2012/Getting a Handle on Privacy and Security

From Open Source Bridge Wiki
Jump to: navigation, search

When was the last time you read a Privacy Policy, or looked at self-signed certs in the browser? How about cookie management? I bet you have awesome passwords! Lets face it, the browser does little to help the normal user in understanding and managing their privacy and security. This talk explores some of those issues, looks at projects Mozilla is working on in the area, and hopes to get developers and user experience people engaged in improving the usability of privacy and security in the browser.

Speaker: Shane Caraveo

Return to this session's details

Contributed notes

Goal: to make privacy/security issues more understandable to users.

Mozilla initiatives:

DNT: Do Not Track

Doesn't prevent tracking by itself. Is a signal for the user's preference that organizations have to buy into.

  • W3C technical bits defined
  • Process issues
  • what is tracking?
  • what happens when you see the header?

Technical bits are easy; behaviors are difficult to define.

Odd that Microsoft turned it on by default. Nice that they jumped on the bandwagon, but it's supposed to be the user's choice. Does this water down the meaning for ad agencies?

No demo because this is a header.

Collusion

Add-on for Firefox about 3 months ago, now available for Chrome and IE.

  • Mozilla and Ford Foundation working together
  • educate users about tracking
  • experimental addon
  • real-time tracking information
  • help users identify tracking
  • will help users opt-in to tracking
  • UI is still too techy

Crowd-source information from Collusion to identify trackers and problems.

(Demo -- shows sites that track and links between them. Cool techy graph UI. :-) )

Personas aka BrowserID

Designed to be a distributed system; it's tied to your email address and you can set up your own server on your own domain.

Backend is doing Oauth (probably) with existing providers so users can easily come on board from other systems.

  • secure verified authentication without passwords
  • use it, it's awesome
  • forward-looking sol'n for identity management
  • does not solve existing password management
  • demo later

There are also javascript shims that websites can use to provide browserID independent of browser.

Watchdog

BrowserID still leaves the existing problem of passwords in various places, subject to exploit

  • experimental work
  • examine your passwords
  • duplicates, age, similarity, strength
  • show you problem areas
  • help you choose good passwords
  • experimental, geeky, not friendly to most users

(demo)

This is part of a PhD project for the person doing the work.

Alternate demo with UI Shane put together.

Shows you sites that you've shared the same password with, and also those that take passwords insecurely.

Web Activities

  • Lots of ways to cook an egg
  • User agent mediates
  • Inherently private
  • User retains control

Browser knows who you like to share with, what you want to share -- and the site you're using doesn't need to know that.

(demo -- on CNN site, click icon in navbar, logs in to facebook share, gplus, etc. Shane notes that initial version took more control of the UI, but social providers were uninterested in getting on board because they didn't have their branding.)

SocialAPI

  • Integrate social content in browser
  • User Agent mediates
  • Inherently private
  • Possibly promiscuous
  • Users have control

Mozilla are writing their own social provider, called "Motown." They use IRC for presence. :-) Activity stream based on tools used in Mozilla (blogging, bug tracking, yammer, etc.)

Privacy icons

Ideas about icons indicating security, privacy, that make sense to the user. Using in-browser privacy preferences. Probably unrealistic.


https://wiki.mozilla.org/Privacy

"Users should expect their User Agent to be a User Agent."