Re: Privacy Icon Study from Mark Lizar on 2011-03-01 (public-privacy@w3.org from January to March 2011)

From: Mark Lizar <info@smartspecies.com>
Date: Tue, 1 Mar 2011 15:43:47 +0000
To: <jeanpierre.lerouzic@orange-ftgroup.com>
Cc: "public-privacy@w3.org mailing list)" <public-privacy@w3.org>
Message-Id: <A1AD0213-1DD5-4487-9922-FAF6ABBAF08D@smartspecies.com>
Ah Yes,

I did send that email quite quickly without properly explaining what   
I was digging at.

On 1 Mar 2011, at 15:04, <jeanpierre.lerouzic@orange-ftgroup.com> wrote:

> Hi Mark,
>
> Thanks for the answer.
>
> I don't agree with your statement about user consent which is  
> already implemented. LibertyAlliance, OpenId and OAuth make this  
> possible but it's not mandatory at all. In fact it's the kind of  
> solution that should be used seldomly because it's quickly boring  
> the end user.

Consent is required and obtained with various consent models like opt  
in and outs..   What consent models are you referring to with Open Id  
and OAuth?

>
> I don't also agree with the fact that tracking is illegal, in fact:
> - It's the base of the business model of many companies including  
> Google.
> - What is usually illegal (EU/US) is tracking for an unspecified  
> goal and for an infinite amount of time. But I know why Google is  
> tracking me, I benefit from this tracking and the time of tracking  
> is limited.

Illegal in that unless a purpose, contact info and with whom the  
information is being shared is posted in notice the public data  
gathering activity isn't legally compliant in the EU.  Often there are  
many data collection activities that don't provide this information  
before or during collection.  Google does provide this information.   
Although many web tracking services don't hence the need for ICONS.

> The US FTC has an opinion on the subject of privacy which is that  
> companies should not track users in an unreasonable way and the  
> burden of implementing this is on the companies that track users. I  
> think this is the first practical attempt at solving the problem. If  
> we go at a philosophical level: After all it's not a technical  
> problem, but a societal problem (a behavior problem)  so the  
> solution should come from the society not from technology.

I agree technology can only do so much.  Do not track lists and ICONS  
provide transparency and maybe even accessibility to start addressing  
these issues, but I am looking for research on how these may progress  
to a solution.  I am concerened that these are being promoted as a  
whole solution themselves.


>
> So we may talk about very different topics :-)



