- From: Dave Raggett <dsr@w3.org>
- Date: Wed, 06 Jun 2012 13:15:09 +0100
- To: public-sysapps@w3.org
On 06/06/12 04:24, SULLIVAN, BRYAN L wrote:
> On the privacy aspects, I think it would be a good time to take a
> system-level approach to that across these APIs. Thus I propose that
> we add a Privacy API to the phase 1, with the objective of providing
> to the user whatever information is relevant to the privacy related
> characteristics of all apps on the device, and related system-wide
> controls for the same. For example, in the DNT discussion it's been
> noted that diverse implementations in web user agents (of which there
> can be multiple) and web-enabled apps can lead to fragmented and
> inconsistent representations of user privacy preferences. Thus it
> would be good to enable management of preferences system-wide, and
> ensure that the applicable signals are always used (e.g. DNT header).
> The objective of the API would not be to mandate any UI aspects, but
> to provide the ability of apps to disclose privacy related
> characteristics, and the ability of suitably authorized apps to read
> those characteristics and manage system-wide privacy settings.

It is a bit late to add a privacy API deliverable to the questionnaire, so I hope that others can respond to Bryan's suggestion via email.

Bryan: could you expand further on what you have in mind? My initial reading is that you are asking for an API to access and update privacy preferences, and for applications to indicate their privacy policies.

I can envisage a privacy management application that allows you to view what privacy related permissions were set for given applications. There are, for example, Android apps for this, although they require a rooted device to update the settings. This would be closely related to the existing deliverables on the security and execution models.

Whilst I hesitate to mention P3P, a lot of good work was done on a vocabulary for privacy policies covering what data is collected, who it may be shared with and under what retention policy. P3P as it was originally specified proved too hard to provide full implementations. Microsoft's compact policies provided a simple solution, but only covered cookies.

A couple of years back I did some work for the PrimeLife project on a broader subset of P3P that is easy to implement, as I proved in the form of a Firefox add-on, see:

http://www.w3.org/2010/09/raggett-fresh-take-on-p3p/

From the W3C workshop on Privacy and data usage, in October 2010:

http://www.w3.org/2010/policy-ws/

Do Not Track has now re-opened the door for work on richer means for web sites to express their policies, but I suspect that it is still too early to begin standardizing. P3P's vocabulary is a valuable input, but we need further work to better understand the landscape beyond DNT.

I anticipate a growing role for apps like "Lookout" that warn when you try to install malware, and also provide warnings relating to privacy. The next step will be to provide warnings according to the user's privacy profile, e.g. carefree, cautious, or paranoid, and to take into account independent third party assessments rather than just relying on the website or app's stated privacy policy.

--
Dave Raggett <dsr@w3.org> http://www.w3.org/People/Raggett
Received on Wednesday, 6 June 2012 12:15:36 UTC