11:57:19 RRSAgent has joined #pling 11:57:19 logging to http://www.w3.org/2010/09/14-pling-irc 11:57:29 RRSAgent, please set log public 11:57:40 spreibus has joined #pling 11:57:54 Agenda: http://www.w3.org/Policy/pling/wiki/2010-09-14 11:58:06 chair: Renato_Iannella 11:58:33 Chair will be Marco 11:58:36 topic: Encore Presentation by Pete Bramhall 12:00:03 P3P_PLING()8:00AM has now started 12:00:11 + +44.122.333.aaaa 12:00:37 chair: Marco_Cassasa_Mont 12:00:39 +??P2 12:00:41 ? 12:00:48 zakim, code? 12:00:48 the conference code is 75464 (tel:+1.617.761.6200 tel:+33.4.26.46.79.03 tel:+44.203.318.0479), rigo 12:00:55 caribou has joined #pling 12:00:58 Zakim, I am +44.122.333.aaaa 12:00:58 +spreibus; got it 12:01:03 +??P1 12:01:10 + +358.504.87aabb 12:01:11 +Carine 12:01:30 +Rigo 12:02:18 zakim, ??P1 is Hannes 12:02:18 +Hannes; got it 12:02:30 +Ashok_Malhotra 12:02:55 amalhotr has joined #pling 12:02:55 zakim, ??P2 is Marco 12:02:55 +Marco; got it 12:03:16 Rigo on the call yet? 12:03:22 sure 12:03:31 zakim, who is here? 12:03:31 On the phone I see spreibus, Marco, Hannes, +358.504.87aabb, Carine, Rigo, Ashok_Malhotra 12:03:33 On IRC I see amalhotr, caribou, spreibus, RRSAgent, Zakim, rigo, renato 12:04:08 zakim, aabb is really Hannes 12:04:08 +Hannes; got it 12:04:39 zakim, Marco also holds Pete_Bramhall 12:04:39 +Pete_Bramhall; got it 12:07:04 scribenick: rigo 12:07:56 Pete Bramhall presenting Project Encore 12:08:05 http://lists.w3.org/Archives/Public/www-archive/2010Sep/att-0014/EnCoRe_slides_for_PLING_presentation_14-09-2010.pdf 12:09:18 OECD principles, about organizations handing privacy 12:09:50 in EU it is part of human right, a much wider set of thing, remaining in control of who knows what about you 12:10:13 which leads to informational self determination 12:10:26 PB: it is large area, kind of boiling the ocean 12:11:19 ...encore is trying to handle trust and consensus on data handling and privacy preservation 12:11:51 slide 4 a couple of examples. Individuals really care and are concerned 12:12:04 slide5: organizations partly care about privacy 12:12:45 ..risk of not gaining the economic efficiency (privacy roadblock) 12:13:03 ...also a differentiater, better privacy, happier customer 12:13:39 ...but most strive for regulation compliance. Increasing awareness that privacy is a liability, cost of remedies 12:14:26 ..governments have different view: have strange view of things, sometimes doing it wrong but funding htings like Encore 12:14:43 http://www.privacyinternational.org/article.shtml?cmd%5b347%5d=x-347-559597 for the PI ranking 12:15:21 PB: Law and Regulation => Directive 95/46 translated into UK law 12:16:00 ..Information Commissioner, are the regulator, but also making codes of best practices 12:16:20 consent definition 12:16:31 the role of consent is central 12:16:49 The overall vision of this project is to 12:16:50 make giving consent as reliable and 12:16:51 easy as turning on a tap… 12:17:44 ...mostly giving consent implicitly, mean consent to be something very specific, precise and limited goes right to the backend of enterprise services that can deal with it 12:18:08 ...needs to be easy for the enterprise to respect privacy and cost effective 12:18:55 ...make sure that consents that were given will be honored, also revoking should be respect, All has to be reliable and vigurous 12:19:38 ...not solved yet, most of the time giving consent is given before you know what will happen, mostly ok 12:20:05 ...but e.g. in an ehealth scenario that may be tricky, may be want to come back to the decision to allow 12:20:28 ...revokation and change have to be enabled => life cycle management of consent 12:21:14 PB: give enterprises the ability to manage privacy in a convenient and cost effective way 12:21:46 ...meaningful information for individuals, restore confidence 12:22:11 ...Encore project setup reported 12:22:14 ...Partners 12:22:56 slide 16: Overview slide with all flows, very interdisciplinary work. start left bottom 12:23:06 ...doing awareness campaigns 12:23:44 ... policy regulation, best practices, standards, does not mean necessarily new regulation, 12:24:17 ...in order to make all that easy the enablers come into play, fitting those enablers into systems and paradigms 12:24:38 deliverables: 12:24:42 • 12:24:43 • 12:24:45 • 12:24:46 • 12:24:48 Technical architectures and prototypes 12:24:49 Regulatory recommendations 12:24:51 Proposals for compliance and certification 12:24:52 Taxonomy