DRAFT Minutes from WAP-W3C workshop on mobile
Day 2: Friday, 8 December, 2000
NOTE: there were some changes to the agenda. We began with the panel on security
requirements, carried over from yesterday.
and next steps: Feng
Panel: Security requirements
Philippe, standing in for Eric Bergeron, presented a
high-level overview of security and privacy issues [see slides].
defined as information self-determination
is a sub-set of privacy. You can
address all of your security concerns without addressing privacy.”
for selective disclosure
payment (e-cash) is a subset of private credentials
M: information collection?
a website: opt-in is default.
Analogous to having an opt-in button at bottom of a form.
discussion in public policy session)
Danny Dolev, Hebrew University
to enable both privacy and private communications
phone can be used as a digital signature tool
the cell phone infrastructure as identification devices
a standard method to allow access from software to hardware
standard interface to carry transactions across platforms
Jens Berwanger, Arthur Andersen
is the key to mobile business”
businesses lagging behind wireline in terms of security
Mike M says WAP 1.1 *does* allow for 3 levels of security]
NOTE: there were various criticisms of the prepared slides -- they did not
seem to reflect current WAP models. As Jens was stepping in for Daniela
Elsner, he could not respond to these criticisms.
Mark V: WAP gateway only translates between 2
protocols. In principle no difference
from, say, SSL today:
end-to-end relation does not exist in wireline environment either
gateway can (should) be within secured enterprise environment
M: we have the tools already (islands), what we’re missing is the overall
W: as appealing as overall architectures are -- the security world is
filled with grandiose architectural plans -- playing devil’s advocate, I
would say the web has provided a level of security without an overall
plan. I agree with your
assessment that we have all the pieces, but not sure about need for a big
M: my response -- grand plans have been top-down, but we should invert
it, build bottom-up. Provide
hooks into the small things, and build up.
Bevis: we’ve been hedging around how to create trust. It’s ability for enforcement that
gives one trust. It needs to be
the case that privacy statements are enforceable.
W: one of the things that we’ve found in W3C is, we’ve been driven more
and more towards guidelines and best practices -- these are not standards
per se, but they do represent the consensus of a community of developers
I agree with Mike, there are many pieces existing. My question is where and how can we
make this work -- what organization(s) will do this?
D: I agree with Philippe, but want to add that it is a question of at
what level [of OSI layers] that are involved.
Panel: Public Policy
Lukas Gundermann, Independent
Centre for Privacy Protection, Schleswig-Holstein
Lukas gave an overview of data protection laws in Europe,
and key public policy considerations for mobile privacy [see slides].
basic notions privacy/data protection in Europe:
self-determination -- applies only to natural persons, so does not apply
protection = protection of people against unauthorized use of personal
security = ways of achieving data protection
data as “classic” traffic data in telecommunications
who called whom at what time?
aspects in mobile:
-> can find out cell where mobile phone is
fortunately cells are quite large
data on the Internet brings additional privacy dangers
mobile web brings these all together:
more precise location information possible (e.g., as allowed by E911
user’s movement is part of the service, and this can include creating a
services offered by third parties => hence, more (potential)
recipients of data
crucial: users have to give their clear and unambiguous consent
must be an informed consent, meaning that users have to be well informed
data will be collected
data will be deleted
of consent: how to arrange that some services receive location data, but
user must have the possibility to withdraw the consent at any time for
the whole service, or for only parts of it
framework is necessary but not sufficient
also have to exist technical means for this kind of consent-management
profiling would also be permitted according to the German law
(Teleservices Data Protection Act) -- does not require explicit user
consent -- but, only if no way to link back to any real person.
law: 1997 directive (97/66/EG) on protection of telecommunication data
covers location data as an example of traffic data
new directive is underway: it has a special provision for location data,
which states that location data can only be processed if made anonymous
or with the user’s consent
in case of emergency calls, location information MUST be transmitted (cf.
E911 in the U.S.)
framework is important -- work underway in Europe for mobile web
important is to develop mobile devices that give users control over their
for user to have granular control -- not just yes/no options
means to minimize data flows and allow for anonymous mobile web services
should be developed
you said user has to opt-in -- does that apply to aggregation of data too
(e.g., that collected by network operator)?
what is user experience going to be, with these requirements? What features would you like to see (in
UI, for example)?
[clarifying] For example, what would be adequate notice?
about this: could be many forms of notice, but it must be clear to the
the mechanism for retracting consent, does it have to be in the phone?
not necessarily, but it would be good
Le M: for me, it’s a UI question.
