W3C home > Mailing lists > Public > public-geolocation@w3.org > October 2008

RE: wording for the privacy section

From: John Morris <jmorris@cdt.org>
Date: Fri, 31 Oct 2008 19:38:07 -0400
Message-Id: <a06240833c5312a4ed1d1@[10.0.1.31]>
To: Ian Hickson <ian@hixie.ch>, public-geolocation <public-geolocation@w3.org>
Cc: Alissa Cooper <acooper@cdt.org>

Ian,

Alissa responded to part of this message separately, and I have some 
comments below...

At 10:20 PM +0000 10/29/08, Ian Hickson wrote:
snip
>
>On Wed, 29 Oct 2008, John Morris wrote:
>  >
>  > In contrast, any approach that squarely confronts web developers with
>  > clear privacy expectations will lead some to focus on privacy, even if
>  > -- as you correctly note -- some will not.
>
>I posit that making the API callback include an object that purports to
>describe the user's privacy preferences (as Alissa suggests) will have an
>extremely minimal impact on authors in terms of making them aware of
>privacy, while having a disproportionally high cost on implementors in
>terms of exposing UI, implementing the callback object, and testing these,
>and a disportionally high *cost* on users, in terms of exposing them to an
>interface that they will not understand, and which will almost uniformly
>be ignored anyway.
>
>In fact, I would say that the net effect would be of taking an issue with
>a very well understood privacy model -- only let applications have access
>to your location information if you trust them, a privacy model that has
>worked very well for all private information up to this point -- and
>replacing it with a highly confusing model that will be ignored and that
>will thus disenfrachise users.

If you truly believe that the Internet privacy model "has worked very 
well for all private information up to this point," then we may just 
have to agree to disagree on that.  I think there is fairly broad 
consensus in the U.S. at least (and I am pretty sure in the E.U.) 
that privacy on the Internet has been a failure.  Indeed, your 
employer, FWIW, has taken a leading role in the industry in the U.S. 
in calling for new privacy laws to help address a range of serious 
privacy problems.  According to Google management, the consumer 
privacy situation is "uneven at best."  See, for example, 
http://googleblog.blogspot.com/2006/06/calling-for-federal-consumer-privacy.html 
(joining a broad effort led by CDT to enact new privacy laws).

What Google (and CDT) is calling for in the U.S. is what is called 
"baseline" privacy laws, which would be similar in effect to the 
European data directives on privacy.  And under both the E.U. model 
and the proposed U.S. model, web designers who ignore clear privacy 
directives (such as those expressed in Geopriv) will do so at their 
own peril.  In other words, initiatives like Geopriv are exactly the 
kinds of tools that the E.U. and proposed U.S. models are designed to 
help enforce.

Just because it has been the historic norm for most online developers 
to ignore privacy, that does not mean that this norm should continue. 
The IETF decided to break with the norm and to require that 
developers address privacy with regard to location information.  And 
now the W3C is working to restore the privacy-ignoring norm.

snip
>  > Moreover, if the W3C says to web developers, "you must appropriately
>>  handle privacy rules in order to claim compliance with our standard,"
>>  then I guarantee that at least some developers will address privacy when
>>  they otherwise would not have done so.
>
>If it makes 10 developers more aware of privacy, but makes 20 users less
>careful about disclosing information, then this is a net loss for users.

I predict a different result.  If the browsers build in a location 
privacy interface and use Geopriv to pass on users' expection of 
privacy to developers, and 10 developers honor privacy and others do 
not, then the user base will vote with their feet (and their blog 
posts, etc.) and will target more traffic to the 10 privacy-honoring 
developers.  Everyone wins.

But if developers can get their hand on location without any privacy 
rules, then it will be business as usual and there will be no 
improvement on the privacy front.

And wholly apart from the beneficial effect on developers, 
transmitting location privacy rules along with the location will be 
beneficial in terms of the risk of government surveillance of 
location information.  In the U.S., if there are clearly stated 
privacy expectations, then courts are far more likely to protect 
privacy.

>  > I am not expecting the law to enforce any technical specification, or
>>  any moral.  Instead, I am expecting the law to enforce an "expectation
>>  of privacy," which is something that the law does all the time.
>
>Expectation of privacy is a moral stance. (One I happen to strongly agree
>is important, but that doesn't mean it's not a moral stance.)

Privacy is a legal matter both the U.S. and the E.U.   That it is 
also a moral matter does not make it not a legal matter.  And 
technology directly affects legal matters (for better or worse) all 
the time.  With Geopriv, technology can facilitate a positive impact 
on a legal matter.

I appreciate that the idea that a technical standard can have a 
positive impact on a legal matter is alien to many engineers.  This 
precise question that we are discussing was a core topic of debate 
for about 18 months within the IETF in 2001 and 2002.  At the end of 
the day, that standards body decided that it would break from the 
privacy-ignoring norm and inject privacy into the technology.  I am 
optimistic that the W3C as a whole will reach the same conslusion.

snip
>  > Why are you so unwilling to explore the possibility of using Geopriv,
>>  and why are you so unwilling to try to improve the state of privacy --
>>  especially when the charter of this group mandates a "privacy sensitive"
>>  output.
>
>We believe privacy to be important; critical even. I believe that the
>current API stands a significantly better change of effectively protecting
>the user's privacy than a more fine-grained, more technology-based, and
>more complicated scheme such as Geopriv or ideas based on Geopriv.
>
>I put forward P3P as a classic example of how technology is a very bad
>vehicle for privacy concerns.

P3P was not a broad success, IMO, for two reasons:

(a) because the U.S. lacked a baseline privacy law that forced US 
companies to pay attention to privacy.  But now that Google (and 
Microsoft, Intel, Sun, Oracle, HP, and others -- see the link above) 
support such a law and the U.S. election promises a much more 
privacy-friendly government, I think things will change on this front.

(b) P3P allowed companies rather than users to set the privacy rules. 
Geopriv seeks to empower the users, and the laws will help to enforce 
that power.

I appreciate that what we are proposing will require more work to 
implement, but as I think Alissa has demonstated as a proof of 
concept, it will not be all that hard to do.  And, as I have 
previously noted, I do think that the W3C can benefit from the years 
of thinking about location conveyance that underlie the Geopriv spec.

John
Received on Friday, 31 October 2008 23:38:56 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:50:52 UTC