W3C TAG position on policy mechanisms for Web APIs and Services

To: The W3C Device APIs and Policy Working Group

The W3C Policy Languages Interest Group maintains a Wiki [1] which 
contains real-world cases where personal information has been compromised 
due to inadequate policy or poor/nonexistent enforcement. One of these 
cases describes how Virgin Mobile used photos that it found on Flickr in a 
national advertising program.  The photos appeared on large billboards, 
much to the surprise of the owner and the subject. 

In the public mind, issues related to the management and protection of 
user information in Web Applications, Device access over the Web and 
Services provided over the Web loom large and must be addressed.  The TAG, 
therefore, urges working groups working in these areas to include in their 
architectures the ability to communicate policy information so that it can 
be used to determine correct access to and retention of user data and 
resources. Addressing these concerns should be a requirement, although the 
details of how they are addressed may vary by application. For example, a 
working group might provide mechanisms for including policy information in 
API calls in a flexible manner, perhaps by using some more generalized 
extensibility mechanism. 

We note that there has been some dialog in this area.  In particular, the 
IETF GeoPriv Working Group has requested [2] the W3C Geolocation Working 
Group to add additional support for user privacy. There is a discussion 
thread on this subject on the Geolocation Mailing list [3]. 

Thank you very much. 

Noah Mendelsohn 
For the W3C Technical Architecture Group 

[1] http://www.w3.org/Policy/pling/wiki/InterestingCases 

P.S. Tracker:  this should fulfill TAG ACTION-318

Noah Mendelsohn 
IBM Corporation
One Rogers Street
Cambridge, MA 02142

Received on Friday, 4 December 2009 15:32:01 UTC