Re: simple, standardized privacy policy discovery

I don't have much time to participate here (or anywhere outside my standing commitments), but I'd like to volunteer a few things that I hope will be helpful.

1) The Web have a structural problem with client-server: it puts the user in a subordinate position by allocating primary responsibility for terms, conditions, policies and much else on the server side. This is at variance with the peer-to-peer, end-to-end architecture of the Net itself, and has turned the commercial surface of the Net into a feudal system: <http://www.wired.com/opinion/2012/11/feudal-security/>. This is also the situation that the commonterms.net paper <http://commonterms.net/walkerthesis.pdf> visits (nicely), and commonterms.net solutions address as well. Yet if we frame solutions within this lopsided system, which disempowers users by design, we've already lost. If we frame solutions at the deeper level of the Net's peer-to-peer geology, we'll be better off.

2) At ProjectVRM <http://projectvrm.org>, Customer Commons <http://customercommons.org>, the Personal Data Ecosystem Consortium <http://pde.cc> and other organizations, there is ongoing work toward solutions that start on the individual's side: solutions that make individuals equal in power to organizations, and able, for example, to present and arrive at simple agreements — and to express policies (e.g. Do Not Track) in a consistent way to all websites and providers of services. Customer Commons, for example, is working with the Cyberlaw Clinic at Harvard's Berkman Center on simple and straightforward terms and policies that individuals can assert, and can be agreed to at the machine as well as the human level. It would be good to coordinate around this work. For more background on this, see chapters 4 and 20 of The Intention Economy: <http://amzn.to/16vymjc>. I believe, by the way, that the work on discovery being proposed here can match up nicely with the work happening on the side of the individual.

3) Other .orgs, such as Mozilla, are also on the case. There is much we can do to not re-invent wheels that are already available at no cost in the world. One example: <http://hvrd.me/xgzDEw>. Another: <http://standardlabel.org>.

4) All of this will be on the table, and most of the entities listed above will be present, at the next IIW unconference, in October at the Computer History Museum in Mountain View. Mark has been to a number of these, and they keep getting better. This next one will be our 17th. More here: <http://www.internetidentityworkshop.com>. Hope to see you there.

Cheers,

Doc

On Aug 22, 2013, at 1:22 PM, Mark Lizar <info@smartspecies.com> wrote:

> Hannes, 
> 
> You definitely get right to the point!!  A point I agree with.  Enforcement is a critical component to motivate adoption as there are no (IMHO) other incentives that will move the market to compliance or enable people to control their own information Open Policies  or the management of consent.  
> 
> I think the questions is not whether or not it will happen, it is more, how will it happen and what will the impact of these changes will be?   Will it be a top down regulatory approach, or will it be a bottom up crowd sourced approach? Or will it be another?    Again, this is a very similar conversation we had about 5 years ago.
> 
> Great discussion, 
> 
> Mark
> 
> On 21 Aug 2013, at 09:30, Pär Lannerö <par.lannero@metamatrix.se> wrote:
> 
>> Thanks Hannes, your concerns are valid. However, there are plenty of legal incentives [1] and given a practical working solution, I am convinced we can awaken latent support for more transparency from both consumer groups and regulators. Such support, in turn, will make clarity and use of standard clauses a competitive adantage on the market.
>> 
>> Furthermore: one small step at a time - such as the standardization of how to locate policies discussed in this thread - can bring us closer to an improved situation!
>> 
>> Pär
>> 
>> [1] Innis Walker, 2013, Transparency-Enhancing Technology for Online Retailers, computers, consumers and consent
>> 
>> 
>> 
>> 
>> 0739442043
>> 
>> 21 aug 2013 kl. 09:49 skrev "Hannes Tschofenig" <hannes.tschofenig@gmx.net>:
>> 
>>> Technically all this sounds great.
>>> 
>>> Practically it seems to fail because companies don't seem to be very interested to make their privacy notices readable.
>>> 
>>> On the other hand if you look at many of the smart phone applications and the permissions they request then in some sense those are 'tiny versions' (although without shiny icons) of the longer privacy notices already.
>>> 
>>> Sorry to be pessimistic here but without a good understanding of the incentives for the different parties to change their behavior I fear that all these efforts will be dead on arrival.
>>> 
>>> On 08/21/2013 08:54 AM, Pär Lannerö wrote:
>>>> 20 aug 2013 kl. 21:58 skrev "David Singer" <singer@apple.com>:
>>>> 
>>>>> Yes.  One choice for each category would have to be 'custom' (we write our own), and a policy that has lots of 'custom' paragraphs would then be harder to understand.  They'd probably want an 'in addition' section, as well (things not covered by the standard categories).
>>>>> 
>>>>> The problem with the approach is the amount of work needed to get going.
>>>>> 
>>>>> 1) Assemble a reasonable corpus of privacy policies.
>>>>> 2) Chunk them up into sections, categorized by subject.
>>>>> 3) Find common themes, and so on, that the bulk of them are using; re-write those in 'common language', and form the set of 'standard clauses'.
>>>>> 4) Go back to the original corpus, and do the rewrite 'what-if': if the standard clauses exist, how could these policies be rewritten to use/refer-to them?
>>>>> 
>>>>> A lot of work.
>>>> 
>>>> 
>>>> Yes, but this is almost exactly what the CommonTerms project has been working on for the past few years. You may remember a brief discussion we had about this previously.
>>>> 
>>>> A huge amount of work remains to be done - not least by the lawyers needed to formulate and curate standard clauses - but now at least we have a working prototype infrastructure, including:
>>>> 
>>>> - a small corpus/database of privacy policies and TOS documents
>>>> - common themes/terms
>>>> - categorization by subject
>>>> - a tool that website owners can use to assemble their own policy based on common therms found in the corpus. And add custom ones, too.
>>>> - a draft uri scheme for common terms
>>>> - a draft presentation format for humans
>>>> - preliminary ideas about how to reference the policy documents on a website (much resembling the policies.txt proposal)
>>>> 
>>>> See http://CommonTerms.net for details.
>>>> 
>>>> Very recently we were granted additional funding from the Internet Infrastructure Foundation to be able to contribute the results of our work to a wider circle. Primarily we are expecting to cooperate within the OpenNotice group, but our results are CC licensed and we're open to collaboration with anybody.
>>>> 
>>>> Best regards
>>>> Pär Lannerö, CommonTerms project leader
>>>> 
>>>> 
>>>> 
>>>>> 
>>>>>> 
>>>>>> regards, Frederick
>>>>>> 
>>>>>> Frederick Hirsch
>>>>>> Nokia
>>>>>> 
>>>>>> [1] http://dev.w3.org/2009/dap/privacy-rulesets/
>>>>>> 
>>>>>> On Aug 20, 2013, at 12:31 PM, ext David Singer wrote:
>>>>>> 
>>>>>>> Thanks Nick
>>>>>>> 
>>>>>>> one idea that came up at a workshop was related to, and would support, Ashkan Solnati's privacys icons.  The idea was that some organization (e.g. the W3C) publish a set of sections of text that represent common statements on various aspects of privacy policy.  For example, there might be 3 alternative sections dealing with "disclosure to law-enforcement" -- Strict (we disclose only when legally mandated to do so), Moderate (we also disclose when we feel it would be best to do so), Lenient (we respond to all requests from law enforcement organizations).