The mobile phone is being envisioned to do more than it was
ever envisioned. We might have a
button [on the handset] that says private, or open.
the ultimate goal is to have this in the handset
Le M: but do you mean option in the handset, or the handset
the only way I see this working is if it’s in trusted entity
somewhere. Too complex to have
all controls in handset -- remember that your phone may be shared by
family, have multiple preferences
important distinction here: there’s the functional appearance to the user,
and then how this functionality is implemented
I think UI is critical
M: I don’t think the UI problem is that big. Think back to web surfing with lynx many years ago. UIs will get better over time -- we
don’t have to specify everything in the UI.
Le M: I want to take an in-between position: yes, the technology’s
getting better, but no, we’re not where we need to be yet.
also, you don’t want to do everything on your mobile. There will be times when I want to use
a wireline device (computer), because of the display, etc. [Don’t have to make phone do
but, there will be many cases where all you have is a mobile phone.
a lot of data has to be archived for network management. So, my question is: anonymity under
as long as there’s the possibility of linkage to a real identity, then
data is not anonymous.
M: how far does the law reach?
Suppose I set up my server in a not-nice place -- they put out my
data, I can’t get it back.
that’s why there was a proposal by data commissioners to @@??@@
W: The Yahoo! case in France is interesting, for this reason.
Henry Ryan, IPSE
IPSE = Initiative for Privacy Standardization in Europe
started by CEN/ISSS (March 2000 -- Open Seminar “Standardization: A
business tool for data privacy”)
Nick Mansfield (ICX); deputy chair: John Borking (Registratiekamer); other
members include businesses, ETSI, etc.
project team: Stephanie Perrin, chair; Henry Ryan; [etc] -- consumer
expert, TBA [should now be filled]
issues (resistance to including it in ISO 9000, though)
others@@ First draft report: 12/2000; open workshop: 3/2001; public
L: is this part of EU?
Yes and no -- CEN funded by EU, but standards organizations do not
develop standards, are just the framework for initiating work
Kremer (Ericsson): wouldn’t ISO certification be something companies would
want, to show consumers that they are taking privacy seriously?
you’re making the argument that some on the project team made. Yes, but we have to see whether
previous standards (e.g., ISO 9000) really helped companies, or if they
just imposed hurdles on business.
WIPO has said individuals have intellectual property rights over personal
data -- why aren’t they here at this workshop?
my personal view is, I think copyright is a terrible way to protect
privacy. I don’t think property
rights is the way to go, and so I guess that explains why WIPO isn’t
Panel: Technology integration
gateway/proxy: anonymization is enabled, but complete profile of user
activities is available (i.e., user ID, CPI, user location)
serious privacy problems
harmonization of privacy laws has been difficult
CC/PP and P3P:
request with minimal profile information
should be able to define P3P preferences for whole CPI (profile
information) or for CPI components or attributes
preferences for CPI: computer, preferences, location
for P3P enhancements:
alone does not fulfill several EU-Directive requirements: legitimacy;
adequacy; right of access; adequate protection for transborder data flow
on formal task-based privacy model, which (with third-party assurance)
could protect P3P data at the server site
L: if I roam, do I use same WAP gateway?
why would you want to use the same gateway?
M: I would turn around -- why would you want to use multiple web servers?
about WAP gateways and how content is served up in Europe versus in the
U.S. -- this was off-scope]
protection at WAP gateway site is possible, e.g., using anonymizing
proxies or mix net concepts (such as that used in Zero-Knowledge’s
what is the purpose of anonymity -- to protect the subscriber, or make
user completely unknown to origin server?
Seems like that making user unknown would be
from the user’s standpoint, the optimal situation would be to allow for
anonymity whenever user wants to be anonymous
M: even having a pseudonym does not protect me from spam
true, but this is not quite the same as privacy. Spam is intrusion, yes, but it’s not
the core of data protection.
Protecting against identity theft is more like a core privacy
concern. Question is how user
can keep control over his/her identity.
L: also, you can walk away from a pseudonym [if it gets spammed], but
you can’t just walk away from your real life identity
Scott Alperin, DoubleClick
[no slides, but see Fiona’s @@paper@@]
Scott, stepping in for Fiona Walsh (who was ill), presented
the Internet ad companies’ perspectives.
for ad companies to have a solid position on privacy: “users really just
have the right to know what we’re doing”
users have more control in online world?
For instance, following the DoubleClick-Abacus merger, you can now
opt-out of Abacus databases, which previously had tracked you offline
companies need to be able to track:
-- number of unique users who saw ad (“reach is everything”)
-- how many times has user [= target] seen this ad?