>
> Best regards,
>
> Jean-Pierre
>
>
>
> De : Mark Lizar [mailto:info@smartspecies.com]
> Envoyé : mardi 1 mars 2011 11:04
> À : LE ROUZIC Jean-Pierre RD-MAPS-REN
> Cc : ktrilli@truste.com; public-privacy@w3.org
> Objet : Re: Privacy Icon Study
>
>
> Thanks Jean,
>
> On 1 Mar 2011, at 08:38, <jeanpierre.lerouzic@orange-ftgroup.com>  
> wrote:
>
>> Hi all,
>>
>> Your remarks are certainly very important on a theoretical point of  
>> view, thanks for launching the discussion.
>>
>> If your browser says "do not track me", you can legally sue the  
>> company that tracked you on many juridictions. You don't need  
>> electronic signatures or trusted third parties for that.
>
> So you are suggesting that first, me (a web browsing user) is going  
> to realise that I am being tracked (even though I am on a do not  
> track list) then that I am going to call/email a lawyer to sue this  
> tracking website? Is there a possibility this would be successful?   
> (In any jurisdiction)
>
>> I'ts an unsolved challenge to detect such violations of privacy but  
>> current "hard approaches" to privacy such as the one you seems to  
>> advocate in this post (I don't know your work sorry) are equally  
>> unable to detect it making them as useless as other easier  
>> approaches.
>> As for the risks not mitigated by the "do not track me" approach,  
>> IMO they exist for the 1% of bad guys that do not interact usually  
>> with the mainstream browser user.
>> All what you refer to "user consent, enforcement, trusted third  
>> parties" is very costly and sometime is very difficult to  
>> implement, for example how to implement user consent in a Web 2.0  
>> world of composed services?
>
> Consent is already implemented. At this moment there is a global  
> infrastructure of opt-in's and out's (on websites) which is  
> presumably a major reason why I need to log in and out of web  
> services.  So that my consent can be harvested so my data can be re- 
> used and tracked.
>
> For enforcement to be possible people need access to audit logs  
> (e.g. transparency) to see when, how, who, is using their  
> information/profiles.     Even more people could have control over  
> their own profiles and provide access to this profile to websites,  
> this way having access to audit logs wont be a problem.  Then I can  
> call my lawyer up, show her proof that my information is being  
> illegally used and tracked.    I agree, a do not track list provides  
> the notice to websites that consent is not provided for my  
> information to be used therefore providing a platform for redress.   
> Although, even without a do not track list, this has always been  
> illegal activity in many jurisdictions something that has been  
> observable for many years.  Still no legal action has stopped this.  
> So I dont think a do not track list is going to help besides further  
> popularising/confusing awareness of the issue.
>
>>
>> As a practitioner I would prefer a practical solution that works  
>> 99% of the time instead of a theoretical solution that almost never  
>> work in real life because of lack of interest and implementation.
>
>  I have yet to provide a theoretical solution.  Yet, Do Not Track  
> and ICONS are not even theoretical solutions from what I can tell.
>
> Are they?
>
>>
>> It's only my own opinion indeed.
>
> (opinions welcome)
>
>>
>> Jean-Pierre
>>
>> De : public-privacy-request@w3.org [mailto:public-privacy-request@w3.org 
>> ] De la part de Mark Lizar
>> Envoyé : mardi 1 mars 2011 01:07
>> À : Kevin Trilli
>> Cc : public-privacy (W3C mailing list)
>> Objet : Re: Privacy Icon Study
>>
>>
>> I am still not sure exactly what  privacy ICONS are going to  
>> accomplish without the added infrastructure of consent management,  
>> consumer driven enforcement, consistent regulation across  
>> jurisdictions.. etc.
>>
>> How can privacy icons be verified? Do the ICONS come with a  
>> standard way to layer privacy  notices?  Didnt Trust-E work on  
>> layered notices in 2006?
>>
>> It seems that ICONS are about 1/4 of what needs to be worked  
>> out.    Is it possible for someone to point me to information on  
>> what the privacy icon initiative at TrustE is actually intended to  
>> accomplish?  Does Truste have information on its auditing and  
>> accreditation progam for privacy icons? (or how such a program will  
>> work?)  Is there such a program at this time?
>>
>> I apologise for all the questions.  As a researcher I have been  
>> working towards proposing the development of a global standard and  
>> structure for notices across jurisdictions for quite some time now  
>> and yet I find this privacy Icon approach sparse on actually cause  
>> and effect information.  Similar to the do not track initiative the  
>> privacy icons initiative at this level seems shallow and without  
>> actual foundation for enforcement.
>>
>> Am I wrong?
>>
>> - Mark Lizar
>>
>> On 24 Feb 2011, at 16:39, Kevin Trilli wrote:
>>
>>> Hi all-
>>>
>>> Related, but independent, to Sören's note, TRUSTe released its  
>>> first study on privacy icons, which you can read about on our blog  
>>> if you are interested:
>>>
>>> http://www.truste.com/blog/?p=1172
>>>
>>> Please contact Travis (User Experience Designer) directly (cc:d)  
>>> if you would like to interact or provide any feedback.
>>>
>>> Thanks Sören for sharing, we will take a look at the latest  
>>> version of the standard.
>>>
>>> Kevin
>>>
>>>
>>>
>>> On Feb 24, 2011, at 5:12 AM, Sören Preibusch wrote:
>>>
>>>> Several proposals of iconographic representations of privacy  
>>>> concepts have
>>>> been brought up by academia, industry and individual enthusiasts.  
>>>> Some of
>>>> these proposals were discussed at the Workshop and over this list.
>>>>
>>>> The Unicode Standard, version 6.0 now introduces a plethora of  
>>>> over 750 new
>>>> symbols, emoticons, and pictographs, including characters for  
>>>> sunrise over
>>>> mountains (U+1F304), Bactrian camel (U+1F42B, "has two humps"),
>>>> extraterrestrial alien (U+1F47D), circus tent (U+1F3AA), face  
>>>> screaming in
>>>> fear (U+1F631), etc..
>>>>
>>>> Two (printable) characters may be more relevant for us:
>>>>
>>>> 1F50F LOCK WITH INK PEN
>>>> = privacy
>>>> 1F510       CLOSED LOCK WITH KEY
>>>> = secure
>>>>
>>>> The subtext is the intended meaning. Visual representations can  
>>>> be found at
>>>> http://www.unicode.org/charts/PDF/Unicode-6.0/ 
>>>> U60-1F300.pdf#page=10. As
>>>> pointed out by the Consortium, "the glyphs in [the] charts are only
>>>> representative; there can be wide variation in the glyphs used to  
>>>> represent
>>>> any particular character".
>>>>
>>>> Whilst a single new character in this high range may not be  
>>>> interesting in
>>>> itself, the combining characters in the standard, such as U+20E0  
>>>> (combining
>>>> enclosing circle backslash), can be added to express ideas such  
>>>> as "no
>>>> privacy" or "not secure".
>>>>
>>>> Sören
>>>>
>>>>
>>>
>>
>
Received on Tuesday, 1 March 2011 16:09:51 UTC