- From: SULLIVAN, BRYAN L (ATTCINW) <BS3131@att.com>
- Date: Fri, 16 Jul 2010 03:54:53 -0700
- To: <public-device-apis@w3.org>
Here are the comments I made today during the discussion on privacy and policy:

My assessment of the group sentiment: If DAP doesn't define a default policy it will risk "breaking the web". But the definition of a least-restrictive default that loosens protections too much will likely raise objections. There is a tension between those two goals. The technical question is secondary, e.g. needing to include the rules as an HTTP header or use an intermediary negotiation protocol ala Powerbox.

There is no consensus in DAP that giving the user detailed control over privacy choices is a good thing, i.e. that it would be usable by users or would not "break the web" (i.e. cause features to stop working inadvertently and confusingly to the user, or diminish the effectiveness of some services such as search engines).

While there is no clear intent (yet) to do so, we will have issues if DAP takes the same approach with security, e.g. defines a set of security policies that are intended to be implemented uniformly across the world.

- In work outside W3C (e.g. BONDI) we specifically avoided defining a specific policy set (but did specify a framework for policy definition), since it was viewed as an unacceptable imposition on the marketplace and would require customization anyway for different markets and regulatory requirements.
- It is certainly good to seek consensus on a recommended default policy (or set of policies), but a normative requirement that they are fixed and not customizable would not be acceptable to us.

Whether the fixed privacy ruleset approach itself is workable for the network service provider community is TBD. Similar to security, there may be a need to be more flexible to support market/regulatory requirements.

Thanks,
Bryan Sullivan | AT&T
Received on Friday, 16 July 2010 10:55:35 UTC