Re: Opening UP Notice: A structure to apply policy infrastructure Re: oo.apple.com

Thanks Rigo,

Great reference doc... And yes!  A standard that is simple to use..   
Which is not necessarily simple to design.

An approach to reducing notices and increasing their meaning may be to  
enhance existing notice practices to reduce the amount of notices  
pushed to people by enabling the pulling of notices or/and notice  
components. Perhaps a different approach and a broader perspective to  
a notice standard than P3P taxonomy or Data Types in Dave's paper.   
Clearly a common notice structure for Enterprise notices is needed  
that can be structured so that the legal components can be  measured  
and also be audited by individuals.  Producing notice metrics based  
not only on counting the notice components but also measuring the  
performance and veracity of Enterprise data practices.  Producing  
notice metrics and meta-data that can be called by context to provide  
an aggregate understanding of information at any time in an individual's  
web session, so as to provide a structure for more dynamic and  
granular control.

For instance - Do-Not-Track --> an individual can click a do-not-track  
option and then pull a notice that the Enterprise has acquiesced  
to the request not to be tracked.  This sort of system can be used as  
a way to structure public auditing and regulate participation.

I imagine a system of this nature where instead of having to read  
policies, notices can be layered so that a person can get an immediate  
visual/iconic view of aggregate notices in context via notice  
meta-data.  (Perhaps by mode of control or governance) An information  
structure that can drill down into the notice via layers, like  
priv-icons, then privacy labels, then compact privacy policies etc.

Unlike P3P and the administration of preferences, this suggestion is  
more along the lines of measuring Enterprise compliance to law and  
legal practices so as to facilitate interaction with those practices.   
Describing an infrastructure upon which something like P3P can be  
effective in asserting preferences across.  Fundamentally suggesting  
Enterprise put all of their open notices and signs online in a  
standard way as a matter of best practice to extend the openness of  
Notices for digital use.  Raising the minimum usability of a notice by  
placing it in a standard place online for needed accessibility that is  
proportional to the practices of digital data gathering.  This  
standard could include everything from building signs to surveillance  
notices, to notices about privacy policies and the like.  This way any  
applications, webservice, product, etc can call notice information  
according to context.   Not only according to privacy preferences,  
which people don't necessarily know or understand. (without the right  
tools and common structure)

The theory being that a common Enterprise notice infrastructure that  
is first accessible and available online can be measured and parsed to  
be publicly accountable.  Delivering standard structure and metrics  
for the performance of an Enterprise in contrast to their notice and  
designed to develop uniform enforceability across and within  
jurisdictions to data protection regulation. (and privacy best  
practices) (GAPP)

Perhaps also providing a way to harmonize regulatory policy, and  
notice taxonomies. Producing a path for accountability for any type of  
application product and service especially privacy and informed  
consent applications.  Introducing the concept of a mechanism that can  
be called at any time to produce an aggregate visual view of  
information control for the web service User that is layered.

Hope this helps introduce the difference in approach and how this may  
interact with P3P.

Best Regards,

Mark



On 21 Apr 2011, at 20:22, Rigo Wenning wrote:

> Dave Raggett had written down something along those lines for the
> Workshop on Privacy and data usage control:
> http://www.w3.org/2010/09/raggett-fresh-take-on-p3p/
>
> I was impressed by the potential of his approach, which would even
> work for DAP. Mainly he throws away the things in P3P that were too
> much overhead and keeps the things of P3P we still use today. Even the
> PrimeLife project did not need additional semantics.
>
> But one thing is a conviction after PrimeLife and XACML policies. If
> this would have to work on the web platform we are building, it must
> be dirt simple. PrimeLife's XACML approach works in heavily engineered
> intranets of large companies, but isn't ready for web scale [1]
>
> If we would have some mechanism to trigger notifications, that would
> be a big step forward. But I also follow concerns from others that we
> should not succumb to the creation of an avalanche of notifications.
>
> Producing simple solutions isn't simple at all!
>
> Best,
>
> Rigo
>
>
> On Thursday 21 April 2011 18:27:59 Mark Lizar wrote:
>> Yes.. It seems all conversations in this area come back to the FTC's
>> most fundamental (and first) principle ..  Notice
>>
>> so..
>>
>> Is the question how to go about developing something like P3P but
>> on a broader scale for notification in general?
>>
>> Malcolm's paper raises the issues:
>>
>> "A better approach would be one where individuals have more ‘real’
>> control.  This could be
>> by better means of providing notice or by setting stricter rules.
>> Another option would be to
>> support notice/use limitation approaches by providing better
>> mechanisms to assure
>> individuals that their personal information is under control (while
>> still allowing direct
>> control where this is practicable and where individuals wish to
>> exercise it) for example by:
>> • providing for adaptable information handling standards that could
>> respond more
>> specifically to culture and context;
>> • more robust transparency requirements for organisations;
>> • compliance audits published in certain circumstances; and/or
>> • risk/incentive frameworks to get information handling right."
>>
>> Another approach may be to open notification of public notices to a
>> standard, and to open consent as a specific breed of bilateral notice
>> standard so that these are functions that are external from
>> Enterprise.  Right now these two functions are performed by each
>> enterprise and notice and consent are not systematically accessible.
>> It is clear that a standard is specifically needed for consent
>> status.   Without a dramatic increase in accessibility to notices it
>> is very difficult to develop solutions like Do-Not-Track that work or
>> provide clarity of control.  This is what I believe to be causing
>> notification to be such a burden, and as Apple is realising, causing
>> so much friction with Customers..
>>
>> Rather than asserting some privacy principles are doing too much I
>> would suggest that for the first time we can look at enhancing the
>> static notification infrastructure that exists on and off line.
>> Suggesting something along the lines of a simple  digital/online
>> notice standard providing a common notice location and focusing on
>> structuring notices for accessibility first.
>>
>> In response to the requirement for assurance metrics and audits.
>> Include something like a common versioning process for logging
>> notices and Online notices can be used as the top layer of an audit
>> log for consent and control of information policy online.
>>
>> The idea of a privacy risk rating system is great and I think would
>> be much easier to create with an open notice standard.  Although I
>> think it is a larger than privacy issue.
>>
>>

Received on Friday, 22 April 2011 12:05:42 UTC