Improved Privacy and Security through Web Standards

Technically, we know how to secure communications, but the tools remain too hard to use. To put these key technologies in the hands of everyone, we are exploring ways to develop a toolkit for Web security, using standards deployed across browsers and devices.

Photo of Wendy Seltzer

Written by

A key barrier to free expression on the Internet is the lack of trust users have in the security and privacy of their communications infrastructure. This insecurity has been emphasized by recent events, including disclosure of NSA and GCHQ's pervasive Internet monitoring, and localized surveillance such as SMS warnings to protesters in Ukraine. Technically, we have known how to do secure communications for a long time, but the tools remain too hard to use. To put these key technologies in the hands of everyone, we are exploring ways to develop a toolkit for Web security, using standards deployed across browsers and devices.

W3C's WebCrypto API will provide the building blocks for secure Web applications, enabling developers to create and deploy end-to-end secure communications applications on the open Web platform. Uses of such apps could include secure communications between journalists and their sources; organizing channels for activists in a repressive regime; or confidential spaces for business colleagues talking about a yet-to-be-released product. To realize the potential of this API, we will need security testing, developer guidance, and best practices demonstrated through exemplary applications. We seek funding to bring this tested toolkit to the developers of apps for free expression on the Web.

Improving security and privacy through standards reviews and internal consulting. Security and privacy engineering work best when they are integrated at design time. We seek to make security and privacy expertise available to the groups designing W3C specifications and fitting them into the existing Web ecosystem, offering internal consulting services to identify privacy and security concerns, help resolve them in a manner that accounts for other considerations (performance, rapid deployment, business goals, etc.), and review the final specifications. We seek funding to strengthen the security expertise in W3C to work in concert with experts in industry and academia.

In ONE sentence, tell us about your project to strengthen the Internet for free expression and innovation.

We are developing tools to improve Web security and privacy through standards work at the World Wide Web Consortium for deployment across browsers and devices.

Who will benefit from what you propose? What have you observed that makes you think that?

The Web's end-users will benefit from tools that make secure communications easier to achieve. Users shouldn't face a choice between "usable" and "secure" -- tools built with privacy and security as core features can eliminate that false alternative. Particularly post-Snowden, more developers and users of technology are looking for communications security.

What progress have you made so far?

W3C's Web Cryptography Working Group has produced a draft Web Cryptography API that already has test implementations in many browsers. We will now be putting the work out for wider public review and testing. The Privacy and Security Interest Groups are conducting reviews of specifications in development.

What would be a successful outcome for your idea or project?

We aim for a Web where every developer can integrate secure communications into his or her site, and every user can easily make use of those tools. At the end of this phase of work, we should have security and privacy assessments of existing and proposed Web standards, and toolkits with which developers can make effective use of them.

Who is on your team, and what are their relevant experiences or skills?

The World Wide Web Consortium is celebrating its 20th year producing Recommendations (standards) to enable the World Wide Web to interconnect world-wide. Wendy Seltzer, Technology & Society Domain Lead, is a lawyer and technologist with a background in information privacy, security, and open innovation. The team includes technologists with backgrounds in industry and academia, and the Consortium works closely with participants from its international membership.


Cambridge, MA, USA, and the World Wide Web.


Join the conversation:

Photo of Marcela

What a great idea!!
Who do you think will regulate and enforce the standards?

Photo of Nicholas

Voluntary standards aren't regulated/enforced in a traditional sense, but by having consensus development of standards like WebCrypto, we're more likely to see interoperable implementations by web browsers and others. Once those standards are in place, it's easier for a variety of applications to build on top of them.