>>>>>>> 
>>>>>>> The hope was that an organization could put together 90+% of their policy by reference.
>>>>>>> 
>>>>>>> "Our choices are:
>>>>>>> a) law-enforcement: W3C Strict
>>>>>>> b) Third-party: W3C affiliates-only
>>>>>>> c) …
>>>>>>> "
>>>>>>> 
>>>>>>> Whether this would fly I am not sure.  Given a limited set of choices in each category, comprehensibility for the end-user would rise (and icons might become possible, if combined with a well-known-resource of some type).
>>>>>>> 
>>>>>>> 
>>>>>>> On Aug 19, 2013, at 19:08 , Nicholas Doty <npdoty@w3.org> wrote:
>>>>>>> 
>>>>>>>> The difficulties in finding privacy policies for Web sites are occasionally mentioned. I've heard this raised as an issue for:
>>>>>>>> * end users, who may not want to dig around for a privacy policy link on a Web page
>>>>>>>> * end users on mobile devices, for whom finding and following links can be particularly difficult
>>>>>>>> * researchers, who might be crawling or analyzing privacy policies to study en masse
>>>>>>>> * civil society, who may want to provide automated comparison, versioning or analysis of privacy policies
>>>>>>>> 
>>>>>>>> While discovery of a human-readable privacy policy is a very limited part of the general problems our industry has encountered with long-form privacy policies on the Web, standardized discovery protocols would contribute to a variety of use cases and could facilitate some larger scale solutions (short notices, privacy icons, registries, etc.).
>>>>>>>> 
>>>>>>>> I don't claim to know every proposal in this area, but here are a few that address the very specific question of discovery of human-readable privacy policies that apply to a particular Web page. (Apologies if I'm repeating an incomplete collection that has already been gathered somewhere else.)
>>>>>>>> 
>>>>>>>> 1. P3P discuri attribute
>>>>>>>> http://www.w3.org/TR/P3P/#POLICY
>>>>>>>> A mandatory discuri on every <policy> element in an XML P3P policy gave a full URI for a human-readable version of the privacy policy. This is implemented now, for example, by Yahoo! and Microsoft. P3P policies are discoverable in a defined way (well-known URI, Link header, link tag) and then the <policy> element can be parsed to find the human-readable version.
>>>>>>>> 
>>>>>>>> 2. DNT Tracking Status Resource
>>>>>>>> http://www.w3.org/2011/tracking-protection/drafts/tracking-dnt.html#status-resource
>>>>>>>> An optional element of a site-wide tracking status resource (itself discovered through a well-known URI or response header) is a JSON policy field which points to a human-readable policy, though this is suggested to be specific to the kind of tracking relevant to a DNT preference. That document is currently a draft and I don't know offhand of any in-the-wild implementations of this section.
>>>>>>>> 
>>>>>>>> 3. A "privacy-policy" or "terms-of-service" Link relation
>>>>>>>> http://tools.ietf.org/html/rfc6903
>>>>>>>> RFC 6903 defines privacy-policy and terms-of-service as relations of links, to be used either inline in HTML or as a Link HTTP header. The RFC was published (Informational) just this March. (I also see some earlier suggestions, not widely pursued, for rel="privacy", but I don't see any problem with the longer form.)
>>>>>>>> 
>>>>>>>> 4. policies.txt
>>>>>>>> https://www.sixlines.org/2013/08/19/policiestxt.html
>>>>>>>> Most recently, I saw this brought up by Aaron Massey, who suggests a policies.txt file in a well-known location, similar to the widely used robots.txt protocol and the informal humans.txt analog.
>>>>>>>> 
>>>>>>>> Personally, I think the Link relation (#3) is both flexible and very easy to implement. IETF published the documentation as an informational draft, and I'm not sure the history there or why it wasn't pursued on the standards track. Sites that have different privacy policies for different URLs can implement it through different link tags in the heads of documents. Very small sites can just add rel="privacy-policy" to a plain old anchor tag. And hey, it works for terms-of-service too.
>>>>>>>> 
>>>>>>>> Questions for you all:
>>>>>>>> * Would you find standardization/use of this valuable?
>>>>>>>> * Is there any standardization necessary beyond the informational Link relation definition? If so, what features would you want to see?
>>>>>>>> * Would you be willing to implement it, or what would be needed to encourage implementation?
>>>>>>>> 
>>>>>>>> Thanks,
>>>>>>>> Nick
>>>>>>>> 
>>>>>>>> CC Aaron Massey, who brought this up on Twitter/his blog, Jason Snell who authored the Link relation proposal. I'm also sharing this with the Open Notice group who have been talking about related standardization efforts.
>>>>>>> 
>>>>>>> David Singer
>>>>>>> Multimedia and Software Standards, Apple Inc.
>>>>> 
>>>>> David Singer
>>>>> Multimedia and Software Standards, Apple Inc.
>>> 
>> 
> 
> 
>

Received on Sunday, 25 August 2013 18:01:04 UTC