-- did user buy/do something because of this ad?
advertising is needed to pay for content
large advertisers, precise location not that important. More general location information --
such as what country, state, or city you’re in -- is sufficient, and these
can be obtained without locational services
common website now exists for opting out of all advertising services
(DoubleClick, Engage, Avenue A, etc.)
are still misunderstandings about cookies among the public
I just want to clarify the question about whether you can do profiles on
pseudonyms -- it depends on what the purpose is for. But the point I want to make is that
German law would not allow a DoubleClick to do such profiling --
DoubleClick would be a third-party to the data in this case, and this is
Eric Brunner, Engage
Eric presented his take on the results of the workshop:
Suggested action items from Eric:
side (WAP and W3C) provide the other with access to specs
deploy P3P on their content sites
to have policy reference files, etc., on their hardwire sites
- P3P WG
needs to prototype a mobile/WAP extension and implement it
browsers need to try to implement “P3P core” -- i.e., policy reference
files, etc. @@see requirements of CR draft@@
community should do an IPv6 draft
Other observations from Eric:
that we don’t have a shared, common taxonomy
that we don’t have a consistent idea of architecture
need use cases
to come up with (or reference) fair location information practices
- Do we
need a query mechanism?
wouldn’t I need scenarios first, to know what’s needed for an extension of
P3P? Seems like prototyping an
extension is premature.
M: are you saying that P3P 1.0 is the only option?
that’s why we’re here. If you
don’t want to use P3P,
you should opt out by walking through that door
- Patrick: I’m going to overrule
that comment. P3P is, we hope, a
good starting point, but we don’t mean to suggest it is the whole or only
between Eric and me on necessity of P3P@@]
M: P3P 1.0 will not work for mobile -- should not assume a priori
that this is what will work in mobile environment
W: could someone explain the difference between bandwidth and roundtrips
V: bandwidth is throughput; roundtrips are what really slow down mobile.
Le M: latency depends on type of mobile device, e.g., GSM is not as bad
L: I want to question the need for a query mechanism (i.e., a way to
negotiate between site’s policies and user preferences). It might be a nice feature, but I don’t
really see use scenarios.
Le M: a use case would be: a vendor can get you a dinner and a movie
package versus just a movie, if you are willing to give out some data
that you normally would not.
L: I don’t see that as negotiation.
They offer me something, and if I accept it, fine.
another use case would be a friend-finder -- do you want friends to be
able to locate you by your mobile?
L: I don’t see how this is different from today. Maybe we don’t have the same
definition of negotiation -- what I mean is automated negotiation
[between server and client]
Le M: I still think a requirement is to have audit/record of
“negotiations” that take place, when these go beyond user’s preferences
[Note: there was considerable disagreement/misunderstanding
about what “negotiation” means. For
Marc L, it is automated negotiation that takes place in background, between
client (UA) and server (website). For
Marc Le M, it is whenever a service prompts user for data that normally would
not be given out, based on that user’s preferences.]
Note: the Friday afternoon session was more of a discussion
than a presentation. Patrick’s slides
changed over the course of the afternoon, to reflect comments from workshop
Common themes and next steps,
Patrick Feng (RPI)
Patrick summarized some common themes that had emerged
during the course of the workshop [see slides]:
control is underlying goal for all of us
have high expectations for trust in mobile environment
- P3P is
an important starting point, but does not address all problems
between “walled garden” and web model?
as a business opportunity, not just legal obligation
- Need to
expand dialogue with legal and public policy communities
for further collaboration between WAP and W3C
Let’s talk about first two slides and see what we need to add, and what we
need to take away. Does this seem
like it reflects our consensus?
V: We need to address roaming
Le M: Need common experience across mobile and wired environments
Solutions should also work in isolation, i.e., if user only has a single
experience (only uses mobile phone)
Le M: So roaming also includes different devices, not only different nets
Different business models
What is meant by “walled garden” tension?
My impression is that there exists a set of complicated @@issues@@. Users on the one hand have the
expectation that wireless device is trusted gateway to trusted
environment, but at the same time wireless network operator can not
always guarantee that trust.
Because of business models, there are various approaches to @@providing
mobile service@@. We need to
recognize that while we are in competition, we must also cooperate. We would fail if we didn’t
partner. We need to have those
“walled garden” fans work together with those who want an “open
Along the lines of Marc, might say that there are multiple devices,
multiple access models for mobile web
Le M: Yes, there are different value models -- sometimes carrier adds
value, sometimes carrier is just a pipe.
I’m not sure if I agree with Bryan [about partnering across
companies] -- we don’t know who our partners are, who our competitors
People talk about “walled gardens”, but I haven’t seen anybody having
Maybe the way to say this is like Marc and Bryan have done -- that there
will be a variety of models out there, and we have to deal with this.
