W3C Technology and Society Domain Platform for   Privacy Preferences Initiative

W3C Workshop on
Languages for Privacy Policy Negotiation and Semantics-Driven Enforcement

17 and 18 October 2006 -- Ispra/Italy

Workshop Report

Executive Summary

On October 17 and 18, 2006, W3C held a Workshop on Languages for Privacy Policy Negotiation and Semantics-Driven Enforcement in Barza d'Ispra, near Milan, to explore technologies to help address privacy needs across the whole privacy value-chain. The workshop was hosted by the Joint Research Centre of the European Commission.

The Call for Participation had required participants to submit position papers. 35 papers were received; 17 were presented. Workshop participants came from the industrial research and development, academic, and public policy communities across Europe, North America, the Middle East, East Asia, and Australia.

The workshop program was structured into a number of sessions, and an open discussion of next steps.

Workshop participants explored technologies to help address privacy needs across the whole value-chain. On the Web, data collection and transfer are routine: Services are provided by combinations of multiple providers without users realizing; to manage the wealth of information available, users increasingly rely on third parties that provide personalized views. In this complex environment, enterprises face challenges in managing the data that they process: It becomes hard to keep track of privacy promises that were made when particular sets of data were collected, and to translate the context of data collection into access control rules. Additional problems arise as users become publishers themselves: How is the personal information that is made available on the web -- often through value-added services -- used? How can others be held accountable for their use of this information? How can access control decisions and accounability mechanisms leverage the Web? How can community and user driven Web sites leverage access control and accountability frameworks?

While P3P enables enterprises to machine-readably express the privacy policies that govern a particular service, this workshop looked at privacy in the backend, at conditions, actions and obligations attached to data records containing personal data, and at usage control and accountability models for information published on the Web.

One key obstacle toward progress on integrated privacy approaches for both enterprise processes and the Web is the lack of interoperability between different policy languages: While current policy mechanisms are tailored towards specific use cases and serve these use cases well, today's enterprise and Web environments require tightly combining the different approaches. Participants in the workshop agreed that future work should not focus on creating a single combined policy language to cover the entire field of personal information processing and access control. Rather, the community should aim at leveraging successfully deployed policy languages such as XACML and P3P, and focus on key enablers for interoperability between and combinability of these languages. An important contribution could consist in developing common interfaces between policy languages and diverse data models. The PRIME and PAW projects promise to provide valuable input in this general area of work.

Workshop participants also discussed recent work aimed to help with privacy negotiations, an area of technology that was deferred by previous W3C work on P3P. Negotiating alternative policies and then implementing the promises made will be a challenge for data management tools, as negotiation results mean that different policies are appplied with much finer granularity than in traditional deployments.

17 October

Opening the Workshop

John J Borking opened the workshop by reviewing changes and challenges in today's world: How have privacy perspectives changed between 1995 and 2006? How have attitudes towards privacy, security, and the trade-offs between the two changed? How have legal environments changed? While the future might hold a decrease of anonymity, increasing threats to privacy due to merging and mining of vast arrays of data, and a general blurring of public and private spaces, Borking also observed increasing awareness which might help deploy privacy-enhancing technology. In discussing technical privacy safeguards, he emphasized the importance of deploying these technologies broadly, beyond niche markets that mostly cater to privacy activists.

Daniel J Weitzner talked about transparency and end-to-end accountability, and started from the real-life disconnect between the perceived compliance with laws and regulations, and the knowledge of these laws and regulations. He asked whether future challenges are really so much about the law catching up on technology, or whether we possibly need a technology environment that can sort out policy questions without using a recourse to law. Translating to the privacy space, Weitzner identified a transactional approach to privacy that scales to large-scale, many-to-many transactions and to publicly available data as a main challenge. He observed that purpose limitations might sound like an answer to this challenge, but pointed out the trade-offs that exist between flexibility, the effectiveness of privacy protection, and the individual and regulatory capability to deal with these mechanisms. Weitzner suggested to move from a world which is strict about data collection, but loose about its usage, to one that focuses on usage control. Specific requirements include semantically aware access-control, and policy-aware transaction logging capacities.

