- From: Mark Lizar <info@smartspecies.com>
- Date: Fri, 22 Apr 2011 13:04:44 +0100
- To: Rigo Wenning <rigo@w3.org>
- Cc: public-privacy@w3.org
- Message-Id: <5965F2E3-BACF-4F6F-94E0-D8BC2218C284@smartspecies.com>
Thanks Rigo, Great reference doc... And yes! A standard that is simple to use.. Which is not necessarily simple to design. An approach to reducing notices and increasing there meaning may be to enhance existing notice practices to reduce the amount of notices pushed to people by enabling the pulling of notices or/and notice components. Perhaps a different approach and a broader perspective to a notice standard than P3P taxonomy or Data Types in Dave's paper. Clearly a common notice structure for Enterprise notices is needed that can be structured so that the legal components can be measured and also be audited by individuals. Producing notice metrics based not only on counting the notice components but also measuring the performance and veracity of Enterprise data practices. Producing notice metrics and meta-data that can be called by context to provide an aggregate understanding of information at anytime in an individuals web session, so as to provide a structure for more dynamic and granular control. For instance - Do-Not-Track --> an individual can click a -do-not- track option and then pull a notice that the Enterprise has acquiesced to the request not to be tracked. This sort of system can be used as a way to structure public auditing and regulate participation. I imagine a system of this nature where instead of having to read policies, notices can be layered so that a person can get an immediate visual/iconic view of aggregate notices in context via notice meta- data. (Perhaps by mode of control or governance) An information structure that can be drill down into the notice via layers, like priv- icons, then privacy labels, then compact privacy policies etc. Unlike P3P and the administration of preferences, this suggestion is more along the lines of measuring Enterprise compliance to law and legal practices so as to facilitate interaction with those practices. Describing an infrastructure upon which something like P3P can be effective in asserting preferences across. Fundamentally suggesting Enterprise put all of their open notices and signs online in a standard way as a matter of best practice to extend the openness of Notices for digital use. Raising the minimum usability of a notice by placing it in a standard place online for needed accessibility that is proportional to the practices of digital data gathering. This standard could include everything from building signs to surveillance notices, to notices about privacy policies and the like. This way any applications, webservice, product, etc can call notice information according to context. Not only according to privacy preferences, which people don't necessarily know or understand. (without the right tools and common structure) The theory being that a common Enterprise notice infrastructure that is first accessible and available online can be measured and parsed to be publicly accountable. Delivering standard structure and metrics for the performance of an Enterprise in contrast to their notice and designed to develop uniform enforceability across and with-in jurisdictions to data protection regulation. (and privacy best practices) (GAPP) Perhaps also providing a way to harmonize regulatory policy, and notice taxonomies. Producing a path for accountability for any type of application product and service especially privacy and informed consent applications. Introducing the concept of a mechanism that can be called at anytime to produce an aggregate visual view of information control for the web service User that is layered. Hope this helps introducd the difference in approach and how this may interact with P3P. Best Regards, Mark On 21 Apr 2011, at 20:22, Rigo Wenning wrote: > Dave Raggett had written down something along those lines for the > Workshop on > Privacy and data usage control: > http://www.w3.org/2010/09/raggett-fresh-take-on-p3p/ > > I was impressed by the potential of his approach, which would even > work for > DAP. Mainly he throws away the things in P3P that were too much > overhead and > keeps the things of P3P we still use today. Even the PrimeLife > project did not > need additional semantics. > > But one thing is a conviction after PrimeLife and XACML policies. If > this > would have to work on the web platform we are building, it must be > dirt > simple. PrimeLife's XACML approach works in heavily engineered > intranets of > large companies, but isn't ready for web scale [1] > > If we would have some mechanism to trigger notifications, that would > be a big > step forward. But I also follow concerns from others that we should > not > succumb to the creation of an avalanche of notifications. > > Producing simple solutions isn't simple at all! > > Best, > > Rigo > > > On Thursday 21 April 2011 18:27:59 Mark Lizar wrote: >> Yes.. It seems all conversations in this area come back to the FTC's >> most fundamental (and first) principle .. Notice >> >> so.. >> >> Is the question how to go about developing something like P3P but >> on a >> broader scale for notification in general? . >> >> Malcolm's paper raises the issues: >> >> "A better approach would be one where individuals have more real >> control. This could be >> by better means of providing notice or by setting stricter rules. >> Another option would be to >> support notice/use limitation approaches by providing better >> mechanisms to assure >> individuals that their personal information is under control (while >> still allowing direct >> control where this is practicable and where individuals wish to >> exercise it) for example by: >> providing for adaptable information handling standards that could >> respond more >> specifically to culture and context; >> more robust transparency requirements for organisations; >> compliance audits published in certain circumstances; and/or >> risk/incentive frameworks to get information handling right." >> >> Another approach may be to open notification of public notices to a >> standard, and to open consent as a specific breed of bilateral notice >> standard so that these are functions that are external from >> Enterprise. Right now these two functions are performed by each >> enterprise and notice and consent are not systematically accessible. >> It is clear that a standard is specifically needed for consent >> status. With out a dramatic increase in accessibility to notices it >> is very difficult to develop solutions like Do-Not-Track that work or >> provide clarity of control. This is what I believe to be causing >> notification to be such a burden, and as Apple is realising, causing >> so much friction with Customers.. >> >> Rather than asserting some privacy principles are doing too much I >> would suggest that for the first time we can look at enhancing the >> static notification infrastructure that exists on and off line. >> Suggesting something along the lines of a simple digital/online >> notice standard providing a common notice location and focusing on >> structuring notices for accessibility first. >> >> In response to the requirement for assurance metrics and audits . >> Include something like a common versioning process for logging >> notices >> and Online notices can be used as the top layer of an audit log for >> consent and control of information policy online. >> >> The idea of a privacy risk rating system is great and I think would >> be >> much easier to create with an open notice standard. Although I think >> it is a larger than privacy issue. >> >>
Received on Friday, 22 April 2011 12:05:42 UTC