URIs, deep linking, framing, adapting and related concerns

by Rotan Hanrahan

To the TAG members,

Recent discussions with other W3C members once again highlight the general mis-understanding of the role of the URI (or URL, to use the term more familiar to the wider community). The publication of a URL that identifies a third party resource cannot (in any sensible manner) be prevented by that third party because the URL is merely the address of a single resource within a huge public space. By virtue of placing the resource into the public space, the owner of the resource (or the associated intellectual property) has effectively agreed to reveal the address and make it “common knowledge”.

Some owners of these resources seem to believe that they can legally prevent people from uttering Web addresses in public. This would be counter to the architecture of the Web, which depends on being able to make such references.

This probably seems correct to anyone familiar with the Web. A statement from the TAG to this effect reinforcing the open nature of URLs may help dispel the misunderstandings about what can and cannot be done with URLs.

However, there are still some concerns about how such links might be used, and there seems to be no obvious means of addressing these shortcomings.

Example 1:

It is possible to create a Web page that contains image elements that use deep links into a third party site. The creator of the page has not accessed or modified the referenced images. The images are only presented to the end user because the user’s Web client has retrieved the images directly, albeit because of the markup. Such out-of-context retrieval is naturally a concern to the owners of the referenced images but still seems legitimate in terms of the Web architecture. This is a particular problem in phishing scams where the referenced resources are employed as part of a deception to convince the end user that the page being viewed is legitimately from the bank, society, club or whatever. Framing entire pages is another example where the Web architecture seems to facilitate plagiarism.

Example 2:

We have observed the increasing practice of introducing a proxy between the client and the origin server. The proxy may manipulate the interaction with the end user, either to inject/remove material or otherwise adapt the interaction to match the environmental constraints. Accessing the Web via mobile devices is a particular example. (The work of W3C in offering guidelines for such scenarios is welcome.) Does the fact of providing a resource for access via a public URL also grant the consumers of the digital representations of that resource the right to manipulate those representations? One might argue that the Web browser itself is manipulating the data stream in order to provide a rendering for the user, and this is itself a form of adaptation. If the Web architecture permits (and encourages) this, then it seems fair for anyone to assume that any Web traffic may be manipulated. However, if the origin server takes steps to ensure that the resources are NOT publicly available by requiring the user to enter into a session via some form of credentials, then does the continued adaptation by the proxy not constitute a breach of the terms of access?

Example 3:

A site that adapts its response to the delivery context (as does my company’s mobile Web technology) may emit an entirely different site map to the end user, depending on how that user is interacting with the site. Pagination of long pages, for example, will lead to intermediate pages (sub-pages, if you like) that have URLs of their own. These URLs are ephemeral. Deep linking to these URLs, because of their temporary and context-dependent nature, would be meaningless. Is there a recommended way for the adapting server to respond to a client that is referencing such deep links from outside of the delivery context in which such URLs might make sense? The current options are to redirect to a base representation, return an HTTP error code or to return a representation of the URL (if possible) that is suitable for the new delivery context.

Some guidance from the TAG on these concerns would be welcome.

Regards,

---Rotan.

____________________________
Dr Rotan Hanrahan
Chief Innovations Architect and CTO
Mobileaware Ltd

4 St Catherines Lane West
The Digital Hub
Dublin 8, Ireland
E: rotan.hanrahan@...
W: www.MobileAware.com


Re: URIs, deep linking, framing, adapting and related concerns

by Jonathan Rees-3

I think you are mostly asking architectural questions, which I won't
answer right now; I just wanted to touch on the non-technical
question.

On Fri, Oct 16, 2009 at 8:56 AM, Rotan Hanrahan
<rotan.hanrahan@...> wrote:

> To the TAG members,
>
> Recent discussions with other W3C members once again highlight the general
> mis-understanding of the role of the URI (or URL, to use the term more
> familiar to the wider community). The publication of a URL that identifies a
> third party resource cannot (in any sensible manner) be prevented by that
> third party because the URL is merely the address of a single resource
> within a huge public space. By virtue of placing the resource into the
> public space, the owner of the resource (or the associated intellectual
> property) has effectively agreed to reveal the address and make it “common
> knowledge”.
>
> Some owners of these resources seem to believe that they can legally prevent
> people from uttering Web addresses in public. This would be counter to the
> architecture of the Web, which depends on being able to make such
> references.
>
> This probably seems correct to anyone familiar with the Web. A statement
> from the TAG to this effect reinforcing the open nature of URLs may help
> dispel the misunderstandings about what can and cannot be done with URLs.

I agree that a statement from someone is desirable. But this is
primarily a legal question, which the TAG is ill equipped to answer.
Putting a URI somewhere is a form of speech and is subject to whatever
local regulations govern speech. For example, trademark law prohibits
uses of a mark that might confuse a consumer, and uttering a URI that
contains profanity, threats, pornography, copyrighted material, state
or personal secrets, etc. would also be subject to law. So the
question is not black or white. As for things like the absurd
http://www.aa.com/i18n/footer/legal.jsp "links to the site", you'd
really have to get an attorney or legal scholar to tell you that you
are violating no law by ignoring what American says. You shouldn't
believe me.

I would be happy to reinforce a request that W3C make a statement or
FAQ of some kind on the subject. It might be desirable to summarize
statute in a sampling of jurisdictions, and there is some relevant
case law that W3C could point people to.

Jonathan


Re: URIs, deep linking, framing, adapting and related concerns

by David Booth-6

"Deep Linking" in the World Wide Web
TAG Finding 11 Sep 2003:
http://www.w3.org/2001/tag/doc/deeplinking.html

David Booth


On Fri, 2009-10-16 at 09:30 -0400, Jonathan Rees wrote:

> I think you are mostly asking architectural questions, which I won't
> answer right now; I just wanted to touch on the non-technical
> question.
>
> On Fri, Oct 16, 2009 at 8:56 AM, Rotan Hanrahan
> <rotan.hanrahan@...> wrote:
> > To the TAG members,
> >
> > Recent discussions with other W3C members once again highlight the general
> > mis-understanding of the role of the URI (or URL, to use the term more
> > familiar to the wider community). The publication of a URL that identifies a
> > third party resource cannot (in any sensible manner) be prevented by that
> > third party because the URL is merely the address of a single resource
> > within a huge public space. By virtue of placing the resource into the
> > public space, the owner of the resource (or the associated intellectual
> > property) has effectively agreed to reveal the address and make it “common
> > knowledge”.
> >
> > Some owners of these resources seem to believe that they can legally prevent
> > people from uttering Web addresses in public. This would be counter to the
> > architecture of the Web, which depends on being able to make such
> > references.
> >
> > This probably seems correct to anyone familiar with the Web. A statement
> > from the TAG to this effect reinforcing the open nature of URLs may help
> > dispel the misunderstandings about what can and cannot be done with URLs.
>
> I agree that a statement from someone is desirable. But this is
> primarily a legal question, which the TAG is ill equipped to answer.
> Putting a URI somewhere is a form of speech and is subject to whatever
> local regulations govern speech. For example, trademark law prohibits
> uses of a mark that might confuse a consumer, and uttering a URI that
> contains profanity, threats, pornography, copyrighted material, state
> or personal secrets, etc. would also be subject to law. So the
> question is not black or white. As for things like the absurd
> http://www.aa.com/i18n/footer/legal.jsp "links to the site", you'd
> really have to get an attorney or legal scholar to tell you that you
> are violating no law by ignoring what American says. You shouldn't
> believe me.
>
> I would be happy to reinforce a request that W3C make a statement or
> FAQ of some kind on the subject. It might be desirable to summarize
> statute in a sampling of jurisdictions, and there is some relevant
> case law that W3C could point people to.
>
> Jonathan
>
>
>
--
David Booth, Ph.D.
Cleveland Clinic (contractor)

Opinions expressed herein are those of the author and do not necessarily
reflect those of Cleveland Clinic.



RE: URIs, deep linking, framing, adapting and related concerns

by Rotan Hanrahan

Indeed, yet 6 years on the misunderstandings persist.

Also, this earlier TAG Finding predates the massive growth in adaptive sites where the representations returned from a URL will vary considerably depending on context. Deep links to such sites are problematic. The sites would not necessarily attempt to deny access via out-of-context linking, but might respond otherwise with an error, a redirection to a better alternative URL, or perhaps an alternative representation of the identified resource. I am not aware of any general guidance on which, if any, of these strategies would be appropriate.

There is also the issue of what is appropriate when a page contains references to third-party resources. If the phishing culprit were to directly present/manipulate the logos of the Bank of Webtopia, then perhaps a copyright/trademark infringement might be noted. But if said culprit were to place the manipulations into JavaScript/CSS/etc. and merely reference the images in the markup, then it is the end-user's browser that is doing the infringement. Or is it? (It's a legal question, so perhaps out of scope for the TAG.) Browsers might get clever about spotting these abuses of the Web, but if we *expect* the browsers to be this clever then perhaps the behaviour has to be part of the Web architecture itself.

I feel that perhaps a refresh of the 2003 Finding may be beneficial, and perhaps should include an appropriate "sound bite" that would attract broader attention and hopefully drive the message home.

---Rotan.


-----Original Message-----
From: David Booth [mailto:david@...]
Sent: 16 October 2009 15:49
To: Jonathan Rees
Cc: Rotan Hanrahan; www-tag@...; Thinh Nguyen
Subject: Re: URIs, deep linking, framing, adapting and related concerns

"Deep Linking" in the World Wide Web
TAG Finding 11 Sep 2003:
http://www.w3.org/2001/tag/doc/deeplinking.html

David Booth


On Fri, 2009-10-16 at 09:30 -0400, Jonathan Rees wrote:

> I think you are mostly asking architectural questions, which I won't
> answer right now; I just wanted to touch on the non-technical
> question.
>
> On Fri, Oct 16, 2009 at 8:56 AM, Rotan Hanrahan
> <rotan.hanrahan@...> wrote:
> > To the TAG members,
> >
> > Recent discussions with other W3C members once again highlight the general
> > mis-understanding of the role of the URI (or URL, to use the term more
> > familiar to the wider community). The publication of a URL that identifies a
> > third party resource cannot (in any sensible manner) be prevented by that
> > third party because the URL is merely the address of a single resource
> > within a huge public space. By virtue of placing the resource into the
> > public space, the owner of the resource (or the associated intellectual
> > property) has effectively agreed to reveal the address and make it “common
> > knowledge”.
> >
> > Some owners of these resources seem to believe that they can legally prevent
> > people from uttering Web addresses in public. This would be counter to the
> > architecture of the Web, which depends on being able to make such
> > references.
> >
> > This probably seems correct to anyone familiar with the Web. A statement
> > from the TAG to this effect reinforcing the open nature of URLs may help
> > dispel the misunderstandings about what can and cannot be done with URLs.
>
> I agree that a statement from someone is desirable. But this is
> primarily a legal question, which the TAG is ill equipped to answer.
> Putting a URI somewhere is a form of speech and is subject to whatever
> local regulations govern speech. For example, trademark law prohibits
> uses of a mark that might confuse a consumer, and uttering a URI that
> contains profanity, threats, pornography, copyrighted material, state
> or personal secrets, etc. would also be subject to law. So the
> question is not black or white. As for things like the absurd
> http://www.aa.com/i18n/footer/legal.jsp "links to the site", you'd
> really have to get an attorney or legal scholar to tell you that you
> are violating no law by ignoring what American says. You shouldn't
> believe me.
>
> I would be happy to reinforce a request that W3C make a statement or
> FAQ of some kind on the subject. It might be desirable to summarize
> statute in a sampling of jurisdictions, and there is some relevant
> case law that W3C could point people to.
>
> Jonathan
>
>
>
--
David Booth, Ph.D.
Cleveland Clinic (contractor)

Opinions expressed herein are those of the author and do not necessarily
reflect those of Cleveland Clinic.
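
The three responses named in Example 3 and again in the reply above (redirect to a base representation, return an HTTP error, or serve a representation suited to the new delivery context), sketched as an added example that is not part of the thread or of any participant's product. The URL layout `/articles/<id>/<profile>/<page>`, the profile names, the User-Agent test and the choice of 302 and 404 are assumptions made for illustration.

```javascript
'use strict';
// Added example: every name, path and profile here is hypothetical.

// Constructed sample data: one resource and two delivery-context profiles.
const ARTICLES = new Map([['42', 'x'.repeat(4300)]]);      // 4300 chars of body
const PROFILES = new Map([['small', 500], ['large', 2000]]); // chars per sub-page

// Stand-in for real delivery-context detection (assumption: UA sniffing only).
function deliveryContext(headers) {
  return /Mobile/i.test(headers['user-agent'] || '') ? 'small' : 'large';
}

function pageCount(id, profile) {
  return Math.max(1, Math.ceil(ARTICLES.get(id).length / PROFILES.get(profile)));
}

function subPage(id, profile, page) {
  const size = PROFILES.get(profile);
  return ARTICLES.get(id).slice((page - 1) * size, page * size);
}

// Responses differ by client, so caches must key on User-Agent.
function reply(status, headers = {}, body = '') {
  return { status, headers: { Vary: 'User-Agent', ...headers }, body };
}

// Ephemeral sub-page URL: the profile segment records the context it was minted in.
const SUBPAGE = /^\/articles\/(\d{1,9})\/([a-z]+)\/(\d{1,4})$/;

// strategy: 'redirect' | 'error' | 'readapt' for out-of-context deep links.
function handle(req, strategy) {
  const m = SUBPAGE.exec(req.path);
  // The deep link is untrusted input: reject anything that is not a known
  // resource, a known profile and a page number that profile could have issued.
  if (!m || !ARTICLES.has(m[1]) || !PROFILES.has(m[2])) return reply(404);
  const [, id, minted, pageStr] = m;
  const page = Number(pageStr);
  if (page < 1 || page > pageCount(id, minted)) return reply(404);

  const ctx = deliveryContext(req.headers);
  if (minted === ctx) return reply(200, {}, subPage(id, ctx, page));

  // Out of context. Targets are rebuilt from validated parts, never copied
  // from the request, so a crafted link cannot steer the redirect elsewhere.
  const canonical = `/articles/${id}`;
  switch (strategy) {
    case 'redirect': // temporary: the mapping depends on who is asking
      return reply(302, { Location: canonical });
    case 'error':
      return reply(404, {}, `Not available in this context; see ${canonical}`);
    case 'readapt': {
      // Find the sub-page in the requester's profile that contains the first
      // character of the sub-page the link originally pointed at.
      const offset = (page - 1) * PROFILES.get(minted);
      const newPage = Math.floor(offset / PROFILES.get(ctx)) + 1;
      return reply(200,
        { 'Content-Location': `${canonical}/${ctx}/${newPage}` },
        subPage(id, ctx, newPage));
    }
    default:
      throw new Error(`unknown strategy: ${strategy}`);
  }
}
```
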


RE: URIs, deep linking, framing, adapting and related concerns

by Larry Masinter-3

(Composed earlier and a little out of order now):

You'd think I'd be happy to disclaim the TAG reducing its work in this
area, citing that it is a "non-technical" question, but there's still
an architectural framework of messages and responsibility; recall
the http://lists.w3.org/Archives/Public/www-tag/2009Oct/0020.html 
discussion about authoritative metadata, MIME types, and the
responsibility associated with sending a JPEG image which says
"fire! fire!" as text/plain (or some such; I think the minutes
didn't catch the full example.)

In the cases of deep linking, I think we should look at whether the
security and administrative concerns that lead to consideration of
"same origin cookies", CORS, mash-ups, and the browser security
concerns around delegated authority and confused deputy attacks
are additional sources of requirements for consideration.

Producer A creates a message W (a HTTP response in HTML, say) which
the producer purports comes from A, and sends the message to consumer
B. Consumer B reads and interprets the message, believing the message
to be delivered with A's authority and ownership.

However, consumer B, following W3C recommendations, sees images or
frames or sometimes redirects or links to images, data, or pages
viewed that do not actually come from producer A, but instead
producer C.  W might contain IMG tags pointing to C's site,
or frame a page from C's site, or otherwise use C's information
without C's knowledge, permission, authorization, or copyright
release.

Producer A is not merely "uttering" the address of C's data,
producer A is sending B a message which causes B to be confused
about the source. If Producer A is responsible for the effect
of A's messages on consumer B if consumer B is carefully following
recommendations or well-known best practice, then can
Producer A be held responsible for misappropriating
C's information?

The act to focus on, though, is not merely the "uttering"
of the link, but the use of a link in a context which causes
the receiver to follow the link in a different context
than the one intended.

Whether this is illegal, a violation of some right of C, rude
or misleading may be out of scope for the TAG, but at least
we might be able to provide a clearer foundation for talking
about such things.

If there is a free sports event, but someone stands outside
selling "tickets", is this illegal or merely enterprising?
If someone takes a freely distributed TV recording and
substitutes their own advertisers for the original ones,
is this illegal, rude, or just fun?

I think the judgment about legality may depend on the way in
which deep linking is used, and certainly a blanket ban on
"deep linking" isn't likely to be useful.

Another way in which W3C recommendations might have some effect
on the question of deep linking is whether W3C (or IETF)
provide mechanisms by which deep linking can be effectively
prevented; for example, could the Origin mechanism being
proposed to solve cross-origin request spoofing also be
used to prevent links from other sites?

Larry
--
http://larry.masinter.net



Re: URIs, deep linking, framing, adapting and related concerns

by noah_mendelsohn

I think there are architectural as well as legal issues involved here,
though I'll admit that the border between the strictly technical
architectural issues, and the social architectural issues, isn't always
crisp.

In any case, the TAG does have a history of making statements about these
things, specifically the finding ""Deep Linking" in the World Wide Web"
[1].  I think the finding is probably OK as far as it goes, but I think it
unnecessarily emphasizes issues relating to the distinction between "home"
pages:

"People engaged in delivering information or services via the World Wide
Web typically speak in terms of "Web sites" which have "home pages" or
"portal pages." Deep linking is the practice of publishing a hyperlink
from a page on one site to a page "inside" another site, bypassing the
"home" or "portal" page."

It concludes:

"Attempts at the public-policy level to limit the usage, transmission and
publication of URIs at the policy level are inappropriate and based on a
misunderstanding of the Web's architecture. Attempts to control access to
the resources identified by URIs are entirely appropriate and
well-supported by the Web technology.

This issue is important because attempts to limit deep linking are in fact
risky for two reasons:

   1. The policy is at risk of failure. The Web is so large that any
      policy enforcement requires considerable automated support from
      software to be practical. Since a deep link looks like any other
      link to Web software, such automated support is not practical.
   2. The Web is at the risk of damage. The hypertext architecture of
      the Web has brought substantial benefits to the world at large.
      The onset of legislation and litigation based on confusion between
      identification and access has the potential to impair the future
      development of the Web."

I would be very sympathetic to rearranging the finding, or publishing in
the form of a new additional finding, to focus primarily on the first
sentence of the conclusions, which is the one that says:

"Attempts at the public-policy level to limit the usage, transmission and
publication of URIs at the policy level are inappropriate and based on a
misunderstanding of the Web's architecture. Attempts to control access to
the resources identified by URIs are entirely appropriate and
well-supported by the Web technology."

This is independent of the notion of "home", "portal", "site" or "inside",
etc.  All of that could be moved to chapters that explain the "deep"
aspects of linking as a special case of the larger principle.  I.e., now
that we've told you that limiting usage, transmission, and publication of
any URI is inappropriate (modulo things like libelous text embedded in the
URI itself, etc.), it follows as a special case that the principle applies
equally to pages that the resource owner might consider "nested" or
"inside" as it does to pages that are viewed as "home" or "portal".

Noah

[1] http://www.w3.org/2001/tag/doc/deeplinking-20030911 

--------------------------------------
Noah Mendelsohn
IBM Corporation
One Rogers Street
Cambridge, MA 02142
1-617-693-4036
--------------------------------------

Jonathan Rees <jar@...>
Sent by: www-tag-request@...
10/16/2009 09:30 AM
 
        To:     Rotan Hanrahan <rotan.hanrahan@...>
        cc:     www-tag@..., Thinh Nguyen <thinh@...>,
(bcc: Noah Mendelsohn/Cambridge/IBM)
        Subject:        Re: URIs, deep linking, framing, adapting and
related concerns


I think you are mostly asking architectural questions, which I won't
answer right now; I just wanted to touch on the non-technical
question.

On Fri, Oct 16, 2009 at 8:56 AM, Rotan Hanrahan
<rotan.hanrahan@...> wrote:
> To the TAG members,
>
> Recent discussions with other W3C members once again highlight the general
> mis-understanding of the role of the URI (or URL, to use the term more
> familiar to the wider community). The publication of a URL that identifies a
> third party resource cannot (in any sensible manner) be prevented by that
> third party because the URL is merely the address of a single resource
> within a huge public space. By virtue of placing the resource into the
> public space, the owner of the resource (or the associated intellectual
> property) has effectively agreed to reveal the address and make it “common
> knowledge”.
>
> Some owners of these resources seem to believe that they can legally prevent
> people from uttering Web addresses in public. This would be counter to the
> architecture of the Web, which depends on being able to make such
> references.
>
> This probably seems correct to anyone familiar with the Web. A statement
> from the TAG to this effect reinforcing the open nature of URLs may help
> dispel the misunderstandings about what can and cannot be done with URLs.

I agree that a statement from someone is desirable. But this is
primarily a legal question, which the TAG is ill equipped to answer.
Putting a URI somewhere is a form of speech and is subject to whatever
local regulations govern speech. For example, trademark law prohibits
uses of a mark that might confuse a consumer, and uttering a URI that
contains profanity, threats, pornography, copyrighted material, state
or personal secrets, etc. would also be subject to law. So the
question is not black or white. As for things like the absurd
http://www.aa.com/i18n/footer/legal.jsp "links to the site", you'd
really have to get an attorney or legal scholar to tell you that you
are violating no law by ignoring what American says. You shouldn't
believe me.

I would be happy to reinforce a request that W3C make a statement or
FAQ of some kind on the subject. It might be desirable to summarize
statute in a sampling of jurisdictions, and there is some relevant
case law that W3C could point people to.

Jonathan




Re: URIs, deep linking, framing, adapting and related concerns

by Dan Connolly

I know this thread has gone quiet, but that's not because
we don't think it's important.

I took the ball on this in the 22 Oct TAG teleconference.
http://www.w3.org/2001/tag/2009/10/22-minutes.html#item06
http://www.w3.org/2001/tag/group/track/actions/322

I'm working with Rigo and others to find people qualified
to research the legal as well as technical aspects.

A somewhat arbitrary estimate on when I'll have news is
end of January.




On Fri, 2009-10-16 at 14:59 -0400, noah_mendelsohn@... wrote:
> I think there are architectural as well as legal issues involved here,
> though I'll admit that the border between the strictly technical
> architectural issues, and the social architectural issues, isn't always
> crisp.
[...]

--
Dan Connolly, W3C http://www.w3.org/People/Connolly/
gpg D3C2 887B 0F92 6005 C541  0875 0F91 96DE 6E52 C29E