The right to be forgotten: treating the cause, not the symptoms

The European Commission has recently proposed radical new privacy legislation for providers of online services.  Web applications must support a user’s right to be forgotten, by deleting on demand all of the personal information held about them.  Companies must also disclose more information about how they store and use personal information, as well as notifying users about security incidents resulting in data breaches.

There is nothing quite like privacy regulation to bring out strong opinions.  Some commentators believe this legislation is a step in the right direction, and even that it does not go far enough.  Others say it is well intentioned, but may be impractical to implement.

However, not enough people are asking a more fundamental question: why are online services storing so much information in the first place?  There are several laudable reasons, as many web applications simply want to personalise their websites and provide a good user experience.  A big part of creating a compelling and interesting application is keeping track of what the end user is interested in, learning from what they have done in the past, and tailoring content appropriately.  For example, Google remembers your previous searches and Facebook maintains a “friends list”.  Both of these are essential to the user experience.

What this doesn’t explain is why this information is stored online rather than on your personal device.  Why do Google and Facebook not let the web browser store this information, the same way it stores browsing history and downloads?  In part this is because people use several web-enabled devices, and each would need to keep track of all of this data.  That’s not easy to do with current web browsers, particularly not between PCs, smartphones, tablets and set-top boxes.  Even the most privacy-conscious developer has no way of using local data storage in a reliable manner without seriously inconveniencing the end user, forcing them to store personal data on their own servers instead.

This is where webinos comes in.  Part of the webinos system is synchronised data storage: applications will be able to store data within the user’s personal zone, their network of personal devices.  Each device will be able to access this data, no matter where it was originally stored.  By making this feature a standard, web-accessible JavaScript API, web developers will be able to store information locally rather than in the cloud.  This is good news for users; “being forgotten” will be as simple as deleting a file or uninstalling an application.  It is also great news for companies, as they can avoid storing personal data and being adversely affected by the new legislation.

Of course, the problem of data security remains.  Personal data stored by webinos may be valuable (your photos, for example) or privacy-sensitive.  As a result, webinos is implementing a number of security measures to protect data stored by web applications.  Access control policies will prevent unauthorised data disclosure, and all devices in the personal zone will be strongly authenticated before connecting.  The project is also committed to publishing open source code, allowing anyone to inspect and review what the software does and make their own decision about how secure it really is.  Of course, end users are not expected to do this all for themselves: the webinos platform can be provisioned by a third-party service provider who is trusted to follow best practices in information security and keep personal data safe.

The EC’s privacy laws are well intentioned, and do address a fundamental problem with how users interact with the web.  However, some of the proposals appear to be addressing the symptoms rather than the cause.  Projects like webinos have the potential to both empower end users and avoid making companies implement costly measures for dealing with data protection and compliance.

John Lyle

Bio

John Lyle is a post-doctoral research assistant at The Department of Computer Science, University of Oxford. His interests are in information security and privacy, in particular the use of secure hardware to create trusted systems. He recently submitted his DPhil thesis on the subject of Trustworthy Web Services and holds an MEng in Computing from Imperial College London.

Webinos interests

John works full-time on the webinos project and is primarily involved with the security and privacy architecture.

Representing: University of Oxford