org>,
>>>> "'Ben Laurie'" <benl@google.com>
>>>>
>>>> Dear All,
>>>>
>>>> The answer is, of course, it depends!
>>>>
>>>> The relevant legislative measure, Directive 02/58/EC, as amended in 2009,
>>>> states the following, at article 5(3):
>>>>
>>>> "Member States shall ensure that the storing of information, or the
>>>> gaining of access to information already stored, in the terminal
>>>> equipment of a subscriber or user is only allowed on condition that
>>>> the subscriber or user concerned has given his or her consent, having
>>>> been provided with clear and comprehensive information, in accordance
>>>> with Directive 95/46/EC, inter alia, about the purposes of the
>>>> processing. This shall not prevent any technical storage or access for
>>>> the sole purpose of carrying out the transmission of a communication
>>>> over an electronic communications network, or as strictly necessary in
>>>> order for the provider of an information society service explicitly
>>>> requested by the subscriber or user to provide the service."
>>>>
>>>> The references to 'consent' and 'clear and comprehensive information'
>>>> suggest that a user should be informed what identity he is giving to a
>>>> web site, since meaningful consent cannot be given unless the individual
>>>> knows what personal data is being disclosed. However, the last sentence
>>>> of the article is a get-out provision for data controllers, which means
>>>> that consent is not required in all circumstances.
>>>>
>>>> Kind regards,
>>>>
>>>> Ian
>>>>
>>>> Professor Ian Walden
>>>> Professor of Information and Communications Law
>>>> Head, Institute of Computer and Communications Law
>>>>
>>>> Centre for Commercial Law Studies
>>>> Queen Mary, University of London
>>>> 67-69 Lincoln's Inn Fields
>>>> London WC2A 3JB
>>>>
>>>> Tel: +44-(0)20-7882-8086
>>>> Mobile: +44-(0)7968-612-581
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Henry Story [mailto:henry.story@bblfish.net]
>>>> Sent: 27 September 2012 14:29
>>>> To: Ian Walden; public-webid@w3.org; Ben Laurie
>>>> Subject: Browser UI, privacy, and EU law
>>>>
>>>> Let me introduce Ian Walden, Professor of Information and Communication
>>>> Law [1], who gave perhaps one of the most entertaining presentations at
>>>> IETF 83 at the behest of the Security Area Advisory Group [2] in Paris
>>>> earlier this year on the effect of new EU legislation on software
>>>> development relating to privacy.
>>>> It has been a long time since then, and I was not expecting such a talk,
>>>> so I did not take notes. But I am pretty sure this has some relevance to
>>>> the topic at hand here.
>>>>
>>>> What I would like to know is if we can start arguing from a legal
>>>> perspective now for enhancements to user interfaces in browsers to help
>>>> the user see what identity (s)he is showing to a web site. I am asking
>>>> this because in a discussion with Ben Laurie, who works as security
>>>> specialist at Google among many other things [3], Ben seemed to think
>>>> there was no requirement in EU law for this. But my take from the talk
>>>> at IETF in Paris was quite the opposite, or at the very least that
>>>> things were about to seriously change.
>>>>
>>>> So let me summarise the UI improvement that I ( and others ) have been
>>>> arguing for. Client side certificates - with WebID - allow one to
>>>> authenticate ( if one desires to ) to a number of web sites in one click.
>>>> This is shown in the short video "WebID & Browsers" [4]. As I point out
>>>> at the end of the video current browsers allow one to log into different
>>>> sites with a client certificate but:
>>>>
>>>> 1. Fail to make it obvious at all times that one is logged in, or under
>>>>    what identity
>>>>
>>>>    So, for example if in Safari one has chosen an identity to log in one
>>>>    cannot change it, or even ever see that this is the
>>>>    identity/certificate one has chosen.
>>>>    All the other browsers ask one again on accessing a web site, but
>>>>    still don't show the identity used.
>>>>
>>>> 2. Don't make it easy to logout
>>>>
>>>>    There is a bit of javascript that works on Netscape to log out, but
>>>>    the server must present that option. In my view the user should be in
>>>>    control.
>>>>    One has to close the whole browser to change identity.
>>>>    ( Safari does not allow one to logout at all, ever! )
>>>>
>>>> 3. Don't make it obvious when one is anonymous
>>>>
>>>> Aza Raskin a designer at Mozilla presented a design that in my view
>>>> would solve this and user interaction problems very neatly and put the
>>>> user in control of his identity
>>>>
>>>> http://www.azarask.in/blog/post/identity-in-the-browser-firefox/
>>>>
>>>> Aza did not apply it to https client authentication (TLS) but the design
>>>> would clearly work just as well there too. I opened a bug report on
>>>> Chrome for something like this to be implemented
>>>> http://code.google.com/p/chromium/issues/detail?id=29784
>>>>
>>>> And similarly to other open source and closed source browsers.
>>>>
>>>> So the WebID protocol is here to try to create a global distributed
>>>> social network so that we can have more privacy by working in
>>>> distributed social networks [5] and not have to all interact on one huge
>>>> mega-server (or at least allow people to not have to do that without
>>>> suffering a large penalty)
>>>> We can get going as is now, but we would like the browsers to put the
>>>> user more in control of his identity.
>>>> So I was wondering if this is now a legal requirement :-)
>>>>
>>>>
>>>> Henry
>>>>
>>>>
>>>> [1] http://www.law.qmul.ac.uk/staff/walden.html
>>>> [2] http://www.ietf.org/mail-archive/web/saag/current/msg03614.html
>>>> [3] http://en.wikipedia.org/wiki/Ben_Laurie
>>>> [4] http://bblfish.net/blog/2011/05/25/
>>>> [5] I have a three minute interview at Oxford internet institute by Prof
>>>> William Dutton that covers this
>>>> http://webcast.oii.ox.ac.uk/?view=Webcast&ID=20100524_323
>>>>
>>>> Social Web Architect
>>>> http://bblfish.net/
>>>>
>>> Social Web Architect
>>> http://bblfish.net/
>>>
Received on Wednesday, 3 October 2012 14:30:00 UTC