and

Report from WAP-W3C Joint Workshop on Mobile Web Privacy
7-8 December 2000, Munich, Germany

Contents:

1. Overview and Summary
   • Main points from workshop
   • Scope of report
2. Key Privacy Issues
   • User empowerment and user control
   • Business needs and concerns
   • Fair information practices
3. P3P and Other Tools
   • Overview of P3P
   • Interest in P3P from WAP
   • Other tools
4. Special Concerns in the Wireless Environment
   • Location
   • State
   • Device capabilities/profiles
   • Wireless business models
5. Next Steps
   • Common themes
   • Upcoming challenges
   • Follow-up items

1.  Overview and Summary

This report summarizes the main points of discussion from the Joint Workshop on Mobile Web Privacy, held 7-8 December 2000 in Munich, Germany.  The workshop was jointly hosted by the Wireless Application Protocol (WAP) Forum and the World Wide Web Consortium (W3C).  The goal of the workshop was to bring together members of the mobile and web communities to discuss how privacy could be better protected, especially as mobile web services begin to proliferate.

For an overview of the workshop, including a list of participants, please see the workshop homepage.  See also the workshop minutes, which include links to the presentations made in Munich.

Main points from workshop

The following points were considered crucial by most or all workshop participants:

General Observations:

1. Users must be in control of their personal information.
   • users are increasingly demanding privacy as an essential element of web interactions
   • privacy is consistently cited as one of the key issues that needs to be addressed before e-commerce (and m-commerce) can take off
   • governments and regulators are increasingly concerned about privacy, and privacy legislation has been enacted in most Western nations
   • given this, user control and user empowerment are essential; the granularity of control users have is a crucial issue
2. There is a need for privacy tools and privacy architectures.
   • tools could include agents that help read/write privacy policies, as well as control/block the flow of personal information
   • underlying information architectures need to be designed so that they (1) allow for user control over specific fields/types of personal information; (2) prevent leakage of information, as data gets passed user to gateways, proxies, and intermediate servers
   • while there was a great deal of interest at the workshop in privacy tools and architectures, companies have yet to develop these -- rather, they remain to be built
3. There is a desire for a consistent user experience across wireline and wireless environments.
   • consistency of user's experiences, based on his or her privacy preferences, is an important aspect of the equation
4. Privacy should not be seen as just a legal requirement. Rather, it is a business opportunity (some might even say a business imperative) that needs to be addressed, if the mobile web and m-commerce are to reach their full potential.
   • Neither laws nor technology alone will solve privacy -- they must work together if privacy is to be protected

1. A high level of trust is expected in the mobile environment.
   • users expect the mobile web to be a space that is "safe" for personal transactions
   • vendors envision mobile devices becoming "trusted agents" for communications and business transactions; this means that privacy protection is a MUST
2. There exist special privacy concerns in the mobile environment.
   • some types of data (e.g., location, state, and device capabilities/profiles) are more sensitive in the mobile environment than in "traditional" wireline models
   • the particular characteristics of mobile devices (e.g., smaller CPU capacity and storage space, lower bandwidth, smaller screen size, etc.) means privacy solutions from the wireline world may not work as well in the mobile environment
3. Different business models entail different privacy protection mechanisms.
   • for example, in a "gateway" model, are network operators (who provide the mobile user with access to the Web) responsible for protecting their customers' privacy?
   • what about intermediaries -- might protection mechanisms be needed at various points (e.g., network operator, proxy servers, websites)?
   • some businesses may be able protect privacy by limiting and/or anonymizing the data they collect; others will have to take steps to ensure personal data is not used for purposes other than for which they were intended
4. Tools such as P3P provide a good starting point for discussing privacy, but will need to be adapted for the mobile environment.
   • question: what's missing in P3P, that needs to be built in so that it can work in the mobile environment?
   • a general note on tools: good user interfaces are critical for informing and empowering users
5. There needs to be more coordination between WAP, W3C, and other standards organization.
   • coordination is needed so that underlying mobile web architecture is privacy-friendly and compatible with numerous privacy protection mechanisms
   • who will build this architecture? Should a joint WAP-W3C activity be formed for mobile web privacy?

The remainder of this report goes into further detail on the above points.

Scope of report

This report is directed primarily at the technical community, e.g., members of WAP, W3C, IETF, and other standards groups and organizations.  It seeks to provide a broad overview of relevant technical and policy issues discussed during the mobile privacy workshop.  We hope it will be of use to the public policy community as well.

Privacy is a broad topic that connects with many other issues.  For the purposes of the workshop and this report, however, our focus is on privacy.  This means that a number of issues -- while relevant to privacy discussions -- are out of scope for this report.  These include:

• Security issues -- While data security is obviously related and relevant to privacy protection, this is a huge topic that demands separate discussion.  We note, however, that technology companies have traditionally paid much more attention to security than privacy (sometimes even conflating the two).
• Legal/regulatory requirements -- During the workshop, a cursory overview of general legal/regulatory concerns was given (mainly from U.S. and German viewpoints), but this was not pursued in great detail.  Again, this is a topic that demands separate discussion. As was made clear during the workshop, improved dialogue between technical and policy communities is crucial to advancing the privacy agenda.

