Re: IETF RAI and APP concerns about location privacy from Rigo Wenning on 2009-04-23 (public-ietf-w3c@w3.org from April 2009)

From: Rigo Wenning <rigo@w3.org>
Date: Thu, 23 Apr 2009 09:38:16 +0200
To: "Larry Masinter" <LMM@acm.org>
Cc: "'Matt Womer'" <mdw@w3.org>, jon.peterson@neustar.biz, rai-ads@tools.ietf.org, app-ads@tools.ietf.org, "Richard Barnes" <rbarnes@bbn.com>, rjs@nostrum.com, public-ietf-w3c@w3.org, "Lars Erik Bolstad" <lbolstad@opera.com>, "Angel \(amachin\) Machin" <angel.machin@vodafone.com>, Thomas Roessler <tlr@w3.org>
Message-Id: <200904230938.21091.rigo@w3.org>

Hi Larry, 

also speaking for myself with the experience as staff contact of the 
P3P working group:

On Thursday 23 April 2009, Larry Masinter wrote:
> (speaking for myself):
>
> Site-level privacy policies ( as proposed in the W3C
> GeoLocation group) leave users with the choice of
> not trusting a site for anything (and thus not being
> able to take advantage of needed services) or trusting
> a site for everything.

As you know, W3C/ERCIM is part of the Primelife Identity Management 
research project[1] to bring privacy to Identity Management. Thomas 
Roessler and I have some suggestions in the pipeline and we'll see how 
far we would get with them. If Geolocation can carry a URI, the issue 
of domain-specific privacy settings might be remedied. But it will 
depend on the Geolocation group whether they accept this or not.
>
> Perhaps this is in the interest of dominant search-engine
> providers and their mobile handset partners, because
> most users will give up privacy and their demographic
> information in exchange for valuable services. The
> IETF GeoPriv policies are probably harder to implement,
> too. Standards venue shopping, perhaps?

I don't think there is a particular interest. I think this is just the 
malaise with nearly all privacy tools. They seem to be in the 
competing mood while there is no competition in this area. It is quite 
usual that things are done without doing the proper networking. On 
other occasions, despite loud lip service, privacy is just an 
annoyance that has to be tackled the cheapest way possible. Sometimes 
there are politics involved to influence governmental regulation 
power.
>
> But there can't be one answer for the IETF and
> another answer for W3C. I think the liaison work
> should have been done much earlier.

PLING[2] has already found that there are more than 20 policy 
languages waiting for adoption. PLING was set up as a platform to help 
with the coordination in the policy area. We will try to make it work. 
There is someone from Geopriv in PLING, but not from Geolocation 
AFAIK.
>
> I made several personal appeals for the GeoLocation group
> to start with GeoPriv working group specifications, which
> were ignored.

Oh, we did that too. The P3P WG made nice appeals to the Geopriv WG 
back in 2002 and 2003 and we were just not heard. So it seems this has 
some tradition. P3P asked browsers to implement P3P and they just 
preferred to implement proprietary cookie-blocking tools. Geopriv is a 
complex protocol, pretty heavy to implement IMHO. I think they face 
the same reaction as P3P did 5 years ago[3]. So lets perhaps start 
featherweight to get at least a tiny bit of privacy tools implemented. 
The issue with privacy tools IMHO is that everybody makes marketing 
noise about privacy, but if it comes to real work, the room is empty. 
As an exception, Microsoft deserves some special attention here as 
they implemented parts of P3P and did stand a lot of heat for it. This 
has created the distinction between first party and third party 
cookies.
>
> So the fact that the GeoLocation group members have
> "not thus far been persuaded" should hold no weight:
> of course they're not persuaded, they'd already made
> up their minds when the group was chartered.

I don't think so. The motivation of Geopriv to ignore P3P was that it 
seemed not to fit into their model and not to be in their core 
interest. At that point in time, the P3P WG did not manage to persuade 
Geopriv. For Geolocation, it seems that there are implemented 
solutions that the Group doesn't want to break. And it seems that in 
their opinion geopriv doesn't do the best job if one compares effort 
and results. Been there, done that[3]

Geolocation talked already a lot about geopriv and found a conclusion. 
At least one can't say that Geopriv was ignored. There was a decision 
against it AFAIK. So let's find the reasons and see if things can be 
adapted or if this is just another case of specification darwinism. 

1.http://www.primelife.eu/
2.http://www.w3.org/Policy/pling/
3.https://bugzilla.mozilla.org/show_bug.cgi?id=62453

Best, 

Rigo Wenning
(with W3C Privacy Activity Lead hat on)

Received on Thursday, 23 April 2009 07:40:05 UTC