Re: simple, standardized privacy policy discovery

This  is a great update on Notice discovery. 

I noticed in option 3 RFC - there is a note. 

Note that in the absence of clear legal obligations placed on an
   entity, either through contract or law, the presence of a "privacy-
   policy" link does not constitute a legally binding obligation on the
   part of the service.  The linked resource can only be interpreted as
   a description of the expected practice.

I would disagree that there is an absence of clear legal obligation.  

I have previously looked and produced a summary on openness and notice in regards to a privacy framework at Kantara both are required in principle  and law.   Yet there is no standard way to discover, parse, and structure notice links, (and therefore notices).  The result is that these policies are closed and the laws have not  previously been enacted or  enforced in a way that reflect the principles they are based on.   This expected to change with new laws currently under way around the world. 

For our purposes we are working on a Consent Tag specification to Open Notice and make them much more usable for contextual aware applications.  Our aim is to spec out a consent transaction receipt which, amongst other things, takes the links to policies and provides them as a links in a standard tag to the person provisioning consent.  

What is most desired is a standard. Is there a reason why the RFC 6903 was not on a standards track or taken further? 

It seems clear that standard and automatic discovery of policy is very important as a s systematic way to find, reference, and innovate policy expression  for context and I would argue is legally required for notices to be open. 

 Does anyone know of any additional policy discovery mechanisms than those listed by nick below?  Does anyone know of any policy discovery efforts for IOT? (or any other physical contexts)

 Thanks for this post Nick!! 

Kind Regards, 

Mark  Lizar

On 20 Aug 2013, at 03:08, Nicholas Doty <> wrote:

> The difficulties in finding privacy policies for Web sites are occasionally mentioned. I've heard this raised as an issue for:
> * end users, who may not want to dig around for a privacy policy link on a Web page
> * end users on mobile devices, for whom finding and following links can be particularly difficult
> * researchers, who might be crawling or analyzing privacy policies to study en masse
> * civil society, who may want to provide automated comparison, versioning or analysis of privacy policies
> While discovery of a human-readable privacy policy is a very limited part of the general problems our industry has encountered with long-form privacy policies on the Web, standardized discovery protocols would contribute to a variety of use cases and could facilitate some larger scale solutions (short notices, privacy icons, registries, etc.).
> I don't claim to know every proposal in this area, but here are a few that address the very specific question of discovery of human-readable privacy policies that apply to a particular Web page. (Apologies if I'm repeating an incomplete collection that has already been gathered somewhere else.)
> 1. P3P discuri attribute  
> A mandatory discuri on every <policy> element in an XML P3P policy gave a full URI for a human-readable version of the privacy policy. This is implemented now, for example, by Yahoo! and Microsoft. P3P policies are discoverable in a defined way (well-known URI, Link header, link tag) and then the <policy> element can be parsed to find the human-readable version.
> 2. DNT Tracking Status Resource   
> An optional element of a site-wide tracking status resource (itself discovered through a well-known URI or response header) is a JSON policy field which points to a human-readable policy, though this is suggested to be specific to the kind of tracking relevant to a DNT preference. That document is currently a draft and I don't know offhand of any in-the-wild implementations of this section.
> 3. A "privacy-policy" or "terms-of-service" Link relation    
> RFC 6903 defines privacy-policy and terms-of-service as relations of links, to be used either inline in HTML or as a Link HTTP header. The RFC was published (Informational) just this March. (I also see some earlier suggestions, not widely pursued, for rel="privacy", but I don't see any problem with the longer form.)
> 4. policies.txt     
> Most recently, I saw this brought up by Aaron Massey, who suggests a policies.txt file in a well-known location, similar to the widely used robots.txt protocol and the informal humans.txt analog.
> Personally, I think the Link relation (#3) is both flexible and very easy to implement. IETF published the documentation as an informational draft, and I'm not sure the history there or why it wasn't pursued on the standards track. Sites that have different privacy policies for different URLs can implement it through different link tags in the heads of documents. Very small sites can just add rel="privacy-policy" to a plain old anchor tag. And hey, it works for terms-of-service too.
> Questions for you all:
> * Would you find standardization/use of this valuable?
> * Is there any standardization necessary beyond the informational Link relation definition? If so, what features would you want to see?
> * Would you be willing to implement it, or what would be needed to encourage implementation?
> Thanks,
> Nick
> CC Aaron Massey, who brought this up on Twitter/his blog, Jason Snell who authored the Link relation proposal. I'm also sharing this with the Open Notice group who have been talking about related standardization efforts.

Received on Tuesday, 15 October 2013 14:05:29 UTC