achieving adoption of privacy practices

On today's PING call we mentioned that it is sometimes difficult to get specification groups to devote the time and resources to performing privacy assessments and that some flexibility is required.

In the course of chairing DAP I've observed that the specification process includes two groups that are not always the same (but with some overlap):

1. The working group producing the specification

2. Implementers and adopters of the specification.

In order to advance a specification to standard, some number of implementers will need to participate in interoperability testing to advance beyond CR, but the exact criteria are decided by the working group (e.g. the number of implementations, the degree of testing, etc.).

I've also observed (and contributed this as a position paper in one of the earlier W3C privacy workshops) that specifications tend to cover only a portion of an overall system, being a component or module that can be composed into a variety of larger systems. Usually data retention, etc., may be relevant in that larger system, for example. This can make it hard or impossible for a working group to perform much of an assessment, depending on the size and complexity of the individual specification.

Frank mentioned incentives for performing assessments. It seems these often directly apply to organizations creating complete systems for a business purpose.

Thus, while it is valuable and important for working groups to note privacy considerations, often the implementers are the ones that are in the best position to consider an entire system and have the incentives to perform the assessment work.

For this reason I think we can expect to see informative notes in specifications (referring to an earlier email from Nick) as implementers expect latitude based on the overall system.

As a concrete proposal, from a W3C perspective I wonder whether we should encourage implementers to share privacy assessment information before exiting CR, similar to sharing interop results?

regards, Frederick

Frederick Hirsch
Nokia

Received on Thursday, 11 July 2013 18:20:08 UTC