W3C home > Mailing lists > Public > public-device-apis@w3.org > December 2009

Re: W3C TAG position on policy mechanisms for Web APIs and Services

From: Frederick Hirsch <frederick.hirsch@nokia.com>
Date: Thu, 10 Dec 2009 16:07:13 -0500
Cc: Frederick Hirsch <frederick.hirsch@nokia.com>
Message-Id: <D9C655CA-15A5-4084-BDD1-B4143F321182@nokia.com>
To: W3C Device APIs and Policy WG <public-device-apis@w3.org>
I mentioned this TAG message (below) on our last call and offered to  
draft a response to the TAG.

The wiki cited provides generic examples of how information can be  
misused, or used in accordance with agreements yet not people's  
expectations.

Unless I'm mistaken, the  Geolocation WG elected not to directly  
address policy in the APIs, different from what is suggested by the  
TAG or IETF Geopriv WG. If I remember,  reasons included that  it  
would be inappropriate for a browser to present statements that it  
cannot enforce, that web site policies should address the concern and  
that conveying privacy policy information (e.g. intent/restrictions  
for reuse/redistribution etc) add complexity.  The counter argument is  
that conveying privacy policy intent is important. If there are  
additional arguments, perhaps a short summary would be useful.

I have a few questions to the WG.

First, it seems an appropriate response to the TAG is to thank them  
for the suggestion and indicate that this will be considered as we  
develop our policy requirements and framework (as Noah outlined in a  
subsequent list message). Any other suggestions? I'd like to send a  
formal response acknowledging the message.

Second, I suggest the privacy requirements need to be addressed in  
our  policy requirements document as well as in API documents. We need  
to be clear on the options, our approach and rationale in the   
requirements document.  Again this is hard since we will deal with  
both widget and web site models. Can anyone help with this?

Third, we should ask whether we will address privacy explicitly in  
APIs or in policy,  implicitly using extension points, or elsewhere in  
the ecosystem model.

How should we make progress on this? Concrete proposals to the list  
would be most helpful. We might want to have a discussion with the TAG  
once we've reached some tentative conclusions.

regards, Frederick

Frederick Hirsch, Nokia
Co-Chair, W3C DAP Working Group

Begin forwarded message:

> From: "ext noah_mendelsohn@us.ibm.com" <noah_mendelsohn@us.ibm.com>
> Date: December 4, 2009 10:33:32 AM EST
> To: "public-device-apis@w3.org" <public-device-apis@w3.org>
> Cc: "public-geolocation@w3.org" <public-geolocation@w3.org>, "www-tag@w3.org 
> " <www-tag@w3.org>
> Subject: W3C TAG position on policy mechanisms for Web APIs and  
> Services
>
> To: The W3C Device APIs and Policy Working Group
>
> The W3C Policy Languages Interest Group maintains a Wiki [1] which
> contains real world cases where personal information has been  
> compromised
> due to inadequate policy or poor/nonexistent enforcement. One of these
> cases describes how Virgin Mobile used photos that it found on  
> Flickr in a
> national advertising program.  The photos appeared on large  
> billboards,
> much to the surprise of the owner and the subject.
>
> In the public mind, issues related to the management and protection of
> user information in Web Applications, Device access over the Web and
> Services provided over the Web loom large and must be addressed.   
> The TAG,
> therefore, urges working groups working in these areas to include in  
> their
> architectures the ability to communicate policy information so that  
> it can
> be used to determine correct access to and retention of user data and
> resources. Addressing these concerns should be a requirement,  
> although the
> details of how they are addressed may vary by application. For  
> example, a
> working group might provide mechanisms for including policy  
> information in
> API calls in a flexible manner, perhaps by using some more generalized
> extensibility mechanism.
>
> We note that there has been some dialog in this area.  In  
> particular, the
> IETF GeoPriv Working Group has requested [2] the W3C Geolocation  
> Working
> Group to add additional support for user privacy. There is a  
> discussion
> thread on this subject on the Geolocation Mailing list [3].
>
> Thank you very much.
>
> Noah Mendelsohn
> For the W3C Technical Architecture Group
>
> [1] http://www.w3.org/Policy/pling/wiki/InterestingCases
> [2]
> http://lists.w3.org/Archives/Public/public-geolocation/2009Aug/0006.html
> [3]
> http://lists.w3.org/Archives/Public/public-geolocation/2009Jun/thread.html#msg98
>
>
> P.S. Tracker:  this should fulfill TAG ACTION-318
>
> --------------------------------------
> Noah Mendelsohn
> IBM Corporation
> One Rogers Street
> Cambridge, MA 02142
> 1-617-693-4036
> --------------------------------------
>
>
>
>
>
Received on Thursday, 10 December 2009 21:07:55 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:14:03 GMT