Re: Opening UP Notice: policy infrastructure Re: oo.apple.com

Yes.. It seems all conversations in this area come back to the FTC's  
most fundamental (and first) principle ..  Notice

  so..

Is the question how to go about developing something like P3P but on a  
broader scale for notification in general?  .

Malcolm's paper raises the issues:

"A better approach would be one where individuals have more ‘real’  
control.  This could be
by better means of providing notice or by setting stricter rules.   
Another option would be to
support notice/use limitation approaches by providing better  
mechanisms to assure
individuals that their personal information is under control (while  
still allowing direct
control where this is practicable and where individuals wish to  
exercise it) for example by:
• providing for adaptable information handling standards that could  
respond more
specifically to culture and context;
• more robust transparency requirements for organisations;
• compliance audits published in certain circumstances; and/or
• risk/incentive frameworks to get information handling right."

Another approach may be to open notification of public notices to a  
standard, and to open consent as a specific breed of bilateral notice  
standard so that these are functions that are external from  
Enterprise.  Right now these two functions are performed by each  
enterprise and notice and consent are not systematically accessible.  
It is clear that a standard is specifically needed for consent  
status.   With out a dramatic increase in accessibility to notices it  
is very difficult to develop solutions like Do-Not-Track that work or  
provide clarity of control.  This is what I believe to be causing  
notification to be such a burden, and as Apple is realising, causing  
so much friction with Customers..

Rather than asserting some privacy principles are doing too much I  
would suggest that for the first time we can look at enhancing the  
static notification infrastructure that exists on and off line.    
Suggesting something along the lines of a simple  digital/online  
notice standard providing a common notice location and focusing on  
structuring notices for accessibility first.

In response to the requirement for assurance metrics and audits .   
Include something like a common versioning process for logging notices  
and Online notices can be used as the top layer of an audit log for  
consent and control of information policy online.

The idea of a privacy risk rating system is great and I think would be  
much easier to create with an open notice standard.  Although I think  
it is a larger than privacy issue.


- Mark



On 21 Apr 2011, at 14:22, Chappelle, Kasey, VF-Group wrote:

> And the two threads converge . . .
>
> If industry and regulation operated under Malcolm's model (which I  
> agree would be an improvement - consent, especially in the European  
> model, is overused to the point where it's meaningless), would Apple  
> have been able to avoid the blogosphere calling for its head on  
> geolocation data collection (even if it turns out to have a primary  
> purpose)?
>
> -----Original Message-----
> From: public-privacy-request@w3.org [mailto:public-privacy-request@w3.org 
> ] On Behalf Of Malcolm Crompton
> Sent: 21 April 2011 14:11
> To: 'Mark Lizar'; 'Karl Dubost'
> Cc: 'Rigo Wenning'; public-privacy@w3.org
> Subject: RE: policy infrastructure Re: oo.apple.com
>
> Just to push this debate one step further, we wrote papers in 2007  
> that pointed out that we are pushing the notice and consent model  
> too hard.
> People have neither the time or inclination to read and make  
> decisions on hundreds of notices a day.  The original 'individual  
> participation'
> principle has become a burden in too many cases, so that when it is  
> really needed it is lost in the weeds of all the other decisions  
> that an individual is asked to make about handling personal  
> information.
>
> The Centre for Information Policy Leadership was making this point  
> even earlier.  The US FTC has effectively now reached a similar  
> conclusion.
>
> The papers are online at the very bottom of the following page in  
> the box titled 'Recommended Reading':
>
> http://www.openforum.com.au/Privacy_and_Trust.
>
> See particularly the "Working Paper" for a possible way forward to  
> overcome the problem
>
> Malcolm Crompton
>
> Managing Director
> Information Integrity Solutions Pty Ltd
> ABN 78 107 611 898
>
> T:  +61 407 014 450
>
> MCrompton@iispartners.com
> www.iispartners.com
>
>
>
>
> -----Original Message-----
> From: public-privacy-request@w3.org [mailto:public-privacy-request@w3.org 
> ]
> On Behalf Of Mark Lizar
> Sent: Thursday, 21 April 2011 10:43 PM
> To: Karl Dubost
> Cc: Rigo Wenning; public-privacy@w3.org
> Subject: Re: policy infrastructure Re: oo.apple.com
>
> On 21 Apr 2011, at 12:56, Karl Dubost wrote:
>
>> Mark,
>>
>> a few questions to better understand what you are suggesting.
>>
>> Le 21 avr. 2011 à 07:29, Mark Lizar a écrit :
>>> At this time, all of the policies and notices are ad-hoc, un-
>>> standardised which means that are not useful in comparison from
>>> service to service.
>>
>> How would you make explicit the elements of the policy?
>
> Elements of a policy are already explicit it data protection
> legislation globally.  In fact Notice is the only consistent
> regulation across all major regulating jurisdiction.  These elements
> are further defined in each regulation but almost always include basic
> legally required notice elements like; purpose specification, use
> limitation, contact information, third parties that interact with the
> limited use of the information etc.
>
>
>> What are the differences in your suggestion from P3P?
>> http://www.w3.org/TR/P3P11/#Introduction
>
>
> P3P was designed to make machine readable privacy preferences.  This
> is about discovering and finding access to notices that are already
> legally required to be as open as possible to compare with something
> like privacy preferences.  The reason I believe P3P struggled is that
> there is a lack of standard notices for P3P to hook into.
>
>>
>>> In fact without a standard in notice, there is no simple way for
>>> people to see what kind of control they have over information when
>>> interacting online.
>>
>> How would you like the policies (legalese) to be changed as controls
>> (actions/preferences)?
>
> Well, for example a simple standard may just have a file with fields
> to accommodate links to policy components.  A notices meta data could
> provide transparency over its components,   Links can provide access
> in a standard way to layers of policy.
>
>>
>>> A standard in notice would provide a way for notice to be viewed on
>>> aggregate for a clear and dynamic picture of policy.
>>
>> There are at least 4 parts it seems in what you are mentioning
>>
>> 1. The description of the policy (markup)
>
>> 2. The notification of changes (protocol)
>> 3. Knowing what has changed See http://www.goodiff.org/
>> 4. The visualization of policies and their changes (design/UX)
>>  See the work http://www.azarask.in/blog/post/privacy-icons/
>> 5. Access to bits of the policy (api)
>
> Perhaps P3P, POWDER, XACML, ORDL, ACAP, RIF, etc can be used easily
> with a simple standard to unite such efforts? .
>
>>
>> If I understood what you are describing, what kind of issues would
>> it solve?
>
> Well, this potentially solve many issues.  The primary focus should be
> accessibility and internationalisation of notice  information, e.g.
> the ability for a device to automatically parse location based notices
> to provide notice information in different formats or languages.
>
> Although, I imaging that a simple standard would have an immense
> impact on privacy, trust, security and economic performance of service
> information that Enterprise try to deliver.
>
>
>>
>>
>>
>> -- 
>> Karl Dubost - http://dev.opera.com/
>> Developer Relations & Tools, Opera Software
>>
>
>
>
>
>
>