W3C Workshop on Privacy and User–Centric Controls

20–21 November 2014, Berlin, Germany


W3C gratefully acknowledges Deutsche Telekom for hosting this workshop.

Thanks also to the Mozilla Foundation for their support.

W3C also thankfully acknowledges the STREWS project and the Practice project for supporting this workshop.


Important things

Registration is open until 18 November: Please register using the registration form

7 November 2014:
Program and position papers posted on the workshop website

Logistics: The logistics page is now available

20-21 November 2014:

Minutes published.


We are currently facing the transformation of the Web towards more mobile use. These days, more users access the internet using their mobile devices than using conventional computers (notebooks, desktops, etc.). Web-based services are used on mobile devices more often and more intensely. Mobile devices tend to be always on. At the same time, these mobile devices are extremely personal devices: we carry them with us almost constantly, and we use them as personal assistants, trainers, banking terminals, memory-extenders and more. Smartphones know many details about our lives: they know our location and carry a unique number, pictures and other very private information. They have a microphone and a camera.

As a result, privacy is a common concern with mobile devices and the mobile Web. A recent documentary from ARTE in cooperation with the CNIL and INRIA showed how apps acquire, consume and distribute user data. Often, not all the data gathered is really needed for the functioning of the application.

As a result, the user's trust will evolve with the issues on privacy and security in the Open Web Platform. Great potential is wasted because the lack of trust leads to collection restrictions in various forms, be it ad blockers, stickers on cameras, metallic cases, removable batteries or just regulation. Instead, we should give users more tools to allow them to feel confident and in control. On the one hand, rigid restriction will also spoil opportunities including location-based services, predictive agents, statistics for better product planning, the Internet of Things or big data. On the other hand, services have to take the user's fear seriously and communicate their intentions in a comprehensive way. There will be an ever-increasing need to be transparent about what happens to the users' data.

The meeting on trust and permissions for Web applications, held in Paris on 3-4 September 2014, provided insights towards a roadmap for a broad consensus on trust and permission handling for the Open Web Platform. There was agreement that browsers are in a position to examine the APIs used by a given app and apply heuristics to determine signs of attempts to "fingerprint" the device. This could be flagged to the user as well as to potential reviewers. Already in March, the STRINT workshop addressed issues of pervasive monitoring.

User studies have shown that users are more interested in what sites plan to do with the data they collect than in the full space of possibilities arising from the use of APIs. It is unreasonable to expect end users to understand lengthy terms and conditions and privacy policies. While the Paris meeting explored models on how to delegate trust decisions, this Workshop will explore ways to directly help the user understand what is going on. This includes appropriate ways of translating complex issues involving fine-grained permissions in APIs into something that users understand.

Workshop Goals & Topics

The Workshop on User Centric App Controls intends to further the discussion among stakeholders of the mobile web platform, including researchers, developers and service providers. This workshop serves to investigate strategies toward better privacy protection on the Web that are effective and lead to benefits in the near term. This includes discussing basic privacy UI features that will, in the long run, create a user experience that matches user expectations. We expect certain controls and dashboards in a car. Perhaps we can create a similar clarity for the privacy dashboard of our devices.

The Workshop is user-centric as it will also look at user experience, user behavior and how we can offer controls that provide the necessary transparency of privacy-affecting interactions. But it also addresses app developers and the need for usable and implementable APIs for privacy protection within the Open Web Platform that allow developers to address users' privacy needs.

State management
  • Improving the UI for stateful services, overview of states
  • Defaults for expiration of stateful situations
  • How to convey state information to the User
  • How to deal with logging and how to provide interfaces for logged data?
Mobile Interfaces
  • Requirements for private browsing on mobile
  • A privacy ontology for mobile apps and their use of personal data
  • The value of privacy in paradigms for mobile UI
  • Helpers to understand the privacy impact or a privacy policy
  • Machine-assisted lying to counter unfair data requests
  • Selective release of personal information to apps
  • Controlling the geo-location interfaces, including UI challenges
  • Enforcing data expiry
  • What data should remain on the device, what can be stored into the cloud?

Who Should Attend?

  • Researchers with an interest in mobile privacy
  • UI and UX experts interested in privacy interfaces
  • Browser makers
  • App developers
  • Device vendors
  • Network operators
  • Cloud platform vendors with an interest in mobile interfaces to their services
  • Governments and regulatory agencies interested in evolving the regulatory framework for privacy to respond to mobile challenges

Questions? Rigo Wenning <rigo@w3.org>