Re: new Privacy Best Practices draft

On 05/07/11 22:15, Frederick.Hirsch@nokia.com wrote:
> I have created an initial draft of a Privacy Best Practices document for service providers.
>
> see http://dev.w3.org/2009/dap/privacy-practice

I think this is a great start, but believe that usability for effective 
privacy is really challenging. The European Commission VP for the 
Digital Agenda, Neelie Kroes, eloquently describes three principles for 
privacy: transparency, fairness and user control, see:

http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/11/461

To which I would add usability. Transparency is about being able to 
understand what a website (and its third parties) wants to do and why. 
Fairness is about not being arm-twisted into a one-sided agreement that 
meets the interest of big business at the expense of end users. User 
control is being able to review and revoke earlier decisions.

You have touched upon transparency in the current draft, but I believe 
it should go further and set expectations that users be given clear 
information on what information is collected, what purposes it will be 
used for, how long it will be retained, and who it may be shared 
with, and under what conditions.  Usability studies have shown that many 
users are keen to get quickly to the task in hand, and click through any 
requests.  One means to address that is to enable scrutiny by trusted 
third parties or perhaps wisdom of crowds (or even just your friends). 
This allows the UI to silently proceed with implicit consent unless the 
third party opinion is that doing so would harm the user's interest. In 
any case the application should make it easy for the user to later 
review the agreement with the website and revoke earlier decisions as 
appropriate.

Popping up a dialog and asking the user to click to indicate consent 
isn't ideal. In some cases the user interaction with an application can 
be taken as implicit consent, e.g. clicking on a button to show pubs 
within 5 minutes' walk from my current location. The consent requires 
human interaction, and shouldn't be granted, say, by a simulated click via 
a script-generated event. The transparency of the button's label/icon in 
context isn't something an automated system can easily check. We thus 
need a way to enable third parties to review applications for adherence 
to best practices.

Anyway, this is just a glimpse at what we are starting to explore in the 
EU "webinos" research project which aims to develop an open source 
web-based platform for applications spanning mobile, tablet, desktop, 
home media (TV) and in-car infotainment head-units.  It will take us 
some time to conduct the exploration via implementation work and 
usability studies, but I look forward to providing further feedback as 
that work proceeds.

-- 
  Dave Raggett <dsr@w3.org>  http://www.w3.org/People/Raggett

Received on Friday, 8 July 2011 17:59:29 UTC
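
The points in the message above about stated terms, consent only through human interaction, and later review and revocation can be sketched as follows. This is an added example, not part of the original message or of any webinos or DAP code; `ConsentLedger`, `grantFromEvent` and the `terms` field names are hypothetical, and the user click is a constructed stand-in object.

```javascript
// Consent ledger (illustrative): records what the user agreed to, accepts a
// grant only from a genuine user interaction, and supports review and revoke.
class ConsentLedger {
  constructor() {
    this.grants = new Map(); // purpose id -> grant record
  }

  // Called from a UI event handler. `terms` states what is collected, why,
  // for how long, and who it is shared with (the transparency items).
  grantFromEvent(event, terms, now = Date.now()) {
    const required = ['data', 'purpose', 'retentionDays', 'sharedWith'];
    const missing = required.filter((k) => terms[k] === undefined);
    if (missing.length > 0) {
      return { granted: false, reason: 'incomplete terms: ' + missing.join(', ') };
    }
    // Event.isTrusted is false for events created or dispatched by script
    // (dispatchEvent, element.click()), so a simulated click grants nothing.
    if (!event || event.isTrusted !== true) {
      return { granted: false, reason: 'not a user-generated event' };
    }
    this.grants.set(terms.purpose, { ...terms, grantedAt: now, via: event.type });
    return { granted: true };
  }

  isAllowed(purpose) { return this.grants.has(purpose); }
  review() { return [...this.grants.values()]; }          // user control: review
  revoke(purpose) { return this.grants.delete(purpose); } // user control: revoke
}

function demo() {
  const ledger = new ConsentLedger();
  const terms = { data: 'current location', purpose: 'nearby-pubs',
                  retentionDays: 0, sharedWith: [] };

  // 1. A script-generated click: dispatched by code, so isTrusted is false.
  let scripted = null;
  const button = new EventTarget();
  button.addEventListener('click', (e) => { scripted = ledger.grantFromEvent(e, terms); });
  button.dispatchEvent(new Event('click'));

  // 2. Constructed stand-in for a click delivered by the browser after a real
  //    user action (in a page, script cannot set isTrusted on a real Event).
  const genuine = ledger.grantFromEvent({ type: 'click', isTrusted: true }, terms);

  const reviewed = ledger.review().length;
  ledger.revoke('nearby-pubs');
  return { scripted, genuine, reviewed, allowedAfterRevoke: ledger.isAllowed('nearby-pubs') };
}
```

The `isTrusted` check only establishes that the user agent generated the event; whether the button's label made the request clear is outside what this code can check.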