API Minimization and User Control [was: Re: DanA: what are you likely to have ready for the F2F] from Appelquist, Daniel, VF-Group on 2011-02-02 (www-tag@w3.org from February 2011)

From: Appelquist, Daniel, VF-Group <Daniel.Appelquist@vodafone.com>
Date: Wed, 2 Feb 2011 15:19:08 +0100
To: "tag" <www-tag@w3.org>
Message-ID: <C96F185C.82D9%daniel.appelquist@vodafone.com>
I am not sure I agree that minimization is an aspect of user control.
Minimization (in this context) is merely applying the principle of providing
a the lowest possible surface area of attack (to those who wish to
misappropriate private information).  It¹s not necessarily implicit that
it¹s the user deciding what granularity of information (for example, city /
neighborhood / street name) but rather that the webapp making the API call
must specify the level of granularity it needs and the API must respond with
no more than what the WebApp needs. The user could play a role there, but
not necessarily. At least that¹s my understanding of the principle as
applied in the DAP privacy requirements:
http://dev.w3.org/2009/dap/privacy-reqs/#privacy-minimization

...or am I missing something?

Dan

PS  I have brought this over to the public tag list  hope that¹s OK.

On 02/02/2011 13:35, "Oracle" <ashok.malhotra@oracle.com> wrote:

>    Dan:
>  If you buy the thesis of the paper, it says that letting the user control
> what private information gets
>  exposed is ultimately futile.  Thus,. minimization which is an aspect of user
> control is not interesting.
>  
> All the best, Ashok
>  
>  On 2/2/2011 12:49 AM, Appelquist, Daniel, VF-Group wrote:
>>  Re: DanA: what are you likely to have ready for the F2F Hia folks --
>>  
>>  I have been making some updates to
>> http://www.w3.org/2001/tag/doc/APIMinimization.html in anticipation of
>> discussion at the f2f as per ACTION-514.
>>  
>>  Ashok/Jonathan  thanks for that reference but I am not sure it really helps
>> me with the specific work item in question.
>>  
>>  I have found the following IETF Draft (
>> http://tools.ietf.org/id/draft-hansen-privacy-terminology-00.html ) which has
>> really reinforced some of my thinking in this space  and has helped me think
>> about this problem space.
>>  
>>  Basically what I propose that we could achieve in a TAG document on this
>> subject is to articulate how to apply this principle to the field of
>> browser-based API definition specifically (building on the work of the above
>> IETF draft and the good work of the folks in the DAP working group).
>>  
>>  Any thoughts?
>>  
>>  Thanks,
>>  Dan
>>  
>>  PS can we take this back to www-tag  or was there a reason you wanted to
>> keep this on tag, noah?
>>  
>>  On 31/01/2011 15:50, "Jonathan Rees" <jar@creativecommons.org> wrote:
>>  
>>   
>>> On Sun, Jan 30, 2011 at 11:05 AM, ashok malhotra
>>>  <ashok.malhotra@oracle.com> wrote:
>>>>  > Re. minimization, take a look at the paper by Abelson, Sussman, Hendler,
et
>>>>  > al..
>>>>  > This argues that users cannot make intelligent choices re. privacy
>>>> because
>>>>  > they do not realize all the
>>>>  > consequences of their actions.  Moreover, the landscape will change and
>>>> the
>>>>  > choices you
>>>>  > make today may not be appropriate tomorrow.  Hence, they say, that what
we
>>>>  > need are laws
>>>>  > about what data can be used in what context.  They cite as example the
>>>> FTC
>>>>  > laws that limit
>>>>  > the use of data that the credit rating companies collect.
>>>>  >
>>>>  > I'm having trouble finding a good pointer to the paper.  They best I get
is
>>>>  > http://portal.acm.org/citation.cfm?id=1349043 which allows you to buy a
>>>>  > copy.
>>>  
>>>  http://dig.csail.mit.edu/2008/06/info-accountability-cacm-weitzner.pdf
>>>  
>>>  (found at project page http://dig.csail.mit.edu/TAMI/ )
>>>  
>>>  Jonathan
>>>  
>>>>  > All the best, Ashok
>>>>  >
>>>>  > On 1/29/2011 4:25 PM, Noah Mendelsohn wrote:
>>>>>  >>
>>>>>  >> Dan: I hope you're feeling better. I would really appreciate it if you
>>>>>  >> could give me some guidance soon as to which areas you're working on
are
>>>>>  >> likely to merit F2F time.
>>>>>  >>
>>>>>  >> My tentative list includes the following as potential items from you:
>>>>>  >>
>>>>>  >> * API minimization
>>>>>  >> * deep linking proto draft
>>>>>  >> * Widgets and offline Web apps - I have a note that Matt Womer is
>>>>> doing a
>>>>>  >> workshop relating to unification Web Apps group and app cache)
>>>>>  >>
>>>>>  >> FYI, your open actions are:
>>>>>  >>
>>>>>  >> ACTION-390: Review ISSUE-58 and suggest next steps  (I note that Henry
has
>>>>>  >> asked for some discussion of the catalog he's put together)
>>>>>  >> ACTION-507: With Noah to suggest next steps for TAG on privacy
>>>>>  >> ACTION-480: Draft overview document framing Web applications as
>>>>> opposed to
>>>>>  >> traditional Web of documents
>>>>>  >> ACTION-460: Coordinate with IAB regarding next steps on privacy policy
>>>>>  >> ACTION-514: open     Draft finding on API minimization
>>>>>  >> ACTION-505: Start a document wrt issue-25 (deep linking)
>>>>>  >>
>>>>>  >> It's not yet clear whether we are overcommitted time-wise, so I'd like
to
>>>>>  >> start by identifying the areas in which there will be real progress to
>>>>>  >> discuss and/or others sufficiently critical to merit F2F time. Anyway,
if
>>>>>  >> you could give me suggestions as to what to schedule, I'd appreciate
>>>>> it.  I
>>>>>  >> need to get the agenda out ASAP.  Thank you.
>>>>>  >>
>>>>>  >> Noah
>>>>>  >>
>>>>>  >>
>>>>  >
>>>>  >
>>>  
>>>  
>>  
>>  
>>   
>
Attachments

application/pkcs7-signature attachment: smime.p7s
Received on Wednesday, 2 February 2011 14:19:46 UTC