W3C Identity in the Browser Workshop

The W3C recently held a workshop on Identity in the Browser for which a number of position papers are available as well as a blog post, agenda with presentation links, and a workshop report.

I submitted a position paper and gave a presentation noting that requirements that are simple to express can have large consequences in terms of complexity and implementation. I mentioned as an example the efforts in the Liberty Alliance to avoid correlation of identity across service providers through the use of opaque name identifiers. Another example is managing policy definitions with multiple parties involved in setting policy. I also highlighted the applicability of the FTC Do Not Track requirements mentioned in the previous W3C workshop on Web Tracking and User Privacy.

The workshop was well attended, with significant interest from a wide variety of stakeholders.

Possible next steps were focused on incremental improvements to current technology, with the intent of achieving results in a short time frame, including:

(a) Creating a standard for tagging web form fields so that password fillers can work reliably (e.g. know which field is the user name, which is the password, etc.)

(b) Making crypto functions available to JavaScript applications, with the approach of encouraging re-use of secure implementations rather than use (mis-use) of primitives

(c) Further discussion of the broader issues on a mailing list.

There was a useful review of requirements, with rough agreement on most of these. Discussion of the failure of some earlier attempts at addressing these issues included mention that this is a wicked problem, that usability is essential, that it must be a decentralized and user-centric system, that the buy-in of all stakeholders, including web service providers, is essential, and that there must be incentives for all.

Note was made of the relevance of the NSTIC (US National Strategy for Trusted Identities in Cyberspace) initiative.

There were many interesting papers; a small sampling follows:

Federated Browser-Based Identity using Email Addresses, Mike Hanson, Dan Mills, Ben Adida

The Emerging JSON-Based Identity Protocol Suite, Michael B. Jones, also see the slides

(edited first paragraph to update link to workshop report and provide link to agenda with presentations)

A call for reasonable Web Tracking and User Privacy

rea·son·able (see http://www.merriam-webster.com/ )
a : being in accordance with reason <reasonable theory>
b : not extreme or excessive <reasonable requests>
c : moderate, fair <reasonable chance> <reasonable price>
d : inexpensive


At the W3C workshop on Web Tracking and User Privacy there were a number of themes.


One theme is that there are different business interests related to tracking user activity on the web and different definitions of tracking. For example, first-party tracking might involve a web site recording information to maintain shopping cart contents, something a user would typically expect. Third-party tracking might be used to provide advertisements to a user based on their activity. This may or may not be acceptable to a user, but it relates to efforts to fund a site that may provide value without charging a fee.


Some tracking offers end users value, whether it be in supporting “free” services or in providing targeted ads that are useful and of interest. 


Of greater concern is the lack of transparency and accountability – tracking without user knowledge or permission and the potential for misuse of the information due to inappropriately long retention or 


Another theme is that usability is important and this includes not burdening users with needless and numerous prompts for permission. In fact, given experience with security prompts such as those related to SSL/TLS certificates, 



Morality, self-interest and constraints

Roger Brownsword brought up (PDF) the interesting topic of the relationship of moral codes of society with regulation and technology at the Technology & Regulation Symposium at the Berkeley Center for Law and Technology. Essentially law, regulation and technology can supplement the moral codes of a society, so less or more is required depending on the strength of common belief and adherence to those moral codes, as a shift occurs away from belief in doing something because it is “right”, to self-interest (the prudential approach), and finally to what is only possible or practical. The second can rely on signals that you will be detected and convicted, e.g. with many CCTV cameras. The third is evidenced by technologies used to enforce options, such as turnstiles.

I note that Will Durant says something similar in volume 1 (“Our Oriental Heritage”) of the epic “Story of Civilization”.

Regulation patterns

Travis D. Breaux, Assistant Professor of Computer Science, Carnegie Mellon University, presented interesting thoughts on regulatory patterns during the Berkeley Center for Law and Technology “Technology, Transforming the Regulatory Endeavor” symposium.

He suggested the following regulatory “patterns” that should be followed in drafting regulations. Regulations should:

  1. Allow suspending the course of a prescribed action when appropriate. An example is suspending required notification during a police investigation.
  2. Allow design alternatives by giving guidance not implementation details. This allows for technology change, for example. An example might be allowing a change of notification from paper mail to email by not being prescriptive in mechanism.
  3. Support thresholds and exceptions. For example, allow substituting a notice on a web site rather than individual notices, to enable scaling.
  4. Enable indemnification. An example is to generally require use of encryption, but with an exception if credit card processing rules are met.
  5. Support prohibitions. For example, disallow use of SSN unless already used, then require notification of continued use and allow people to prohibit its use.