Position Paper Submitted to the Joint Workshop on Mobile Web Privacy,
WAP Forum & World Wide Web Consortium,
7-8 December 2000

Privacy is the right of individuals to determine for themselves when, how, and to what extent information about them is communicated to others. This issue becomes more and more important to web sites as public awareness increases. Web sites that sell users' addresses, telephone numbers or buying preferences to others often irritate those users. Supporting the privacy of consumer data is especially important for portals, as they have to collect user data to provide personalization and targeted advertisements.

Companies that run web sites gathering user data need to define a privacy policy, publish it, adhere to it, notify consumers of any changes, and obtain their approval of those changes.

Many web sites already have defined privacy policies and published them. Users can review these privacy policies and decide whether or not they want to provide data to a web site under its particular policy. As of today, this is mostly a manual process, where the consumer must read through a document that describes a web site’s privacy policy in natural language. The Platform for Privacy Preferences (P3P, see [1], [2]) will enable partial automation of the decision whether a privacy policy is acceptable to a user or not.

"The Platform for Privacy Preferences Project (P3P) enables web sites to express their privacy practices in a standardized format that can be retrieved and interpreted automatically by user agents. P3P user agents will be able to inform users of site practices and to automate decision-making based on these practices and the user's privacy preferences. Thus, users will no longer need to read the entire privacy policies of web sites they visit. Instead, the user agent will be able to match site privacy practices and user privacy preferences and to notify the user if there is a mismatch, presenting the relevant part of the web site's privacy practices. Only if a mismatch occurs, the user will need to read the part of the web site's privacy practice that conflicts with his preferences and have to decide whether he wants to opt in or opt out." (From http://www.w3.org/TR/P3P/)

"The P3P1.0 specification defines the syntax and semantics of P3P privacy policies, and the mechanisms for associating policies with Web resources. P3P policies consist of statements made using the P3P vocabulary for expressing privacy practices. P3P policies also reference elements of the P3P base data schema -- a standard set of data elements that all P3P user agents should be aware of. The P3P specification includes a mechanism for defining new data elements and data sets, and a simple mechanism that allows for extensions to the P3P vocabulary." (From http://www.w3.org/TR/P3P/)

"The goal of P3P version 1.0 is twofold. First, it allows Web sites to present their data-collection practices in a standardized, machine-readable, easy-to-locate manner. Second, it enables Web users to understand what data will be collected by sites they visit, how that data will be used, and what data/uses they may "opt-out" of or "opt-in" to." (From http://www.w3.org/TR/P3P/)

IBM supports P3P by contributing to the specification and to conformant implementations. IBM supports its customers in applying privacy protection by offering consulting and tools.

Special Considerations with Mobile Computing

With current web access through HTML browsers, the only information transferred from the user to the web site or service is the data the user entered plus a few items describing the user's computing environment (browser name and version, operating system name and version, IP address, etc.).

In addition to the fine-grained control over what information the user chooses to reveal on which page, the user can set up the browser in a mode that informs them about any data transfer flowing back to the server. This way the user can make sure that no data is passed back without consent.

With location information, two new qualities arise:

  1. The position information is automatically generated without the user typing it.
  2. On the physical level at least, the position information is unconditionally passed back in many cases, for example by all cell phone systems.

In addition to the location information, another new type of information arises as an issue with wireless connections: the number that called in is available at the carrier. Forwarding this as a caller identification on one hand offers the possibility of using it as an additional piece of authentication. On the other hand, if the caller identification were forwarded unconditionally to every application, the user's anonymity would be lost without the user consciously revealing their own identity. This would be a grave concern.

This might create additional concerns for users, because they cannot enforce or technically control the system in a way that guarantees no information is passed back. And for reasons of law enforcement, for example, together with special authorization, this information might rightfully be used independently of any user preferences.

Nevertheless, for everyday commercial use the user will likely expect a configuration choice that

  1. allows turning off completely all location information passed to any application, and
  2. in addition, allows a granular choice of granting location information to certain applications.

The complete suppression of location information should be easy and user-friendly to change. In the default setting, as with delivery of a new device, it should be "turned on". Technically, if "turned off", the location information ideally should not even be forwarded by the wireless carrier. This might often not be feasible. In any case, the first gateway from the device should heed the "off" setting and not pass any position information further upstream. This type of overall on/off switch is currently found with GSM phones, for example, where such a configuration setting instructs the carrier to either forward or suppress the caller identification.

The fine-grained selection of which applications are allowed to access location and caller identification information can be done in several ways:

The simplest way of fine-grained selection is to prompt the user, on the first request for location information from an application, whether location information should be passed on ("The site www.com requests information about your current position. Do you agree that your position may be revealed to this application? [Yes/No]"). On subsequent requests from the same application within the same session, the prompt is bypassed.

Question: Is it possible to find a filter or pattern-matching rule that treats requests as coming from the "same application" when their URLs share the same high-level part? Is it possible to use the term "application" for something that can be determined and compared automatically, or should we use the term "destination" instead?

A better way of selection offers the following choices to the user:

  1. provide location info to this destination for just this invocation,
  2. provide location info to this destination for the duration of this session,
  3. do NOT provide location information to this destination for this invocation,
  4. do NOT provide location information to this destination for the duration of this session.
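The global on/off switch and the four session-scoped choices above can be implemented as a small consent gateway on the device. The following Python is an added example, not code from the position paper or from IBM; it takes the "destination" to be the scheme and host of the requesting URL (an assumption, since the paper leaves open how the "same application" is identified), and the coordinates, URLs and scripted user answers are constructed for the demonstration.

```python
"""Constructed example: a location-consent gateway for a mobile device.

It implements the configuration choices described above:
  * a global switch that suppresses all location information ("turned on"
    by default, as recommended for a newly delivered device);
  * per-destination decisions scoped to one invocation or to the session.
"Destination" is taken to be the scheme and host of the requesting URL; the
paper leaves open how to identify the "same application", so this is an
assumption of the example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit

Position = Tuple[float, float]  # latitude, longitude in degrees


class Choice(Enum):
    ALLOW_ONCE = "provide location for just this invocation"
    ALLOW_SESSION = "provide location for the duration of this session"
    DENY_ONCE = "do NOT provide location for this invocation"
    DENY_SESSION = "do NOT provide location for the duration of this session"


def destination_of(url: str) -> str:
    """Reduce a request URL to its destination key: scheme + host [+ port]."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.port:
        host = f"{host}:{parts.port}"
    return f"{parts.scheme.lower()}://{host}"


@dataclass
class LocationGateway:
    # prompt() stands in for the device UI: it receives the destination key
    # and returns one of the four choices.
    prompt: Callable[[str], Choice]
    location_enabled: bool = True          # the global on/off switch
    _session: Dict[str, bool] = field(default_factory=dict)
    audit: List[Tuple[str, ...]] = field(default_factory=list)

    def request_location(self, url: str, position: Position) -> Optional[Position]:
        """Return the position if the user permits it for this request, else None."""
        if not self.location_enabled:
            # Global "off": nothing is passed upstream and the user is not
            # even prompted; the first gateway heeds the setting.
            self.audit.append(("suppressed", url))
            return None
        dest = destination_of(url)
        if dest in self._session:
            allowed = self._session[dest]
            self.audit.append(("session-decision", dest, "allow" if allowed else "deny"))
            return position if allowed else None
        choice = self.prompt(dest)
        if choice in (Choice.ALLOW_SESSION, Choice.DENY_SESSION):
            self._session[dest] = choice is Choice.ALLOW_SESSION
        allowed = choice in (Choice.ALLOW_ONCE, Choice.ALLOW_SESSION)
        self.audit.append(("prompted", dest, choice.name))
        return position if allowed else None

    def end_session(self) -> None:
        """Session-scoped decisions do not survive the session."""
        self._session.clear()


def scripted_prompt(answers: List[Choice]) -> Callable[[str], Choice]:
    """Build a prompt function that replays a fixed list of user answers."""
    queue = list(answers)
    return lambda dest: queue.pop(0)


def demo() -> List[Tuple[str, ...]]:
    """Walk through the cases with constructed sample data; returns the audit log."""
    here: Position = (48.7758, 9.1829)  # constructed sample coordinates
    gw = LocationGateway(prompt=scripted_prompt([Choice.ALLOW_SESSION, Choice.DENY_ONCE]))
    gw.request_location("http://maps.example/find?near=me", here)  # prompt: allow for session
    gw.request_location("HTTP://MAPS.EXAMPLE/route", here)         # same destination: no prompt
    gw.request_location("http://ads.example/banner", here)         # prompt: deny this invocation
    gw.end_session()
    gw.location_enabled = False
    gw.request_location("http://maps.example/find", here)          # global "off": suppressed
    return gw.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The audit list is what a device could show the user afterwards, so that the "no data is passed back without consent" property from the HTML case is preserved for position data: every disclosure is traceable either to an explicit prompt answer or to a session decision the user made earlier.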

The most sophisticated way of fine-grained selection is to apply the mechanism specified in P3P to the location information. P3P already has the ability to talk about location information in a privacy policy. A site can state that it collects a data element that is in the category of "location information". This category was added to P3P to cover exactly this case. What remains to be done is to extend the browsers on mobile devices in the same way as the next versions of the major desktop HTML browsers are being extended. Considering the constrained resources of devices like mobile phones, the addition of this function (for example to a WML browser on a WAP phone) might not meet wide acceptance.
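To make the P3P-based approach concrete, the following Python is an added example, not code from the position paper, IBM or the W3C: it parses a site policy written in the P3P 1.0 vocabulary, picks out the statements whose data elements carry the "location" category, and compares their purposes, recipients and retention with a user's preferences, returning the mismatch reasons a user agent would present. The policy, site name and preferences are constructed; the namespace URI is the one of the P3P 1.0 Recommendation and is an assumption for a 2000-era draft.

```python
"""Constructed example: checking a site's P3P policy against a user's
preferences for the <location/> data category, as a P3P user agent on a
mobile device could do before revealing position data.

The policy below is constructed to illustrate the P3P 1.0 vocabulary
(POLICY, STATEMENT, PURPOSE, RECIPIENT, RETENTION, DATA-GROUP, DATA,
CATEGORIES). The namespace URI is that of the P3P 1.0 Recommendation and
is an assumption here, as are the site name and the user's preferences.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

P3P_NS = {"p": "http://www.w3.org/2002/01/P3Pv1"}  # assumption, see above

SITE_POLICY = """\
<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
 <POLICY name="mobile-portal" discuri="http://portal.example/privacy.html">
  <ACCESS><nonident/></ACCESS>
  <STATEMENT>
   <PURPOSE><current/><tailoring/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><stated-purpose/></RETENTION>
   <DATA-GROUP>
    <DATA ref="#dynamic.miscdata"><CATEGORIES><location/></CATEGORIES></DATA>
   </DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
   <PURPOSE><admin/><develop/></PURPOSE>
   <RECIPIENT><ours/></RECIPIENT>
   <RETENTION><indefinitely/></RETENTION>
   <DATA-GROUP>
    <DATA ref="#dynamic.clickstream"/>
    <DATA ref="#dynamic.http.useragent"/>
   </DATA-GROUP>
  </STATEMENT>
 </POLICY>
</POLICIES>
"""

# Constructed user preferences: location data may be used only to complete
# the current activity and to tailor the response, only by the site itself,
# and must not be kept indefinitely.
USER_PREFS = {
    "purposes": {"current", "tailoring"},
    "recipients": {"ours"},
    "allow_indefinite_retention": False,
}


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def _names(stmt: ET.Element, child: str) -> List[str]:
    """Vocabulary tokens under e.g. <PURPOSE>, as plain element names."""
    node = stmt.find(f"p:{child}", P3P_NS)
    return [] if node is None else [_local(c.tag) for c in node]


def statements_about(policy_xml: str, category: str) -> List[Dict[str, List[str]]]:
    """Return every STATEMENT declaring a DATA element of the given category."""
    root = ET.fromstring(policy_xml)
    found = []
    for stmt in root.iterfind(".//p:STATEMENT", P3P_NS):
        refs = [
            data.get("ref")
            for data in stmt.iterfind("p:DATA-GROUP/p:DATA", P3P_NS)
            if any(_local(c.tag) == category
                   for c in data.iterfind("p:CATEGORIES/*", P3P_NS))
        ]
        if refs:  # only DATA elements with an explicit CATEGORIES block are examined
            found.append({
                "data": refs,
                "purposes": _names(stmt, "PURPOSE"),
                "recipients": _names(stmt, "RECIPIENT"),
                "retention": _names(stmt, "RETENTION"),
            })
    return found


def check_location_policy(policy_xml: str, prefs: dict) -> Tuple[bool, List[str]]:
    """Compare the site's statements about location data with the user's prefs.

    Returns (acceptable, reasons); a non-empty reasons list is the part of the
    policy the user agent would show the user.
    """
    reasons: List[str] = []
    for stmt in statements_about(policy_xml, "location"):
        extra_purposes = set(stmt["purposes"]) - prefs["purposes"]
        if extra_purposes:
            reasons.append(f"location used for {sorted(extra_purposes)}")
        extra_recipients = set(stmt["recipients"]) - prefs["recipients"]
        if extra_recipients:
            reasons.append(f"location shared with {sorted(extra_recipients)}")
        if "indefinitely" in stmt["retention"] and not prefs["allow_indefinite_retention"]:
            reasons.append("location retained indefinitely")
    return not reasons, reasons


if __name__ == "__main__":
    print(check_location_policy(SITE_POLICY, USER_PREFS))
```

Only data elements with an explicit CATEGORIES block are considered; base-schema elements whose category is fixed by the schema would need a lookup table that this example omits. That simplification is what keeps the matcher small enough to be plausible on a constrained device.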

Contact Author

Frank Seliger, Security Architect, Pervasive Computing Division, IBM
Seliger@de.ibm.com

Co-Authors

Tom Covalla, Martin Presler-Marshall, Joseph Rusnak, Thomas Schaeck and Mark Vandenwauver.

References

[1] The Platform for Privacy Preferences 1.0 (P3P1.0) Specification, W3C, 2000. http://www.w3.org/TR/P3P/

[2] General Overview of the P3P Architecture, W3C, 1997. http://www.w3.org/TR/WD-P3P-arch.html