RE: WS Privacy [Was RE: Status of D-AG006] from Joseph Hui on 2002-03-20 (www-ws-arch@w3.org from March 2002)

From: Joseph Hui <jhui@digisle.net>
Date: Wed, 20 Mar 2002 10:33:35 -0800
To: "Hugo Haas" <hugo@w3.org>, <www-ws-arch@w3.org>
Message-ID: <C153D39717E5F444B81E7B85018A460B081B277A@ex-sj-5.digisle.com>
Hi Hugo,
 
I was just laying out an exit strategy in case we failed to garner support
for Privacy in WSAWG.  That wasn't the same as suggesting to ignore
Privacy per se.
 
Rest assured that Privacy is a legitimate issue.  (The issue at hand is whether
we want to address it in WSAWG.  And if yes, to what extent?)
 
On the new goal you're proposing -- protecting comsumers' private data
from exploitation, I tend to think legislative bodies (instead of technological
standard bodies) can be much much more effective in privacy areas.
E.g. I don't know of any effective technical mechanism that can prevent
a merchant from whom a consumer has purchased goods from using the
consumer's shipping address for promotional mails.  But if the laws 
says the merchant must provide a checkbox for consumers to
exclude themselves from potential spams, then the problem (which is 
only one of many privacy problems) is pretty solved, as it's technologically
trivial to add such anti-spam feature (i.e. stopping spams at their sources).
 
The above said was just my $0.02.
Hope it doesn't discourage anyone from thinking about championing for
the newly proposed Privacy goal.
 
I'd also suggest that as we're starting to deliberate Privacy, we need to
*define* (de Javu?) what Privacy means in the WSAWG context,
so we know what we're getting ourselves into.
 
Cheers,
 
Joe Hui
Exodus, a Cable & Wireless service
===============================
 

 -----Original Message----- 
 From: Hugo Haas [mailto:hugo@w3.org] 
 Sent: Wed 3/20/2002 8:29 AM 
 To: www-ws-arch@w3.org 
 Cc: 
 Subject: Re: WS Privacy [Was RE: Status of D-AG006]
 
 

 Hi Joe and Zahid.
 
 * Joseph Hui <jhui@digisle.net> [2002-03-14 18:43-0800]
 [..]
 > It would be great if someone picks up Privacy and run with it.
 > If not, then we need to start preparing for its eventuality.
 > IMHO, it's alright that we don't swing our bat at every pitch.
 > Privacy's beginnig to look like a wild pitch, to me at least.
 >
 > Here's one exist strategy we may consider,
 > comprising two options:
 >    1) punt Privacy to AG0016, e.g. doc it as a "gap"; or
 >    2) delete it from the charter. 
 >
 > Option 1 ruins our chances to flunk AG0016, the one
 > goal that we should strive for its failure. ;-)
 > Option 2 comes across as traumatic.
 > Either is workable; neither is palatable.
 > New proposals are welcome. 
 > (Please, no quixotic one-liners.
 > Accompany your proposal with analysis/reasoning.)
 
 I don't think that ignoring privacy is an option. Web services will
 not be able to succeed for private use, as opposed to corporate use,
 if privacy protection is not addressed.
 
 Moreover, there are, in Europe for example, legal issues about
 privacy. There was a legal track at XML Europe 2001, and there were
 interrogations about whether Web services would meet legal
 requirements (see xmlhack's report[1]). We need to ensure that the
 answer is yes.
 
 * Ahmed, Zahid <zahid.ahmed@commerceone.com> [2002-03-14 19:03-0800]
 [..]
 > I mentioned previously:
 > >In my opinion privacy policies is web services application
 > >dependent and is part of the domain of the web services
 > >operation environment. Confidentiality policies need to be
 > >addressed between a web services producer and consumer.
 >
 > My proposal is that we limit any features/reqmnts that do
 > not fall under above scope control criteria. Some features
 > may need to be addressed post WSA 1.0 outputs.
 
 Hmmm... I wonder whether security wouldn't fit into that too, since in
 a way it also is Web services application dependent. Note that I am
 not questioning whether we should address security, I am just trying
 to legitimize privacy.
 
 Putting privacy hooks at the right place will keep us from trouble.
 I think that we need to add a goal in the spirit of D-AG0006 about
 privacy:
 
     enables privacy protection of the consumer of a Web service
     across domains and services.
 
 "across domains and services" refers here to the case where the
 consumer interacts with a series of individual services, as part of a
 transaction.
 
 Comments?
 
 Regards,
 
 Hugo
 
   1. http://www.xmlhack.com/read.php?item=1234
 --
 Hugo Haas - W3C
 mailto:hugo@w3.org - http://www.w3.org/People/Hugo/ - tel:+1-617-452-2092
Received on Wednesday, 20 March 2002 13:33:41 UTC