Position Paper for the W3C Workshop on Delivery Context
March 4-5, 2002, Sophia-Antipolis, France
Ericsson Eurolab Deutschland GmbH
Most existing solutions for representing delivery context information and exploiting it for the adaptation or rendering of content are still rather specialized in a specific set of profile attributes, such as user location or device capabilities and device-related user settings. The system architectures are, more often than not, one-dimensional, i.e. based on a client-server or a client-proxy-server architecture. Either the client itself or a proxy in a trusted domain is responsible for handling profile information and communicating it to the server, and the server renders the requested content exploiting the available delivery context information.
As the Device Independence Activity is striving to broaden its scope with respect to delivery context, more generic notions of context information as well as more distributed system architectures will need to be considered. Fragments of context information will be collected, stored and interpreted at different places and by different players, and they will need to be communicated and matched against each other as well as against the user's identity. Content will be adapted and manipulated, according to context information, by different nodes and in different - not necessarily trusted - domains.
This raises the question of privacy, since context information may be of a sensitive nature. This is rather obvious in the case of, for example, location information, but may not be perceived as critical in the case of simple device capabilities like the screen resolution. However, no clear borderline can be drawn, and at the end of the day it is the user who should decide individually which types of information they consider sensitive. Concerns around privacy issues are still not very widespread among Internet users, but there seem to be at least two factors that are currently pushing public awareness: the explosion of spam e-mailing, which makes it very obvious that personal information is indeed being harvested on the Internet, and the emergence of location-based services, which clearly provide substantial added value and convenience to the user but at the same time exploit information of a very sensitive nature.
It should be pointed out that the prerequisite for revealing any sensitive context information whatsoever to anyone is a certain degree of trust, i.e. a certain confidence that the recipient of the context information will not exploit it for any purposes that the user has not given their consent to. This essential trust cannot be established by means of technology. Rather, it will be gradually built up by means of branding, reputation, experience, etc.
Besides trust, a regulatory and legal framework needs to be in place, along with effective mechanisms for enforcing it. Once this has been put in place and trust has been established between certain parties to a certain degree, a number of privacy-enhancing technologies can be used to support this framework. There are a number of things that privacy-enhancing technologies can do:
describe policies according to which sensitive information is to be handled, in human- and machine-readable formats,
provide means of negotiating policies specified by the involved parties,
enforce such policies within a trusted realm,
document, in a non-repudiable manner, what information has been communicated under which provisions and policies,
anonymize or pseudonymize context information so that parts of a user profile cannot be linked to the actual human being they pertain to, and/or to each other.
Work has been done to combine CC/PP with the P3P (Platform for Privacy Preferences) framework. This enables a client (or a proxy acting on the client's behalf) to match its preferences, as to under which provisions it is prepared to reveal certain pieces of context information, against the policies specified by a service. Further, work has been done to manage user profile information in a proxy, which allows the user to control to whom (trusted third parties) certain pieces of profile information will be revealed. This is done by means of authentication and access control lists. It is expected that this work can be adopted, but it may need to be generalized upon transition from a client-proxy-server model to a fully distributed architecture.
Key to a technical framework that can support privacy in a distributed context-aware environment will be two design considerations: user control and usability. User control means that the user is empowered to decide what information they consider sensitive, and in what situations they are prepared to reveal it, to which parties, for what purposes and under which provisions. Usability implies that the system needs to be transparent enough so that the user understands what they have specified, and that it encourages the user to actively use the system instead of relying on default settings. While usability may seem to be primarily an issue of device and user interface design, it also needs to be inherently supported by the underlying architecture and protocols. Clearly, there will be a tradeoff between usability and the privacy-enhancing functionality. Overwhelming complexity must be avoided, or at least be hidden from the user, or users will reject actively using the technologies.
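As an added illustration (not part of this position paper or of the cited work), the following Python sketch shows the kind of proxy-side matching described in the two preceding paragraphs: each CC/PP attribute carries the user's own preference (allowed purposes, recipient classes and a retention ceiling, in a P3P-style vocabulary), the requesting service presents its policy, and an access control list together with authentication decide who may see what. Attribute names, vocabulary values and the sample profile are constructed; attributes the user has not explicitly classified are treated as sensitive and withheld by default.

```python
from dataclasses import dataclass

# Added example, not the paper's or any project's code. Retention levels are
# ordered so that a policy may never retain longer than the user allows.
RETENTION_RANK = {"no-retention": 0, "stated-purpose": 1, "indefinitely": 2}


@dataclass(frozen=True)
class Preference:
    """User's preference for one profile attribute (constructed vocabulary)."""
    purposes: frozenset      # purposes the user consents to
    recipients: frozenset    # recipient classes the user accepts, e.g. "ours"
    max_retention: str       # longest retention the user tolerates


@dataclass(frozen=True)
class Policy:
    """A service's declared policy for the attributes it requests."""
    service_id: str
    purposes: frozenset
    recipients: frozenset
    retention: str


def policy_acceptable(pref, policy):
    """True if the service's policy stays within the user's preference."""
    return (policy.purposes <= pref.purposes
            and policy.recipients <= pref.recipients
            and RETENTION_RANK[policy.retention] <= RETENTION_RANK[pref.max_retention])


def filter_profile(profile, prefs, acl, policy, authenticated):
    """Return the subset of CC/PP attributes the proxy may reveal to the service.
    profile: attribute -> value; prefs: attribute -> Preference;
    acl: attribute -> set of service ids allowed to see that attribute.
    Unauthenticated services and attributes without a preference get nothing."""
    if not authenticated:
        return {}
    released = {}
    for attr, value in profile.items():
        pref = prefs.get(attr)
        if pref is None or policy.service_id not in acl.get(attr, set()):
            continue                      # unclassified or not on the attribute's ACL
        if policy_acceptable(pref, policy):
            released[attr] = value
    return released


# Constructed sample data: a device profile, the user's preferences and ACL
PROFILE = {"ScreenSize": "176x220", "Location": "48.8566,2.3522", "Language": "de"}
PREFS = {
    "ScreenSize": Preference(frozenset({"rendering", "admin"}), frozenset({"ours", "delivery"}), "indefinitely"),
    "Location": Preference(frozenset({"rendering"}), frozenset({"ours"}), "no-retention"),
}
ACL = {"ScreenSize": {"news-portal", "map-service"}, "Location": {"map-service"}}
NEWS = Policy("news-portal", frozenset({"rendering"}), frozenset({"ours"}), "stated-purpose")
MAPS = Policy("map-service", frozenset({"rendering"}), frozenset({"ours"}), "no-retention")
```

Running `filter_profile(PROFILE, PREFS, ACL, NEWS, True)` releases only the screen size, while the map service, which is on the location ACL and promises no retention, also receives the location; the unclassified language setting is never released.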
Note that, provided the majority of users continue to become increasingly concerned about privacy issues, failure to provide a privacy-enhancing framework that meets these criteria may lead to users not adopting context-aware services at all, since they may feel they have no control over, and no knowledge of, what is happening to their personal information behind the scenes.
It is appreciated that the Device Independence Activity will not make any attempt to specifically work on privacy- and trust-enhancing or security technologies, but will rather employ known technologies developed elsewhere. However, it is clearly designing a framework which inherently deals with the description, storage, communication and exploitation of information, at least parts of which must be considered privacy-sensitive. It is therefore paramount that privacy, trust and security considerations be taken into account from day one when designing this framework. This approach is almost always more effective and efficient than first designing a system architecture which, deliberately or not, ignores these issues and then attempting a posteriori to add the necessary security functionality.
M. Nilsson, H. Lindskog, S. Fischer-Hübner. "Privacy Enhancement in the Mobile Internet". In Proceedings of Security and Control of IT in Society-II, IFIP SCITS-II, Bratislava, Slovakia, June 15-16, 2001.
H. Ohto, L. Suryanarayana, J. Hjelm. "CC/PP Implementors Guide: Privacy and Protocols". W3C Working Draft, work in progress, December 2001.
H. Zandbelt, B. Hulsebosch. "IDsec: Virtual Identity on the Internet". Internet Draft, work in progress, January 2002.