During the subsequent discussion, Anne Anderson drew a parallel between this approach and Naftaly Minsky's theory of law-government interaction, and pointed out criticism of that approach due to its lack of flexibility. Weitzner remarked that it was unlikely that a rule set as comprehensive as P3P would be attempted ever again. Louis-François Pau asked about the interaction with different legal and cultural environments, and questioned the enforceability aspects of Weitzner's vision. Weitzner pointed out that he had sketched a framework which would allow parties to transactions to declare what rules they feel bound by, and to hold them accountable to this statement; he also suggested that existing technologies for secure audit trails could be leveraged.

Requirements and Frameworks

Frank Wagner introduced the T-Identity Protector, a solution to anonymize, pseudonymize, and de-pseudonymize personal information, driven by legal requirements; the disclosure and release of identity information is controlled tightly. T-Identity Protector acts as a black-box system that is inserted into processes where personal information is transmitted. Wagner discussed basic requirements, quality factors, and risks of the system. He introduced skill management across an enterprise group, the analysis of communication data for marketing purposes, and the processing of personal information in Grids as possible use cases.

In the subsequent discussion, Sören Preibusch noted that some operations were not possible on pseudonymized data. Louis-François Pau emphasized the importance of using privacy protection as a revenue-generating service in order to achievve acceptance and deployment of solutions.

Robin Wilton presented an analysis of privacy policy expression languages. He introduced a high-level view of the actors and flows that are affected by privacy policy languages, and mapped P3P, XACML, EPAL, and ODRL to the control points identified in this flow. As a conclusion, he suggested that Liberty's ID-WSF might potentially supplement these existing options. Wilton then suggested a systematic classification of existing technologies into processes, preferences, and technology, and argued that existing approaches were mostly at the intersection of two of these three spheres. A privacy preference sweet spot would have to leverage instruments from all three of them.

Johan Hjelm suggested that the compromise would ultimately have to be in the technology. Pau remarked that there was a set of tools in the OMG SLA handbook that shows the same three levels, and emphasized that the winners in the game are service providers who manage SLAs. Wilton elaborated that, in his view, the extent to which technology needs to be applied might, among other factors, depend on the balance between legislation and best practice in individual jurisdictions.

Ernesto Damiani noted that the architecture presented reminded him of DRM enforcement, and asked whether the model was really applicable to identity management and privacy.

Günter Karjoth presented Privacy Policies as a Component of Policy-enabled Governance. He started out by sketching high-level requirements for privacy languages: Rich expressiveness -- integrating, e.g., processes such as notification after access, and requirements on system properties with access control and audit -- comined with clear semantics and well-defined scope; composable policies to enable distributed authoring; comparison relationships to enable sticky policies. As a framework, Karjoth suggested thinking about a core language, associated with other entities through binding mechanisms, and applied to sector-specific contexts using ontologies or vocabularies. He stressed compatibility with existing standards as a key requirement. Karjoth concluded that governance requirements go beyond "data labeling" and extend into policy enforcement, and suggested use and extension of existing access control approaches to meet privacy requirements as a starting point for future development, that could then focus on efforts that embed enforceable policies with other deployed standards.

Renato Iannella talked about A Policy Oriented Architecture for the Web: New Infrastructure and New Opportunities. He sketched the breadth of the current policy environment, in which lots of policy languages cater to different use cases -- from privacy to quality of service --; use different enforcement models -- ranging from Creative Commons style licenses to full-fledged DRM --; take different trust approaches -- from enforcement to community acceptance; yet have common requirements around transparency, accountability, adaptability to dynamic context information, and resolution of conflicts between different policies.

Iannella called for an abstract reference model to capture commonality where it exists, and to serve as a unifying overlay that helps to connect the various ingredients for a policy-aware web.

