
Re: updated draft charter

From: Dave Raggett <dsr@w3.org>
Date: Wed, 06 Jun 2012 13:15:09 +0100
Message-ID: <4FCF49CD.3090306@w3.org>
To: public-sysapps@w3.org


On 06/06/12 04:24, SULLIVAN, BRYAN L wrote:
> On the privacy aspects, I think it would be a good time to take a
> system-level approach to that across these APIs. Thus I propose that
> we add a Privacy API to the phase 1, with the objective of providing
> to the user whatever information is relevant to the privacy related
> characteristics of all apps on the device, and related system-wide
> controls for the same. For example, in the DNT discussion it's been
> noted that diverse implementations in web user agents (of which there
> can be multiple) and web-enabled apps can lead to fragmented and
> inconsistent representations of user privacy preferences. Thus it
> would be good to enable management of preferences system-wide, and
> ensure that the applicable signals are always used (e.g. DNT header).
> The objective of the API would not be to mandate any UI aspects, but
> to provide the ability of apps to disclose privacy related
> characteristics, and the ability of suitably authorized apps to read
> those characteristics and manage system-wide privacy settings.

It is a bit late to add a privacy API deliverable to the questionnaire,
so I hope that others can respond to Bryan's suggestion via email.

Bryan: could you expand further on what you have in mind? My initial
reading is that you are asking for an API to access and update privacy
preferences, and for applications to indicate their privacy policies.

I can envisage a privacy management application that allows you to view
what privacy-related permissions were set for given applications. There
are, for example, Android apps for this, although they require a rooted
device to update the settings. This would be closely related to the
existing deliverables on the security and execution models.

Whilst I hesitate to mention P3P, a lot of good work was done on a
vocabulary for privacy policies covering what data is collected, who it
may be shared with and under what retention policy. P3P as it was
originally specified proved too hard to provide full implementations.
Microsoft's compact policies provided a simple solution, but only
covered cookies. A couple of years back I did some work for the
PrimeLife project on a broader subset of P3P that is easy to implement,
as I proved in the form of a Firefox add-on, see:

   http://www.w3.org/2010/09/raggett-fresh-take-on-p3p/

From the W3C workshop on Privacy and data usage, in October 2010:

   http://www.w3.org/2010/policy-ws/

Do Not Track has now re-opened the door for work on richer means for web
sites to express their policies, but I suspect that it is still too
early to begin standardizing. P3P's vocabulary is a valuable input, but
we need further work to better understand the landscape beyond DNT.

I anticipate a growing role for apps like "Lookout" that warn when you
try to install malware, and also provide warnings relating to privacy.
The next step will be to provide warnings according to the user's
privacy profile, e.g. carefree, cautious, or paranoid, and to take into
account independent third party assessments rather than just relying on
the website or app's stated privacy policy.

-- 
Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett
Received on Wednesday, 6 June 2012 12:15:36 GMT
