- From: Rigo Wenning <rigo@w3.org>
- Date: Thu, 21 Mar 2002 13:11:31 +0100
- To: Tim Coote <tim@coote.org>
- Cc: Hugo Haas <hugo@w3.org>, www-ws-arch@w3.org
On Wed, Mar 20, 2002 at 10:52:33PM -0000, Tim Coote wrote: > Hullo > > I'm not a lawyer, but for what it's worth, I'd get this reviewed by lawyers > before setting it in stone. What I don't understand is which lawyers. I > think that the UK Data Protection Act (the basis of EU legislation, I think) > is quite good, but I have also heard of some draconian data > protection/privacy issues in Germany. It would be daft to produce a standard > that was immediately outlawed in key parts of the world. > Hello, I think we should avoid FUD about privacy and look into to the real challenges. What does privacy in the charter of WS really mean? 1/ Hooks for P3P We should avoid to look into a specific law (like uk), as W3C has to work globally. If we would implement, say french law or hungarian law, we would still have a problem e.g. with US-law or australian law. I would also like to remind, that W3C is issuing recommendations. They are never mandatory. They will be used, because they are useful. This means, we have not the same goal as a law here. Therefor, we should avoid to make specific provisions about a specific law or regulation system. Nevertheless, knowing all those rules can help us specifying the hooks that developers of web services will need to comply with the level of data protection in their respective countries. (Yes, that works, e.g. P3P) So I think one requirement would be to provide the hooks, so that WS-Software can use P3P. SOAP has already done that. The challenge is to identify, where the hook should sit and what it should do. 2/ Privacy by design The discussion already mentioned, that for some data protection principles it is simply impossible to hardcode them into a technology. This is known. Some privacy (or better data protection) problems can't be solved with technology. So I don't think, requiring privacy means, that WS has to solve unsolvable problems. But while designing technology, one has to keep privacy in mind. It is a bit like I18N. It is a subject, which goes across WG boundaries. An example can be given from HTTP. The so called "browser-chattering" allows to get a lot of information about the user of a Web-site. A technology could choose to avoid such chattering and only transmit the information necessary in a certain context. Another example is unique-ID. Do we really need world uniqueID's for the purpose or are they just an add on. These kind of questions has to be discussed. Just think about the amount of problems, that a generated by cookies. If cookies would have been designed with privacy in mind, they would generate a lot less problems today. 3/ Privacy is broad and touches also security Confidentiality is the subject, where privacy meets security. This counts for access to data, but also encryption during transfer. There are special provisions in the european data protection directive about the security of transmission of personal data. Wouldn't it be much easier for companies to comply with this, if the hooks were already prepared to plug a module, that does the required security/confidentiality? But this needs an architecture, where one can actually plug something in. While designing the architecture, we have to think about where those things have to be pluggable. 4/ Privacy is not a one-shot issue It will accompaign you during the whole period of development of WS. Changes will raise new privacy challenges. They have to be solved. Sometimes, it's simply a choice that has to be made... IAL (I'm a lawyer ;) -- Rigo Wenning W3C/INRIA Policy Analyst Privacy Activity Lead mail:rigo@w3.org 2004, Routes des Lucioles http://www.w3.org/ F-06902 Sophia Antipolis
Received on Thursday, 21 March 2002 07:17:09 UTC