Security and privacy
D: We need to distinguish between privacy and security preferences. And that there will be exceptions to
users’ preferences. If you are
able to allow in my preferences that I’m willing to accept exceptions,
then you can have business models.
We should conceptually agree that there are security and privacy
preferences, and that there are exceptions that I will have in my
W: So you want flexible privacy relationships?
D: Yes, but under user control!
We not only need to talk about user experiences, but also merchant
Can we phrase this as “question on UI issues”?
Yes, we need to identify issues, come up with designs, and see how this
fits into a regulatory environment.
Le M: I agree this is an important item.
I just want to point out the limitations in the W3C process of being able to
standardize or restrict the UI -- there’s generally no process for this.
Le M: We could do the same as what Phone.com did with style guides -- if
they wouldn’t have done that we would have no guidelines [in our
How about “guidelines”? We
already have this concept in the WAP Forum.
OK, guidelines is good
Seems to me they are separate things, UI guidelines and user experience…
Le M: Yes, we also need to talk about experience!
OK, so a consistent experience across devices, operators, etc. is
P3P as starting point
We need to expand on P3P as a starting point -- what is missing, what are
P3P is part of the solution, but entire solution needs to be defined
About P3P as starting point -- I’m not sure what alternatives exist for a
policy publishing announcement vehicle.
But there is more to privacy than P3P…
But it is the only announcement vehicle available, so if it’s just a
starting point, I need alternatives.
No, we might agree that P3P is a good announcement vehicle, but there’s
more to privacy than announcement.
yes, certainly, as we recognize for wireline too
I would have a problem with the idea of optimizing P3P for wireless
environment. There are definite issues that P3P left out -- and rightly
so -- and we have to address them. For example, enforcement of policies.
But P3P is only an announcement tool.
Right, but we need this [enforcement of policies] for a complete privacy
So we need regulatory support.
Look at our bullet “expand dialogue with legal and public policy
communities.” We might want to
get more “feedback” from them about our proposed requirements.
Patrick proposed possible next steps for WAP-W3C [see
vocabulary extension for mobile Web environment:
Where to do the work?
Discussion: additional vocabulary?
This seems to be asking for additional language for dependencies
Not sure I understand
of day, location, etc. -- then there needs to be a way to represent
“context” in the P3P vocabulary.
If we go back to changing the vocabulary, we would be punching ourselves
in the face. We already have an extension
mechanism in the P3P specification, we should use this.
I think that’s what we meant by the slide.
People should certainly feel free to use the extension mechanism. In addition, we might consider making
extensions to the P3P vocabulary in future versions.
I also want to point out that if we attempt to add to the vocabulary
itself, we put at risk the P3P timeline for both wireline and wireless
We are only talking about extension mechanisms for now.
[More next steps]
for integration of CC/PP, UAProf,
and P3P specifications. (How and
where to do this?)
to identify appropriate groups to work further on privacy issues. Is WAP able to suggest a specific
Danny: Let me give an example: while developing XHTML, we
had WAP people sit in on the W3C oversight group. So, in this instance we created a special liaison group. So, in terms of action items, this group
could answer “Who should be in charge at W3C of doing this?” -- and the same
was true for WAP. What we’re looking
for is the interface, how WAP and W3C can collaborate.
use cases for mobile privacy and architectural requirements
zone for exchange of docs (Danny takes action item to investigate)
user interface: what are best practices for informing mobile users about
and W3C should identify process for moving ahead with joint work
Discussion: where to do work?
There is an organization that’s not in WAP, but is close to WAP, which is
MET. MET has been looking at
security guidelines for WAP. They
are the handset manufacturers in WAP.
I don’t think this work should be done outside WAP.
Well, WAP has a strict policy of not doing UI, so MET might be your best
MET is nice place, but it is quite (industry?) oriented. Maybe user
interface question might be handled by MET, but they certainly shouldn’t
deal with more than that. There
should be a separate “requirements” group that enumerates what [those
requirements are], and then have this resolved top down rather than
Let me be very candid: the question is, whose responsibility is it to
sketch larger privacy requirements?
W3C does not have an overall privacy architecture. I hear some interest from WAP for doing
this, at least for the WAP sphere of interest. But I don’t want to create the expectations that W3C would
go ahead and do this. WAP might
have a larger interest in this than W3C -- I don’t want people to think
that there is symmetrical interest in this.
I agree, and that’s why we need to have groups like WAP and [others who
represent industry] figure out where we are going to do such kind of
Maybe privacy can be the first item that could be solved by a joint group
between WAP and W3C?
