- From: Malcolm Crompton <mcrompton@iispartners.com>
- Date: Thu, 21 Apr 2011 23:10:58 +1000
- To: "'Mark Lizar'" <info@smartspecies.com>, "'Karl Dubost'" <karld@opera.com>
- Cc: "'Rigo Wenning'" <rigo@w3.org>, <public-privacy@w3.org>
Just to push this debate one step further, we wrote papers in 2007 that pointed out that we are pushing the notice and consent model too hard. People have neither the time nor the inclination to read and make decisions on hundreds of notices a day. The original 'individual participation' principle has become a burden in too many cases, so that when it is really needed it is lost in the weeds of all the other decisions that an individual is asked to make about handling personal information.

The Centre for Information Policy Leadership was making this point even earlier. The US FTC has effectively now reached a similar conclusion.

The papers are online at the very bottom of the following page in the box titled 'Recommended Reading': http://www.openforum.com.au/Privacy_and_Trust. See particularly the "Working Paper" for a possible way forward to overcome the problem.

Malcolm Crompton
Managing Director
Information Integrity Solutions Pty Ltd
ABN 78 107 611 898
T: +61 407 014 450
MCrompton@iispartners.com
www.iispartners.com

-----Original Message-----
From: public-privacy-request@w3.org [mailto:public-privacy-request@w3.org] On Behalf Of Mark Lizar
Sent: Thursday, 21 April 2011 10:43 PM
To: Karl Dubost
Cc: Rigo Wenning; public-privacy@w3.org
Subject: Re: policy infrastructure Re: oo.apple.com

On 21 Apr 2011, at 12:56, Karl Dubost wrote:

> Mark,
>
> a few questions to better understand what you are suggesting.
>
> On 21 Apr 2011, at 07:29, Mark Lizar wrote:
>> At this time, all of the policies and notices are ad-hoc,
>> un-standardised, which means that they are not useful in comparison
>> from service to service.
>
> How would you make explicit the elements of the policy?

Elements of a policy are already explicit in data protection legislation globally. In fact Notice is the only consistent regulation across all major regulating jurisdictions. These elements are further defined in each regulation but almost always include basic legally required notice elements like: purpose specification, use limitation, contact information, third parties that interact with the limited use of the information, etc.

> What are the differences in your suggestion from P3P?
> http://www.w3.org/TR/P3P11/#Introduction

P3P was designed to make machine readable privacy preferences. This is about discovering and finding access to notices that are already legally required to be as open as possible to compare with something like privacy preferences. The reason I believe P3P struggled is that there is a lack of standard notices for P3P to hook into.

>
>> In fact without a standard in notice, there is no simple way for
>> people to see what kind of control they have over information when
>> interacting online.
>
> How would you like the policies (legalese) to be changed as controls
> (actions/preferences)?

Well, for example a simple standard may just have a file with fields to accommodate links to policy components. A notice's metadata could provide transparency over its components. Links can provide access in a standard way to layers of policy.

>
>> A standard in notice would provide a way for notice to be viewed on
>> aggregate for a clear and dynamic picture of policy.
>
> There are at least 4 parts it seems in what you are mentioning
>
> 1. The description of the policy (markup)
> 2. The notification of changes (protocol)
> 3. Knowing what has changed
>    See http://www.goodiff.org/
> 4. The visualization of policies and their changes (design/UX)
>    See the work http://www.azarask.in/blog/post/privacy-icons/
> 5. Access to bits of the policy (api)

Perhaps P3P, POWDER, XACML, ORDL, ACAP, RIF, etc. can be used easily with a simple standard to unite such efforts?

>
> If I understood what you are describing, what kind of issues would
> it solve?

Well, this potentially solves many issues. The primary focus should be accessibility and internationalisation of notice information, e.g. the ability for a device to automatically parse location-based notices to provide notice information in different formats or languages. Although I imagine that a simple standard would have an immense impact on privacy, trust, security and economic performance of service information that Enterprises try to deliver.

>
> --
> Karl Dubost - http://dev.opera.com/
> Developer Relations & Tools, Opera Software
>

Received on Thursday, 21 April 2011 13:13:08 UTC