Re: Opening UP Notice: policy infrastructure Re: oo.apple.com

Dave Raggett had written down something along those lines for the Workshop on 
Privacy and data usage control:
http://www.w3.org/2010/09/raggett-fresh-take-on-p3p/

I was impressed by the potential of his approach, which would even work for 
DAP. Mainly he throws away the things in P3P that were too much overhead and 
keeps the things of P3P we still use today. Even the PrimeLife project did not 
need additional semantics. 

But one thing is a conviction after PrimeLife and XACML policies. If this 
would have to work on the web platform we are building, it must be dirt 
simple. PrimeLife's XACML approach works in heavily engineered intranets of 
large companies, but isn't ready for web scale [1]

If we would have some mechanism to trigger notifications, that would be a big 
step forward. But I also follow concerns from others that we should not 
succumb to the creation of an avalanche of notifications. 

Producing simple solutions isn't simple at all!

Best, 

Rigo


On Thursday 21 April 2011 18:27:59 Mark Lizar wrote:
> Yes.. It seems all conversations in this area come back to the FTC's
> most fundamental (and first) principle ..  Notice
> 
>   so..
> 
> Is the question how to go about developing something like P3P but on a
> broader scale for notification in general?  .
> 
> Malcolm's paper raises the issues:
> 
> "A better approach would be one where individuals have more ‘real’
> control.  This could be
> by better means of providing notice or by setting stricter rules.
> Another option would be to
> support notice/use limitation approaches by providing better
> mechanisms to assure
> individuals that their personal information is under control (while
> still allowing direct
> control where this is practicable and where individuals wish to
> exercise it) for example by:
> • providing for adaptable information handling standards that could
> respond more
> specifically to culture and context;
> • more robust transparency requirements for organisations;
> • compliance audits published in certain circumstances; and/or
> • risk/incentive frameworks to get information handling right."
> 
> Another approach may be to open notification of public notices to a
> standard, and to open consent as a specific breed of bilateral notice
> standard so that these are functions that are external from
> Enterprise.  Right now these two functions are performed by each
> enterprise and notice and consent are not systematically accessible.
> It is clear that a standard is specifically needed for consent
> status.   With out a dramatic increase in accessibility to notices it
> is very difficult to develop solutions like Do-Not-Track that work or
> provide clarity of control.  This is what I believe to be causing
> notification to be such a burden, and as Apple is realising, causing
> so much friction with Customers..
> 
> Rather than asserting some privacy principles are doing too much I
> would suggest that for the first time we can look at enhancing the
> static notification infrastructure that exists on and off line.
> Suggesting something along the lines of a simple  digital/online
> notice standard providing a common notice location and focusing on
> structuring notices for accessibility first.
> 
> In response to the requirement for assurance metrics and audits .
> Include something like a common versioning process for logging notices
> and Online notices can be used as the top layer of an audit log for
> consent and control of information policy online.
> 
> The idea of a privacy risk rating system is great and I think would be
> much easier to create with an open notice standard.  Although I think
> it is a larger than privacy issue.
> 
> 

Received on Thursday, 21 April 2011 19:22:46 UTC