Re: simple, standardized privacy policy discovery from Mark Lizar on 2013-08-20 (public-privacy@w3.org from July to September 2013)

From: Mark Lizar <mark.lizar@gmail.com>
Date: Tue, 20 Aug 2013 08:13:53 +0100
To: opennotice@googlegroups.com
Cc: Jim Hudson <public-privacy@w3.org>
Message-Id: <CDCEAD62-5866-41F7-A4F5-F14D65441417@gmail.com>
Thanks Nick for bringing this up, 

 This is a key issue for Open Notice and something I hope that can be either added to the new Consent Tag Specification effort or, add to another standards track. 

We brought this issue up at the W3C Do Not Track conference last year  in the paper we submitted.  

The paper claims that policies, both terms and privacy need to be systematically usable and automatically findable. We definitely need to have a  standard way for  policies to be found and systematically used. 

ISOC paid me for a paper about 3 years ago on this topic, this is the first time I came across this issue. Thanks to Trent Adams.

I was supporting option 4 at the time.  But, #3 "Link Relations" registry seems like an excellent way forward. 

The flexibility is needed and perhaps other required policies should be added, e.g. cookie policies. 

Is this something the Privacy group can push forward at W3C? 

Best Regards, 

Mark


On 20 Aug 2013, at 03:17, Nick Doty <npdoty@gmail.com> wrote:

> Hi Open Notice folks,
> 
> I know we've tended to talk about deeper in the stack than just finding privacy policies on a Web page, but I thought this might be a very small piece that's still worth discussing. Based on what I've heard from, for example, people working on Tosback, just finding the text can be non-trivial, even though it should be simple.
> 
> If you have had this problem, would the Link relation help? Or do you know of other solutions that I haven't listed?
> 
> (I would have CCed this mailing list, but I can't send to it except with this @gmail account. Feel free to reply here if you want to discuss just with OpenNotice, or on public-privacy if you want to discuss with the W3C community. You can follow the Archived-At link to find the Web archive of this message, and that has a link to reply even if you're not currently subscribed to public-privacy@w3.org.)
> 
> Thanks,
> Nick
> 
> Begin forwarded message:
> 
>> Resent-From: public-privacy@w3.org
>> From: Nicholas Doty <npdoty@w3.org>
>> Subject: simple, standardized privacy policy discovery
>> Date: August 19, 2013 7:08:10 PM PDT
>> To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
>> Cc: akmassey@gatech.edu, jasnell@gmail.com
>> Archived-At: <http://www.w3.org/mid/44DDA40C-999B-4647-92D5-37D7E96E9701@w3.org>
>> 
>> The difficulties in finding privacy policies for Web sites are occasionally mentioned. I've heard this raised as an issue for:
>> * end users, who may not want to dig around for a privacy policy link on a Web page
>> * end users on mobile devices, for whom finding and following links can be particularly difficult
>> * researchers, who might be crawling or analyzing privacy policies to study en masse
>> * civil society, who may want to provide automated comparison, versioning or analysis of privacy policies
>> 
>> While discovery of a human-readable privacy policy is a very limited part of the general problems our industry has encountered with long-form privacy policies on the Web, standardized discovery protocols would contribute to a variety of use cases and could facilitate some larger scale solutions (short notices, privacy icons, registries, etc.).
>> 
>> I don't claim to know every proposal in this area, but here are a few that address the very specific question of discovery of human-readable privacy policies that apply to a particular Web page. (Apologies if I'm repeating an incomplete collection that has already been gathered somewhere else.)
>> 
>> 1. P3P discuri attribute  
>>  http://www.w3.org/TR/P3P/#POLICY
>> A mandatory discuri on every <policy> element in an XML P3P policy gave a full URI for a human-readable version of the privacy policy. This is implemented now, for example, by Yahoo! and Microsoft. P3P policies are discoverable in a defined way (well-known URI, Link header, link tag) and then the <policy> element can be parsed to find the human-readable version.
>> 
>> 2. DNT Tracking Status Resource   
>>  http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#status-resource
>> An optional element of a site-wide tracking status resource (itself discovered through a well-known URI or response header) is a JSON policy field which points to a human-readable policy, though this is suggested to be specific to the kind of tracking relevant to a DNT preference. That document is currently a draft and I don't know offhand of any in-the-wild implementations of this section.
>> 
>> 3. A "privacy-policy" or "terms-of-service" Link relation    
>>  http://tools.ietf.org/html/rfc6903
>> RFC 6903 defines privacy-policy and terms-of-service as relations of links, to be used either inline in HTML or as a Link HTTP header. The RFC was published (Informational) just this March. (I also see some earlier suggestions, not widely pursued, for rel="privacy", but I don't see any problem with the longer form.)
>> 
>> 4. policies.txt     
>>  https://www.sixlines.org/2013/08/19/policiestxt.html
>> Most recently, I saw this brought up by Aaron Massey, who suggests a policies.txt file in a well-known location, similar to the widely used robots.txt protocol and the informal humans.txt analog.
>> 
>> Personally, I think the Link relation (#3) is both flexible and very easy to implement. IETF published the documentation as an informational draft, and I'm not sure the history there or why it wasn't pursued on the standards track. Sites that have different privacy policies for different URLs can implement it through different link tags in the heads of documents. Very small sites can just add rel="privacy-policy" to a plain old anchor tag. And hey, it works for terms-of-service too.
>> 
>> Questions for you all:
>> * Would you find standardization/use of this valuable?
>> * Is there any standardization necessary beyond the informational Link relation definition? If so, what features would you want to see?
>> * Would you be willing to implement it, or what would be needed to encourage implementation?
>> 
>> Thanks,
>> Nick
>> 
>> CC Aaron Massey, who brought this up on Twitter/his blog, Jason Snell who authored the Link relation proposal. I'm also sharing this with the Open Notice group who have been talking about related standardization efforts.
> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups "open notice" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to opennotice+unsubscribe@googlegroups.com.
> To post to this group, send email to opennotice@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/opennotice/CCDCAC74-4FF0-481E-8B8D-0E7416D18068%40gmail.com.
> For more options, visit https://groups.google.com/groups/opt_out.
Received on Tuesday, 20 August 2013 07:14:50 UTC