The WAP forum also has procedures on how to tackle larger scale
requirements. This is what
happened 8 months ago with the location drafting committee: we looked
around for who’s responsible and created the location drafting committee. Maybe, along the same lines, we would
come to the conclusion this time that it might not be sufficient to have
a WAP-only group tackle this issue.
P3P vocabulary extension?
Is there someone who wants to work on the vocabulary extension for P3P?
V: This MUST be done before we start this.
Maybe I heard that the exact way of doing this might be disputed, but it
is clear that we need to have such an extension to talk about these
In WAP, there are many people who have thought about how location affects
their business model. Do you
imagine working through your cases and creating a list of requirements
that you pass on to the P3P group, or do you see yourselves using the P3P
extension mechanism and doing it yourself?
I’d rather work out from the use-cases, and then find requirements from
We are meeting with some WAP Forum people [during the WAP Forum meeting]
and can bring this up, to talk about finding a place in WAP that would be
responsible for defining these.
There are already use cases, for example in the location drafting group.
And we do have liaisons already [between WAP and W3C], so there is
nothing to stop us doing something like this again [i.e., hold a
workshop] for privacy.
Right, so we’ve brought our two groups together in this workshop, that was
our first action item [from the WAP-W3C coordination group]. Now, what is our second action item?
To find a group in WAP to be responsible for privacy.
about what would be appropriate group in WAP@@]
The question is, when do you want to come back together, and what do you
promise to come back with?
there is a Specification Requirements Committee (SPECCOM, or SRC) -- they
can identify what to do next if an issue comes up.
Right, my proposal would be to take this to SRC. I will initiate this and then they
would come back with some form of liaison statement.
I agree, they are the right people to take this to.
To whom should they report back?
To the WAP-W3C coordination group.
Who is in the W3C portion of that coordination group?
The chair (Jean-François Abramatic), all 4 domain leaders, and Johan
I’m concerned about lack of dates for these action items. We [W3C] will
circulate minutes, and present a report by the end of January. What is the timeline for other action
There seems to be consensus that P3P does not solve all privacy issues for
mobile environment. Is anything
planned in terms of future work on P3P?
No, nothing planned.
We [WAP] are afraid to take P3P and add things to it, and then be accused
of adding things that are incompatible with other specifications.
P3P invites addition -- that’s why there’s an extension mechanism -- so
there’s no problem from our side.
Any concerns from your side that we might run with your additions
later and use them in ways you don’t like?
No, our main concern is not to do work twice. So, we might come back with our work and show you “here’s
what was missing,” and in this way add some form of a WAP-stamp to the
rest of the work.
Well, you could just go ahead and make your own additions, and then we
would look at them. It’s a
dialogue. WAP has some requirements,
and we touched on them today.
These could be sorted out purely in a WAP context, or they could
be sorted out in a broader web context.
What I am pushing for here is timelines, because it would help us
in P3P planning process.
What’s the timeline for P3P after 1.0?
There’s no committed timeline after 1.0 yet. It would be nice, since we’ve identified action items on
both of our sides, to get timelines on when we could solve these items.
Since we hadn’t really discussed these in WAP, we need to be fair to
WAP members and allow them to discuss things.
I agree. I just want some
deliverables that we can measure.
If WAP comes back in several weeks with a timeline, then I’m happy.
So Stefan, is this a possible scenario?
I can bring this up at the next meeting, and in maybe 2 months or so they
might be able to produce a document with some market requirements.
I just want to get a date for when to check back with each other.
V(?): What I’m hearing here, no one from WAP is willing to take the lead
here. So Stefan, if you are able to get back to Danny here in 2 weeks or
so, and let him know where the SRC stands…
Yes, I don’t want to create pressure here, I just don’t want to say “we
had a nice talk, thanks” and leave it at that.
In all fairness, we need some time to socialize, to put things on the
calendar. So maybe by next Friday, we could give you a date at which to
What I’d like is not a date, but a reason to get back together. I’d like to be clear on who is
committing to what. We need a
collective feedback from WAP on where we go from here -- what parts are
separate, and what parts do we do together? I’d like this to be the question on which we hear back from
WAP. And I’d like a date for when
I would need to pay attention to this again. <grin>
So Stefan will get the ball rolling -- try to get a response from WAP
SRC. He, or someone else in WAP,
could be the informal liaison to us in the meantime.
What I’d like to know is something along the lines of “In x number of
weeks we’ll get back to you.”
The earliest time would be the WAP February 2001 meeting, when we next
That’s great, that’s enough for now.
We will supply minutes and documents of this meeting. Thanks everybody!
[Meeting ends at 15:20]