W3C home > Mailing lists > Public > www-ws-arch@w3.org > March 2002

Re: WS Privacy [Was RE: Status of D-AG006]

From: Rigo Wenning <rigo@w3.org>
Date: Thu, 21 Mar 2002 13:11:31 +0100
To: Tim Coote <tim@coote.org>
Cc: Hugo Haas <hugo@w3.org>, www-ws-arch@w3.org
Message-ID: <20020321121131.GT2681@localhost>
On Wed, Mar 20, 2002 at 10:52:33PM -0000, Tim Coote wrote:
> Hullo
> 
> I'm not a lawyer, but for what it's worth, I'd get this reviewed by lawyers
> before setting it in stone. What I don't understand is which lawyers. I
> think that the UK Data Protection Act (the basis of EU legislation, I think)
> is quite good, but I have also heard of some draconian data
> protection/privacy issues in Germany. It would be daft to produce a standard
> that was immediately outlawed in key parts of the world.
> 
Hello, 

I think we should avoid FUD about privacy and look into to the real
challenges. What does privacy in the charter of WS really mean?

1/ Hooks for P3P
We should avoid to look into a specific law (like uk), as W3C has to
work globally. If we would implement, say french law or hungarian law,
we would still have a problem e.g. with US-law or australian law. I
would also like to remind, that W3C is issuing recommendations. They are
never mandatory. They will be used, because they are useful. This means,
we have not the same goal as a law here.

Therefor, we should avoid to make specific provisions about a specific
law or regulation system. Nevertheless, knowing all those rules can help us
specifying the hooks that developers of web services will need to comply
with the level of data protection in their respective countries.
(Yes, that works, e.g. P3P)

So I think one requirement would be to provide the hooks, so that
WS-Software can use P3P. SOAP has already done that. The challenge is to
identify, where the hook should sit and what it should do.

2/ Privacy by design
The discussion already mentioned, that for some data protection principles
it is simply impossible to hardcode them into a technology. This is
known. Some privacy (or better data protection) problems can't be solved
with technology. So I don't think, requiring privacy means, that WS has
to solve unsolvable problems.

But while designing technology, one has to keep privacy in mind. It is a
bit like I18N. It is a subject, which goes across WG boundaries. An
example can be given from HTTP. The so called "browser-chattering"
allows to get a lot of information about the user of a Web-site. A
technology could choose to avoid such chattering and only transmit the
information necessary in a certain context. 

Another example is unique-ID. Do we really need world uniqueID's for the
purpose or are they just an add on. These kind of questions has to be
discussed. Just think about the amount of problems, that a generated by
cookies. If cookies would have been designed with privacy in mind, they
would generate a lot less problems today.

3/ Privacy is broad and touches also security
Confidentiality is the subject, where privacy meets security. This
counts for access to data, but also encryption during transfer. There
are special provisions in the european data protection directive about
the security of transmission of personal data. 

Wouldn't it be much easier for companies to comply with this, if the
hooks were already prepared to plug a module, that does the required
security/confidentiality? But this needs an architecture, where one can
actually plug something in. While designing the architecture, we have to
think about where those things have to be pluggable.

4/ Privacy is not a one-shot issue
It will accompaign you during the whole period of development of WS.
Changes will raise new privacy challenges. They have to be solved.
Sometimes, it's simply a choice that has to be made...

IAL (I'm a lawyer ;)

-- 
Rigo Wenning            W3C/INRIA
Policy Analyst          Privacy Activity Lead
mail:rigo@w3.org        2004, Routes des Lucioles
http://www.w3.org/      F-06902 Sophia Antipolis
Received on Thursday, 21 March 2002 07:17:09 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 3 July 2007 12:24:56 GMT