
RE: W3C Workshop Agreement?

From: Tschofenig, Hannes (NSN - FI/Espoo) <hannes.tschofenig@nsn.com>
Date: Fri, 13 Aug 2010 13:21:41 +0300
Message-ID: <3D3C75174CB95F42AD6BCC56E5555B4502E9BE97@FIESEXC015.nsn-intra.net>
To: "ext Thomas Roessler" <tlr@w3.org>
Cc: <public-privacy@w3.org>
Hi Thomas, 
a few notes below...


	From: ext Thomas Roessler [mailto:tlr@w3.org] 
	Sent: Friday, August 13, 2010 12:53 PM
	To: Tschofenig, Hannes (NSN - FI/Espoo)
	Cc: Thomas Roessler; public-privacy@w3.org
	Subject: Re: W3C Workshop Agreement?
	On 13 Aug 2010, at 10:48, Tschofenig, Hannes (NSN - FI/Espoo)

		Hi all, 

		In the tentative writeup of the workshop it says: 

		The two practical proposals that drew most interest and
discussions were the Mozilla privacy icon approach and CDT's privacy
rule-set idea. Both also drew significant questions about their
practical viability and deployability; yet, further investigation and
experimentation with both approaches seems worthwhile. 


		I think it should rather say that we should be honest
and write:  
		The two practical proposals that drew most interest and
discussions were the Mozilla privacy icon approach and CDT's privacy
rule-set idea. Both also drew significant questions from the side of
browser vendors and big Web service providers about their practical
viability and deployability; yet, further investigation and
experimentation with both approaches seems worthwhile. 

		We could even mention the names of the persons /
companies to make it more clear. 


	Well, there were two sets of reservations:
	- Folks from various vendors saying they didn't really think
they'd implement those proposals. 
	I would call NSN a vendor and we are very interested in
implementing and providing privacy based capabilities to our customers.
Hence, you cannot say "vendors" here but rather to those persons at the
workshop, such as Ian, David, etc. I assume they speak with their
company hat but I am not sure. 
	- People with various backgrounds questioning whether either Web
services or browser vendors would have incentives to deploy a particular
	The very negative reaction from the previous set of people was
obviously noticed by others in the room and hence everyone else was
indeed wondering what would make these guys change their mind. People in
the room very well understood that some companies have a business model
that is based on collecting information and enhancing privacy
capabilities seems to be in conflict with their business model. 
	For example, I don't think Deirdre counts as "the side of
browser vendors and big Web service providers."  I do think, though,
that her remarks about lawyers' tendency to write ambiguous text, and
the fundamental incompatibility of that with some of the privacy policy
notions, is a valid reservation about the privacy icons work. 
	She is aware of how the industry works and is not too shy to say
it. I did not get the impression that she argued against developing
better ways for presenting privacy policies on the Internet. 
	What we could say is that the questions were about the practical
viability and likelihood of implementation in both Web browsers and by
Web service providers, or some such.  What do you think? 
	I tend to think that the core problem is with the incentives
rather than with the technical aspects. Sure, there are challenges (like
with any technology) but those are typically (for engineers) solvable.
Here, the arguments about the implementation and user interface aspects
are just claims to hide the real problem that people see, namely "why
should I do this when it could hurt my business". 

		Furthermore, I was wondering about this statement: 

		"There was widespread agreement that further
community-building  work on best practices both for specification
writers and implementers, and systematic privacy review of W3C
specifications would be useful. 


		Was there really such an agreement? 

		I recall that certain people said that it would have
been nice to provide some implementation hints/user interface aspects
into the geolocation specification. However, the same people were
previously arguing exactly against including such text into the spec at
the time when the spec was written. 

		I don't recall anyone who had argued that there should
be a systematic privacy review of W3C specifications, particularly not
the guys (browser vendors & big Web service providers) who largely
argued against any technical privacy mechanisms in the geolocation /
Device API specs. If you take a look at the geolocation API spec today
then you will see that there is very little in there about privacy. 

		So, I am not sure where this widespread agreement has
come from (given that I was at the workshop).

	I remember repeated discussion of privacy considerations and not
much opposition against those. That's what I meant by "agreement."  If
I'm overstating what I thought I heard, I'd be happy to correct this.

	I noticed that many people used the term "privacy
considerations", including myself, but nobody really described what they
mean by that. I can tell you what I have in mind. We in the IAB are
working on a document that provides the counterpart of the "Guidelines
for Writing RFC Text on Security Considerations" (RFC 3552) but for
privacy. I have, for example, no idea what Pat Walshe meant with privacy
guidelines when he mentioned it.  I also have no idea what this means
for the W3C either. In my presentation I had also highlighted that such
a document needs to come with the right organization structure. Without
going into details I fear (from my experience) that most organizations
do not have the right structure. 
	Your point that this abstract notion seems possibly inconsistent
with actual behavior in current WGs is well-taken.  I'd be willing to
leave that apparent contradiction in the report, though, since I think
it reflects what we're actually seeing.
	My concern was that there are very academic activities started
that may give the outside world the impression that the W3C actually
cares about privacy. For example, there is already the PLING working
group established in response to a privacy policy workshop a few years
ago. However, in reality you can discuss some academic publications in
such a venue but when it comes to the real stuff any commitment to deal
with privacy quickly vanishes. In essence what is then left is a nice
Chit Chat Club where people cross post all sorts of articles (typically
without indicating their own opinion or even without having read it
themselves). While it seems to be worthwhile to have those we
unfortunately already have many of them and they all tend to have one
property in common -- they are unable to capture a summary of discussions.

Received on Friday, 13 August 2010 10:22:23 UTC