The subsequent discussion focused on the relationship between different areas of policy: Privacy, DRM, and access control. Johan Hjelm observed that policies in the identity-management / privacy and digitial rights management spaces were similar since they were both attacking the same problem: Attaching controlled usage rules to content. He observed that in particular the pitfalls of DRM might provide important lessons that privacy policy languages ought to heed. Patricia Charlton looked at the reasons why users don't accept digital rights management: Complexity, and a violation of privacy coupled with control of personal decisions. She suggested that different use cases might require different solutions. Daniel Weitzner observed that there were two approaches to digital rights management: access-control (iTunes) and usage-control (Creative Commons). Günter Karjoth suggested that usage-control and access control were more or less the same, and interpreted usage control as additional information on which to base the access control decision. He noted that work on privacy technologies has stimulated the access-control community to include purposes and obligations in its languages. Sören Preibusch observed that XACML had been mentioned frequently, and noticed that privacy was more than just access control. He urged the participants not to focus just on access-control. Anne Anderson observed that XACML clearly came out of the access control world, but had evolved into a much more generic policy language. This discussion was deferred to a later session. Johan Hjelm suggested that access was a special case of usage, and noted that complexity was unfortunate, but inevitable. He pointed to the mobilife project that explored enabling user visualizations in order to make preference-writing usable. Ernesto Damiani observed that, while there was convergence between access control, privacy languages and DRM, there were architectural and technical differences. Louis-François Pau suggested that negotiation aspects might elminiate some of the candidate language features, and that agents can do a lot of the job that the proposed languages are talking about.

Candidate Technologies I: Negotiation & Policies

Michael Maaser presented Negotiation Enhancements for Privacy Policies, a proposal to extend P3P with descriptions of negotiation policies. These extensions make privacy policies and preferences the basis of a bargaining process that is more complex than the "take it or leave it" approach that P3P presently has. Capabilities that are added include quantities (such as the exactness of location information), charges (to express remuneration of services), and rewards (to express incentives that are given to service users in case they reveal additional information). The preferences that control the negotiation process include prohibitions, permissions, and the ability to mark certain data as optional on the service side. The negotiation approach suggested consists of an exchange of proposals and counter-proposals, based on the parties' preferences, policies, and negotiation strategies.

In the subsequent discussion, Hannes Tschofening cautioned about the complexities introduced by dealing with negotiation protocols. Günter Karjoth poined at WS-Agreement; Louis-François Pau observed that negotiation processes in management science were different from the proposed model.

Sören Preibusch presented another approach towards Privacy Negotiations with P3P. He introduces an extension that enables P3P policies to express policy alternatives that are bound to different service URIs; hence, different privacy policies can be used to select between different services. The alternative statements enable negoting the recipient, purpose, retention and data dimensions of P3P policies. Agreements are indicated by retrieving the service indicated by the service URI; all policies are presented at once.

Discussion of this paper focused on implementation experience.

Piero Bonatti presented Flexible and Usable Policies. He discussed general requirements for a high-level and efficient policy language and negotiation framework for privacy and access control. Requirements include: the need to represent processes; interoperability with legacy data; integration of different kinds of evidence as a basis for trust decisions; the ability to define concepts and their relations; explanation facilities that enable users to understand why a negotiation process fails. Bonatti advocated rule-based approaches for concept definitions and policy languages. He introduced Protune, a trust negotiation framework, as an implementation that matches most of these requirements. This framework uses rules-based policy languages; has limited support for actions; and implements automated trust negotiation based on the negotiating parties' policies. Bonatti emphasized the importance of using lightweight languages and negotiation frameworks.

Louis-François Pau pointed out agent-based approaches as an alternative, as described in his position paper. Bonatti pointed at the Jess project at Carnegie Mellon University as an example that demonstrates the feasibility of this approach. Prompted by a question from Patricia Charlton, Bonatti pointed out that, by "lightweight", he means syntactic constraints on data in order to reduce complexity. Tschofenig noted that AAA (Authentication, Authorization, Accounting) infrastructures are heavily used for access control, and noted that IETF work that uses SAML would be interesting to combine with this approach, since it was rule-based as well. LF Pau noted the tension between lightweight approaches and the ability to deal with broad requirements that arise as applications span jurisdictions.

