Re: W3C Workshop Agreement?

On 13 Aug 2010, at 12:21, Tschofenig, Hannes (NSN - FI/Espoo) wrote:

>> Well, there were two sets of reservations:
>> - Folks from various vendors saying they didn't really think they'd implement those proposals. 

> I would call NSN a vendor and we are very interested in implementing and providing privacy based capabilities to our customers. Hence, you cannot say "vendors" here but rather to those persons at the workshop, such as Ian, David, etc. I assume they speak with their company hat but I am not sure.

>> - People with various backgrounds questioning whether either Web services or browser vendors would have incentives to deploy a particular technology.

> The very negative reaction from the previous set of people was obviously noticed by others in the room and hence everyone else was indeed wondering what would make these guys change their mind. People in the room very well understood that some companies have a business model that is based on collecting information and enhancing privacy capabilities seems to be in conflict with their business model.

So, here's what the summary currently says:

"The two practical proposals that drew most interest and discussions were the Mozilla privacy icon approach and CDT’s privacy rule-set idea. Both also drew significant questions about their practical viability and about the respective incentives for implementation by browser vendors and large Web properties. Yet, further investigation and experimentation with both approaches seems worthwhile."

Can you suggest additional changes?

>> For example, I don't think Deirdre counts as "the side of browser vendors and big Web service providers."  I do think, though, that her remarks about lawyers' tendency to write ambiguous text, and the fundamental incompatibility of that with some of the privacy policy notions, is a valid reservation about the privacy icons work. 

> She is aware of how the industry works and is not too shy to say it. I did not get the impression that she argued against developing better ways for presenting privacy policies on the Internet.

That's why the report says "drew questions." There's no claim here that asking questions about the viability is the equivalent of pushing back on useful privacy protection -- and, indeed, that wouldn't be true.

>> What we could say is that the questions were about the practical viability and likelihood of implementation in both Web browsers and by Web service providers, or some such. What do you think?

> I tend to think that the core problem is with the incentives rather than with the technical aspects.

Yes, absolutely.

> Sure, there are challenges (like with any technology) but those are typically (for engineers) solvable. Here, the arguments about the implementation and user interface aspects are just claims to hide the real problem that people see, namely "why should I do this when it could hurt my business".

You're suggesting a linkage between "would it be implemented" and "technical issues" that I don't see in the report. I've clarified further to say that the question is about incentives for implementation and deployment.

>> I remember repeated discussion of privacy considerations and not much opposition against those. That's what I meant by "agreement."  If I'm overstating what I thought I heard, I'd be happy to correct this.

> I noticed that many people used the term "privacy considerations", including myself, but nobody really described what they mean by that. I can tell you what I have in mind. We in the IAB are working on a document that provides the counterpart of the "Guidelines for Writing RFC Text on Security Considerations" (RFC 3552) but for privacy.

Right. But the fact that we don't have the framework in place quite yet shouldn't preclude us from capturing the workshop discussion.

(Meanwhile, I do think it would be useful to figure out what that privacy guidelines document could look like.)

Thomas Roessler, W3C (@roessler)

Received on Friday, 13 August 2010 10:54:34 UTC