- From: Tschofenig, Hannes (NSN - FI/Espoo) <hannes.tschofenig@nsn.com>
- Date: Fri, 13 Aug 2010 13:21:41 +0300
- To: "ext Thomas Roessler" <tlr@w3.org>
- Cc: <public-privacy@w3.org>
- Message-ID: <3D3C75174CB95F42AD6BCC56E5555B4502E9BE97@FIESEXC015.nsn-intra.net>
Hi Thomas,

a few notes below...

________________________________

From: ext Thomas Roessler [mailto:tlr@w3.org]
Sent: Friday, August 13, 2010 12:53 PM
To: Tschofenig, Hannes (NSN - FI/Espoo)
Cc: Thomas Roessler; public-privacy@w3.org
Subject: Re: W3C Workshop Agreement?

On 13 Aug 2010, at 10:48, Tschofenig, Hannes (NSN - FI/Espoo) wrote:

Hi all,

In the tentative writeup of the workshop it says:

"The two practical proposals that drew most interest and discussions were the Mozilla privacy icon approach and CDT's privacy rule-set idea. Both also drew significant questions about their practical viability and deployability; yet, further investigation and experimentation with both approaches seems worthwhile."

I think it should rather say that we should be honest and write:

"The two practical proposals that drew most interest and discussions were the Mozilla privacy icon approach and CDT's privacy rule-set idea. Both also drew significant questions from the side of browser vendors and big Web service providers about their practical viability and deployability; yet, further investigation and experimentation with both approaches seems worthwhile."

We could even mention the names of the persons / companies to make it more clear.

Well, there were two sets of reservations:

- Folks from various vendors saying they didn't really think they'd implement those proposals.

I would call NSN a vendor and we are very interested in implementing and providing privacy based capabilities to our customers. Hence, you cannot say "vendors" here but rather to those persons at the workshop, such as Ian, David, etc. I assume they speak with their company hat but I am not sure.

- People with various backgrounds questioning whether either Web services or browser vendors would have incentives to deploy a particular technology.
The very negative reaction from the previous set of people was obviously noticed by others in the room and hence everyone else was indeed wondering what would make these guys change their mind. People in the room very well understood that some companies have a business model that is based on collecting information and enhancing privacy capabilities seems to be in conflict with their business model.

For example, I don't think Deirdre counts as "the side of browser vendors and big Web service providers." I do think, though, that her remarks about lawyers' tendency to write ambiguous text, and the fundamental incompatibility of that with some of the privacy policy notions, is a valid reservation about the privacy icons work.

She is aware of how the industry works and is not too shy to say it. I did not get the impression that she argued against developing better ways for presenting privacy policies on the Internet.

What we could say is that the questions were about the practical viability and likelihood of implementation in both Web browsers and by Web service providers, or some such. What do you think?

I tend to think that the core problem is with the incentives rather than with the technical aspects. Sure, there are challenges (like with any technology) but those are typically (for engineers) solvable. Here, the arguments about the implementation and user interface aspects are just claims to hide the real problem that people see, namely "why should I do this when it could hurt my business".

Furthermore, I was wondering about this statement:

"There was widespread agreement that further community-building work on best practices both for specification writers and implementers, and systematic privacy review of W3C specifications would be useful."

Was there really such an agreement? I recall that certain people said that it would have been nice to provide some implementation hints/user interface aspects into the geolocation specification.
However, the same people were previously arguing exactly against including such text into the spec at the time when the spec was written. I don't recall anyone who had argued that there should be a systematic privacy review of W3C specifications, particularly not the guys (browser vendors & big Web service providers) who largely argued against any technical privacy mechanisms in the geolocation / Device API specs. If you take a look at the geolocation API spec today then you will see that there is very little in there about privacy. So, I am not sure where this widespread agreement has come from (given that I was at the workshop).

I remember repeated discussion of privacy considerations and not much opposition against those. That's what I meant by "agreement." If I'm overstating what I thought I heard, I'd be happy to correct this.

I noticed that many people used the term "privacy considerations", including myself, but nobody really described what they mean by that. I can tell you what I have in mind. We in the IAB are working on a document that provides the counterpart of the "Guidelines for Writing RFC Text on Security Considerations" (RFC 3552) but for privacy. I have, for example, no idea what Pat Walshe meant with privacy guidelines when he mentioned it. I also have no idea what this means for the W3C either. In my presentation I had also highlighted that such a document needs to come with the right organization structure. Without going into details I fear (from my experience) that most organizations do not have the right structure.

Your point that this abstract notion seems possibly inconsistent with actual behavior in current WGs is well-taken. I'd be willing to leave that apparent contradiction in the report, though, since I think it reflects what we're actually seeing.

My concern was that there are very academic activities started that may give the outside world the impression that the W3C actually cares about privacy.
For example, there is already the PLING working group established in response to a privacy policy workshop a few years ago. However, in reality you can discuss some academic publications in such a venue but when it comes to the real stuff any commitment to deal with privacy quickly vanishes. In essence what is then left is a nice Chit Chat Club where people cross post all sorts of articles (typically without indicating their own opinion or even without having read it themselves). While it seems to be worthwhile to have those we unfortunately already have many of them and they all tend to have one property in common -- they are unable to capture a summary of discussions.

Ciao
Hannes

Received on Friday, 13 August 2010 10:22:23 UTC