Johan Hjelm brought the discussion back to the economic background for Preibusch's negotiation approach. Preibusch pointed out that a case study was available; the starting point was the availability of alternatives. An example could be the comparison of A9.com as a highly personalized search engine to a generic one. Borking suggested that this market might lack transparency. Preibusch suggested that sales brokers could cover different services and offer different offers; Hjelm pointed at the CMU PrivacyFinder search engine. Damiani raised complexity concerns that arise when negotiation is too fine-grained.

Candidate Technologies II: Access Control & Data Handling

Anne Anderson presented XACML-based privacy policy languages. Anderson started by discussing generic requirements: Avoidance of conflicting standards; combination of access control and privacy policies at the enforcement level; and support for negotiation and obligations. She noted that XACML and the XACML privacy profile were established OASIS standards, and that the other requirements listed were fulfilled by XACML or XACML derivatives. Anderson then discussed the XACML constraint language, giving an example in which it is used to express privacy preferences that can be matched against a P3P policy. She went on to lay out the basic structure of XACML rules, combining algorithms, and combinability of rules into policies and plicies into policy sets. Semantics can be added to XACML through the context handler. The "XACML Profile for Hierarchical Resources" enables matching of hierarchies of resources; the hierarchies are encoded into the identities of resources. Anderson pointed out that the integration of semantic information into the Context Handler -- such as RDF descriptions of resources and subjects -- would be a useful avenue for the extension of XACML. Finally, Anderson discussed the matching of client and service policies using XACML, and in particular the WS-XACML specification.

Daniel J Weitzner asked how the data structure was defined, and whether there was a function to express subclasses. Anderson noted that the data structure could be RDF, and that there was a possibility to express attribute subclasses; this could be made more generic. Referring to WS-XACML, Rigo Wenning asked about transporting a flow of personal data augmented by constraints. Anderson noted that there could be requirements for each of the P3P categories. LF Pau mentioned that he was a long-time practicioner of constraints-based languages, and asked about "the ILOG solution." He suggested that it was an advantage of this solution that client control was encapsulated on the client level, and pointed to the risk of scalability issues. Anderson noted that, in conjunction with semantic information, a policy could be mapped onto more detailed information when applied. She noted that, in a web services model, the published information is only a subset of the total access control policy, filtering out those clients that do not want to fulfill certain minimum requirements. Piero Bonatti asked where this language was in the spectrum between declarative languages and "code," and noted that constraints might be used differently, depending on where it was placed. Anderson replied that the XACML core specification does evaluation by a standard engine, using standard datatypes, and noted that negotiation is not in the XACML specification, although it is in the new Web Services Profile of XACML, which is a Working Draft. She also noted that the policy could be written in the same way, either for negotiation or for access control purposes.

Ernesto Damiani presented on Privacy Enhanced Authorizations and Data Handling. He reviewed different categories of policies -- access control, release, data handling, and sanitization policies --, and existing standards for access control, and secondary use (basically, P3P). Damiani then discussed convergence between access control and privacy policy languages, and the research challenges that come out of this convergence, and would need to be tackled to develop a privacy-aware authentication language: Secure and privacy-friendly exchange of context information, such as a user's location; semantic-aware policies to provide enforcement efficiency while supporting sophisticated distributed evaluation, including simple reasoning based on context information; data handling policies to impose constraints on secondary use of personal information. Damiani then elaborated on requirements for data handling policy languages, including the ability to deal with purposes, provisions, and obligations; copmposability; and expression of disputes and remedies if obligations are not fulfilled. Finally, Damiani observed that another set of challenges arises when personal information is stored securely. He concluded that, where current standards are evolving independently, some rethinking might be necessary when the different aspects are put together.

Hannes Tschofenig pointed at IETF work and noted that it covers some of the examples given; he also pointed at OCG for location-based digital rights management. One participant pointed out that legislation might be another source of complexity, besides the preferences that the users themselves introduce. Damiani noted the tradeoff between the risk of overstandardizing vs. introducing hidden sources of complexity.