and requirements formalisation 12:25:23 compliance scheme that measures effectiveness of protections and correctness 12:26:41 Encore has done case study on first three challenges, not on the techno challenges yet 12:27:00 there is no legal right to privacy in UK unless you are a celebrity 12:27:22 consent has to be provided to be able to legally process data, but handy exceptions 12:27:41 limited right to revoke consent, Commissioners finds it ambiguous 12:27:52 +??P6 12:27:54 there isn't any effective legal codification 12:28:05 no ownership of data 12:28:44 zakim, ??P6 is David_Chadwick 12:28:44 +David_Chadwick; got it 12:29:38 HT: ownership of data, there is no concept of ownership of data in other countries, still under debate within privacy scholars, difficult to claim ownership on data 12:29:56 ...typically data relevant to privacy is not only generated by you 12:30:14 PB: what the issue is not the data, but the association of data. 12:31:15 DC: University degree can removed years after, so University can revoke 12:31:48 PB: external stakeholders are businesses and individuals 12:31:54 business challenges: 12:32:03 some buy in, some don't 12:32:26 quote: 12:32:26 “I know when I did my training one of the 12:32:28 things I was told was that processing under 12:32:30 consent is what the desperate resort to” 12:32:40 user challenges: 12:33:04 (usability, understandability) 12:33:12 technology challenges: 12:33:31 obligations, e.g. notifications, how to make them personalized 12:33:46 how to make them respected in very large orgs 12:34:28 various degrees of riguor applied adapted to the situation 12:35:26 ...cloud computing: in many jurisdictions notion of data controller that makes sure that data processors are complying with the requirements of data protection 12:35:35 is this done in real world? Somewhat 12:35:55 how to keep track of all copies 12:36:37 policy matching and individuals preferences into a single system, how to bring this into machine language, make it executable 12:37:04 how to enforce, to prevent that it can be broken, there is some major crypto needed 12:37:36 linking reputation to the initial consent, how can you revoke back all along the chain 12:38:16 Encore based on three case studies, have nearly finished first one Enhanced employee data sharing 12:38:44 biobanks less actors, better organized, long jeopardy issues at hand 12:39:10 oh zakim, reparse :) 12:39:29 assisted living, share some data not other data 12:39:43 rich area, terms of engagement with external partners 12:39:48 current status: 12:40:06 Case Study 1 complete 12:40:14 ongoing: 12:40:25 Taxonomy and Formalisation work 12:40:35 Compliance process 12:41:04 Technical Architecture D2.1 12:41:18 picture with lots of arrows and pipes 12:41:52 already simplified 12:42:23 going for another 18 month 12:42:40 more information on 12:42:51 http://www.twitter.com/encore_project 12:42:52 thanks, Pete, very interesting presentation 12:43:05 http://www.encore-project.info/newsletters/newsletter01/EnCoReJuly2010.htm 12:44:46 SP: working on similar projects: technical insights, what language using 12:45:09 PB: looking into extending XACML framework, incorporate a number of extension 12:45:49 ...whatever the outcome is, to be useful, we need agreement what we want to solve, and what is the best way 12:45:57 we hope to contribute to that discussion 12:46:06 q? 12:46:11 ack sp 12:47:50 DC: nobody owns personal: but there are artefacts in real world, and those are owned by institutions, University, driving license 12:48:03 ...some aspects of PII that have an owner issue 12:48:28 PB: legal problem is larger than that, 12:48:47 ...good example is IP personal data? 12:49:18 some people think it is others think it is not, IP addresses should be randomly generated and assigned 12:49:22 to complement my earlier question: I'm currently investigating the ability to enforce data protection with information flow control -- very deeply down on the rechnical side 12:49:42 some thoughts into how technical approaches into enforcing consent needs combining with empirical evidence what users actually want to see enforced: http://www.cl.cam.ac.uk/research/dtg/privacy-calculus/ 12:49:47 other end of the spectrum is that IP is unique identifier 12:50:00 PB: is an ocean boiling problem 12:50:02 q+ 12:50:19 ...ownership rather on a right to use data 12:50:41 DC: types of data and ontology to classify them 12:50:51 PB: may be a way forward 12:51:11 