Marco Casassa Mont spoke On the Need to Explicitly Manage Privacy Obligation Policies as Part of Good Data Handling Practices. He first reviewed privacy concepts and background; he emphasized the complementarity of access control policies and obligations, and opposed any subordination of obligations "under" access-control frameworks. Casassa Mont identified the standardization of an integrated language for access-control policies and obligations, with different enforcement systems, as a major standardization opportunity; compatibility with current identity-management solutions was highlighed as an important requirement. Casassa-Mont then drilled down on what "obligations" mean in this context: duties and expectations about the management of personal information, whether they come from law, user preferences or enterprise guidelines. He noted that, conceptually, obligations can be articulated at different abstraction levels, and emphasized the complexity of the space. Key properties of obligations include the time frame for enforcement, expression of events, conditions, targets, and actions, and also workflows and tasks that are controlled by the obligations. Casassa Mont went on to review current work and its limitations. He noted that neither P3P, nor current data retention solutions and data document management systems, nor ad-hoc solutions deployed in vertical markets actually cater to the broad requirements for privacy obligation enforcement. In terms of relevant work, Casassa Mont identified the IBM Enterprise Privacy Architecture, and the XACML space; he noted, however, that these subordinate privacy obligations to access-control, and reviewed the different approaches in more detail. Key requirements for the integration of access-control and obligation languages include shared ontologies and common data handling criteria; however, this kind of integration does not lead to any subordination of obligations under access-control languages. Casassa-Mont closed by briefly discussing the work done in PRIME (which includes loose coupling between access-control and obligations, but does not satisfy broad negotiation requirements), and recommended further work on requirements and community-building as next steps.

Hannes Tschofenig asked about the meaning of compatibility with current identity-management solutions, and pointed out that provisioning and single-sign-on approaches are commonly decoupled; Casassa Mont claimed an increasing amount of integration. Prompted by Hogben, Anne Anderson discussed obligations in XACML: She noted that events could be modeled as targets, coupled with a mechanism that feeds events into a policy evaluation engine. She noted that XACML wasn't the ideal language for obligations, but that it could be done.

Danie J Weitzner inquired further about the subordination concerns raised. Casassa Mont responded that obligations often included temporal delays that didn't fit general access control frameworks, e.g., the deletion of information after a certain amount of time is elapsed, without being triggered through data access.

Xavier Huysman summarized his observation of the discussion as a notion that privacy preferences are not where XACML is really working. He then noted that e-government is using XACML, with a different model based on trusted parties, and cautioned that thinking in terms of privacy preferences only might be dangerous. He urged participants to take the role of the privacy commissioner into account. Anne Anderson noted that this third source of policies could be included in communication. Ernesto Damiani emphasized the need for a mapping of client-side privacy preferences to access-control policies on the server side.

Further discussion of this presentation centered around paradigms of policies and preferences, and the meaning of "sticky policies."

During the final panel of the session, Piero Bonatti pointed out at policy combination operators and their semantics as an important area for standardization. Anne Anderson commented that it was unlikely to see companies put resources into standardization of this area, since current solutions were catering to their needs now. Daniel J Weitzner summarized two important points: There are minimum requirements for interoperability, and there are costs in terms of implementation efforts. Hannes Tschofenig brought up location privacy as an interesting example in which the hard work lies in agreeing on some of the application-specific attributes. Giles Hogben pointed out the dangers of modeling data too closely; he noted that extensibility is required in order to deal with diverse data models.

Wrap-Up Discussion

The wrap-up discussion reviewed the various points that had come up throughout the day's discussions, and identified an initial list of issues for further discussion. A summary of this session was prepared in real-time, and then used to frame the second day's afternoon discussions.

18 October

Candidate Technologies III: Sharing & Credentials

Patricia Charlton spoke on Supporting the users' privacy preferences when sharing personal content. She discussed the use case of distributed creation and sharing of digital media, for instance photographs taken on cell-phones. Content is often shared within small communities; there are little means for privacy protection; DRM mechanisms are found too complicated. How can technology help users to protect their private sphere, while keeping ease of use for sharing with families and friends? Charlton presented work that attempts to leverage semantic web technologies to this end; the intent is to use ontologies to model domains, preferences, policies and profiles, to assist in automatic matching and filtering of content searches. Preferences and policies were modeled in Rei; expressivity included a subset of what typical DRM specifications do. The subset was selected based on user requirements and feed-back.

Anne Anderson asked where the difference from Digital Rights Management was. Charlton responded that the the preference engine was giving more flexibiltiy to the user; she presented DRM as more complex and application-specific, while, here, the user was center-stage. Prompted by Giles Hogben, Charlton noted that 12 users were used for pre-studies; some components had been tested with 40 users.

Giles Hogben presented An open assertion and evidence exchange and query language. Hogben identified minimizable assertions and the ability to create interoperable policies for complex databases that enable automatic handling of evidence as key requirements. Ingredients for an implementation include an assertion/request language that is able to refer to data without quoting them; trust ontologies; provider ontologies; and a logical separation between assertions and evidence. Hogben proposed an implementation of this approach based on Idemix (providing minimizable credentials), RDF (as an assertion framework), and OWL (to connect Identity Management and Enterprise data models, thereby enabling them to be separate). SPARQL could be used as a query language to operate on top of this information.

Patricia Charlton inquired about usability aspects: If data are cited, not quoted, how is this understandable by the end user? Hogben suggested that this aspect of the technology was occuring on a layer that remains hidden from the end user. Daniel J Weitzner asked about the strength of de-identification in this environment, and about the relationship with trust and reliability. Marit Hansen clarified that anonymous credential technology delivers both anonymity and accountability. Weitzner pointed out that there might be de-anonymization attacks on a content level. Hannes Tschofenig suggested to generate X.509 certificates on the fly instead of using Idemix credentials.

Günter Karjoth presented a A General Certification Framework with Applications to Privacy-Enhancing Certificate Infrastructures on behalf of Jan Camenisch et al. The basic use case presented was attribute exchange: In traditional federated identity management scenarios, the identity provider is able to link different transactions of the same subject. Private Certificate Frameworks, however, enable unlikable transactions; they enabl the release of a subset of attributes of a certificate, release of partial information about an attribute; commitments to attributes; and encryption of attributes. The basic framework relies on the separation between proof specifications (the assertion that is proven) and cryptographic proofs. Proof specifications are based on propositional logic; negation cannot be expressed. The cryptographic proof is verifiable with respect to the issuer's public keys, and verifies the correctness of the proof specification. The proposed approach enables privacy-friendly attribute exchange under weaker trust assumptions.

Hannes Tschofenig pointed at related projects for attribute exchange, such as OpenID and SXIP, and asked about the relationship between the different approaches. Günter Karjoth and Giles Hogben pointed out that the difference was unlikability based on sound cryptographic assumptions. Giuliano Pirelli asked about the availability of implementations; Günter Karjoth agreed to check licensing details for a planned Open Source release. Discussion ensued about how feasible it was to determie minimal assertions; the consensus was that it may not be known how to determine minimal assertions or how to prove minimality, but that the protocol that had been presented would be able to transmit and prove these assertions.

Candidate Technologies IV: Interoperability across Policy Domains

Makoto Hatakeyama introduced a Privacy Policy Negotiation Framework for Attribute Exchange: User, sender, and receiver policies are reconciled to identify a minimum set of attributes that can be transmitted. Hatakeyama sketched a conceptual framework and negotiation protocol.