imho, taxonomies are a good idea, but not close enough to the data handling processes to have some real impact 12:51:15 ...if you try to produce categories it will be out of date before you can publish 12:51:20 + +1.207.756.aacc 12:51:59 zakim, aacc is Eric Brunner_Williams 12:51:59 I don't understand 'aacc is Eric Brunner_Williams', rigo 12:52:16 zakim, aacc is Eric_Brunner_Williams 12:52:16 +Eric_Brunner_Williams; got it 12:53:34 are IP addresses personal data? even the P3P spec did acknowledge they are 12:53:53 that was more than three years ago 12:54:27 at the W3C Privacy Workshop in Summer at Vodafone, the privacy implications of IPv6 were mentioned 12:54:35 david has joined #pling 12:54:38 RW: Ontology may have a core 12:54:44 q? 12:55:02 ack ri 12:55:34 SP: ontologies and taxonomies and academic stuff is far too high level to have imipact in reality 12:55:48 for the decision of data is processed or not 12:56:26 ...must be drilled down deeply into the technical level, control of information flow, but this may be too complex, it has to fit business 12:56:58 ...good to have enforcement, but have to think about what people want to have enforced 12:57:25 health data vs other data, security of data 12:57:31 ack david 12:58:32 DC: slide 28 using XACML for enforcement, but all goes into a single decision point. How is all merged, how are all systems are using the same language, user using the same language 12:58:42 I second that -- combining policies is a very tricky thing. And I have the feeling there are many instances we need merging of policies 13:00:01 PB: on merging: Suggest download the document and discuss deeply, How assume all systems use the same language. Are more interested in process compatibilities than in the overlap of technology itself 13:00:27 only going to work if trust is sufficiently transitive is going through the system 13:00:45 ...would be ideal to have vigurous enforcement, but this is holy gral 13:00:55 -Ashok_Malhotra 13:00:59 ...business process, certification research 13:01:23 ...how outcome has been reached rather than how to achieve the outcome 13:02:00 is not as ambitious, trying to produce something that is reasonably usable in a reasonable amount of time 13:02:10 -Eric_Brunner_Williams 13:03:01 q? 13:03:08 have explored definition of Encore compliant systems. All other system dealing with PII should also be encore compliant, not necesarily absolutely equal 13:04:33 DC: TAS3 also interested in measuring compliance, have to cooperate 13:05:05 SP: we can't achieve everything at a time, What is your feeling, how fast can we see something in the wild 13:05:59 PB: the best is a feeling: If we can ?? they and their customers will get the benefit in a year or so, the patients and also the clinical researchers that are using the system 13:06:43 the secondary it is rather in the assisted living area, in UK major transition in health care sector. Moving more into independent care service providers 13:07:03 lead to a complex informatics environment, coming 3 categories 13:07:57 local authorities, team looking more generally into informatics models. standards procurement templates, These kind of things iwll find their way into procurement specifications 13:08:30 ...more widely, businesses that want an encore logo, will take a while 13:08:37 SP: on the web? 13:08:42 Although we cannot do everything at once, TAS3 plans to have open source code that will enforce multiple policies in different languages and resolve conflicts between them 13:09:27 PB: industrial companies, the first of those have large consultancies that will use the knwoledge 13:09:41 ...could well be that it is taken up this way 13:09:43 ack sp 13:13:27 I suggest to hear the SWIFTS project next 13:14:43 URL for SWIFTS? 13:14:50 bye 13:14:53 -Rigo 13:14:54 -Marco 13:14:54 -David_Chadwick 13:14:55 -spreibus 13:14:55 -Hannes 13:14:57 -Carine 13:14:57 P3P_PLING()8:00AM has ended 13:14:59 Attendees were +44.122.333.aaaa, spreibus, +358.504.87aabb, Carine, Rigo, Hannes, Ashok_Malhotra, Marco, Pete_Bramhall, David_Chadwick, +1.207.756.aacc, Eric_Brunner_Williams 13:15:08 renato, will provide on hte mailing list 13:15:17 ok 13:15:22 spreibus has left #pling 13:15:24 rrsagent, please draft minutes 13:15:24 I have made the request to generate http://www.w3.org/2010/09/14-pling-minutes.html rigo 13:19:56 caribou has left #pling 13:26:39 zakim, bye 13:26:39 Zakim has left #pling 13:26:46 RRSAgent, bye 13:26:46 I see no action items