Hannes Tschofenig presented the IETF Geopriv and Presence Architecture. The main objectives of the IETF Geopriv Working Group are to identify using protocols and document a format for carrying location information; and developing an authorization policy language for the distribution of location information. The group focuses on location conveyance through SIP, but its work can be used by any protocols that can transport MIME. Location information formats are re-used where available; a civic location format has been developed by the group itself. The group has specified an extension to the RFC 3863 Presence Information Data Format (PIDF) called PIDF-LO that enables encapsulation of location information and usage rules. The authorization framework used by Geopriv encompasses the so-called Basic Ruleset specified along with PDIF-LO (which includes retention periods and retransmission permissions), and the Extended Ruleset which, based on a Common Policy Framework, includes the Geopriv and Presence Policy vocabularies. Geopriv policies are used for location-based authorization; they can express conditions on civic or geospatial locations, and a number of relevant transformations. Presence policies include conditions on detailed identity usage for SIP, actions for subscription handling, and transformations that provide access to data component elements or presence attributes.

Louis-François Pau asked about the applicability of IDLF work. Tschofenig doubted the applicability of the OMA work in an IP-based context.

Daniel J Weitzner presented joint work with Lalana Kagal and others on Promoting Interoperability between Heterogeneous Policy Domains, centered around the Rein Policy Framework. Rein is a Web-based framework for policy specification and reasoning, grounded in Semantic Web Technologies. I tenables combination, extension and handling of policies, meta-policies and policy languages as reources on the Web. It does not introduce a new policy language. Meta-policies provide additional rules that govern the evaluation of policies, and the resolution of conflicts. Ontologies are used to describe policy domains; the framework also includes a request mechanism. Rein policy networks combine resources, policy languages, meta-policies, and their relationships. The Rein reasoning engine can get these entities from the Web when it makes access-control decisions by combining information from a Rein request with a resource's policy network. A testbed implementation uses RDFS for ontologies; rules are expressed in N3 Logic; and the reasoning engine is implemented in N3 Logic on top of CWM. Weitzner discussed access control to a girl scout group's photo album, driven by social networking information on the Net, as an example use case.

Weitzner noted that authentication is out of scope for Rein; Rein can, however, base decisions on existing authentication mechanisms. Patricia Charlton asked whether information about devices could be used instead of information about social networks; this is the case. Weitzner acknowledged that deployment of policy networks on Web scale poses a significant HCI challenge.

The subsequent discussion took up themes from the geopriv presentation, in particular the discussion on the relationship between IETF, W3C, and OMA standards in the area; Johan Hjelm in particular noted the need for convergence between IETF and OMA presence specifications; Weitzner pointed out that different groups might have different requirements, and noted that re-use of P3P elements would be desirable from a W3C perspective. Rigo Wenning pointed out differences between policy and preference paradigmata; Louis-François Pau noted the need for managing policies, and pointed out that more than just protocol work was required.

Discussion on Next steps

During the wrap-up discussion of the workshop, participants reviewed key questions that had come up during earlier discussions; these questions were classified in terms of near-term followup, and essentially research issues. See the summary slide for the notes taken at the meeting.

One key issue for near-time follow-up was the area of policy interoperability and mapping: While there seemed to be no interest among participants in creating a new, all-encompassing access control and obligation language, there was significant interest in exploring the interfaces between different, possibly domain-specific policy languages. Ontologies and common modeling principles could help combine these languages and also help enable automatic translation between different languages. Important contributions in this area could include a standardized language to describe evidence; mechanisms for the discovery of ontologies. More than a third of the participants in the workshop indicated interest in launching a W3C Interest Group to further explore this space.

Other relevant questions in this context concerned unifying frameworks for access control, data handling, and usage control languages; this area of work could help levereage languages developed in the DRM space for privacy protection, and could help to clarify the applicability of access-control languages such as XACML in the privacy space. There was also discussion of developing and expressing pre-defined sets of user preferences, in order to improve the usability of policy-based technologies.

Among the topics identified as necessitating further research, economic aspects of privacy (including business cases, and privacy SLAs) drew most interest; John J Borking and Sören Preibusch were particularly interested in this direction of discussion. Preibusch (on behalf of Deutsches Institut für Wirtschaftsforschung) offered to possibly host a W3C-cosponsored workshop on this space.

Thomas Roessler
$Id: report.html,v 1.20 2006/12/15 15:22:17 roessler Exp $