 

2.  Key Privacy Issues

Privacy has emerged as one of the key issues in the worlds of electronic commerce and communications.  Privacy stories make the news on an almost daily basis these days.  Surveys and opinion polls consistently show privacy to be one of the biggest concerns of citizens, especially in North America and Europe.

It is within this context that WAP and W3C jointly organized its workshop on mobile web privacy.  Computer users continue to express concerns about their privacy while on the Internet, and mobile device users have particular information that may be privacy sensitive (e.g., location information).  Members of the WAP-W3C coordination group felt it was important for these two organizations to work together to identify what steps should be taken, to assure that the standards underlying mobile Web services have the architectural capacity to address privacy concerns of users.

User empowerment and user control

A key concern of many users is the fear that personal information might used for the wrong purposes or leak out to the wrong people. In general many Internet users suffer from a feeling of loss of control -- in the “information age,” who has control over my personal information? Such fears have prompted many public discussions and led to some changes in business practices.  Many websites now post privacy policies.  Furthermore, several of the biggest computer/Internet companies have created new positions of “chief privacy officer” -- a person hired to oversee privacy issues specifically.  These are significant starts, but many feel we still have a long way to go before users feel “in control” of their personal data.

A key theme that recurred throughout the workshop was the need for user empowerment.  There was widespread agreement that developers of mobile technology need to empower the user.  That is, developers need to provide mobile users maximum control over their personal information, with a special emphasis on location and state information.  The question is: what functions need to be built into the mobile web architecture in order to ensure this?

Clear, easy to understand explanations of a business’ privacy policy go some way towards user empowerment, by making clear what information is being collected and why.  Tools that assist in the reading of policies and blocking of personal information would help even more (more on this in §3).  In addition, businesses that follow fair information practices (see below) are much more likely to gain their customers’ trust.

Questions about who should be in control of personal information may be complex in the mobile environment. Sometimes the party paying for a service is not the same as the person using it.  For instance, consider an employee who uses a company cell phone -- in this case, who is the “user”?  And does it depend on where the person is (e.g., at the office vs. at home on a weekend)?  In fact, various “users” may have conflicting interests when it comes to the collection and distribution of data.  Thus, an employer who pays for the mobile phone may want to know location of his/her employee at all times, but the employee may value privacy and not want to be tracked everywhere he or she goes.

Business needs and concerns

Businesses, especially those involved in mobile services, need to be concerned about privacy for several reasons.  First, concerns about privacy have persistently been cited as the main barrier to further adoption of Internet services.  The success of future web ventures -- including the mobile web -- may depend critically on being able to assure user privacy.

Second, as was pointed out during the workshop, users have high expectations for trust in the mobile environment.  Most people regard their mobile phone, for example, as a trusted device -- they carry it with them everywhere, and do not want to receive calls that are intrusive or annoying.  If mobile web services cannot guarantee user privacy, they are likely to find themselves facing a lot of angry customers.

Third, privacy has become a major issue in countries around the world, one that governments and businesses are paying more and more attention to.  Privacy has been recognized as a basic right by almost all Western democratic countries, and therefore needs to be taken seriously if businesses want to stay on the good side of the law (not to mention the good side of their customers).

It was noted during the workshop that privacy is not the same as security: secure communications is only one part of ensuring users’ privacy.  A perfectly secure system that was still privacy-invasive.  It is therefore important to give careful consideration to what data is to be collected and for what purpose, not just how data is encrypted or stored.

Privacy rights are often addressed through various fair information practice principles. One more widely recognized set of principles is that issued by the OECD (see below). However, regulatory agencies in various countries have also weighed in on the subject.  For instance, the Federal Trade Commission (FTC) in the U.S. has suggested four principles that are crucial for businesses to follow. These are: notice, choice, access, and security. (See the FTC’s report to Congress, May 2000.)

These principles, along with the OECD's FIPs, provide a good starting point for businesses trying to incorporate privacy protection into their business model, and technologists trying to build strong privacy protection into their products.

Finally, one point stressed throughout the workshop was that privacy protection should not be seen as just a legal requirement.  Rather, it should be seen as a business opportunity -- those businesses that are able to provide their services while protecting privacy should be able to gain a market advantage. As European data commissioners are fond of saying, privacy makes good business sense, as well as legal sense.

Fair information practices Announcing which data one collects is only part of what’s needed to protect users’ privacy.  The OECD has proposed a set of eight principles, known as Fair Information Practices (FIPs), that governments and businesses should follow when collecting and handling personal data.  These FIPs have been widely adopted by countries around the world, including Canada, the U.S., and all EU countries. The eight OECD principles are: Collection Limitation: There should be limits on the collection of personal data, and such data should be gathered legally, and with the knowledge or consent of the data subjects. Accurate Data-keeping: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. Purpose Specification: The purposes for which personal data are collected should be specified not later than at the time of data collection, and all subsequent uses should be limited to those purposes. Use Limitation: Personal data should not be disclosed, made available or otherwise used for alternative purposes without consent from the data subject or by the authority of law. Security: Personal data should be protected from unauthorized access, destruction, use, modification, or disclosure. Openness: There should be a general policy of openness about developments in data collection and use. Means should be readily available to ascertain the existence and nature of personal data, the main purpose of their use, and the identity and location of the data controller. Individual Access: An individual should be able to contact a data controller about what information the controller has about that person, and be able to correct inaccurate records. If an access request is denied, a reason must be given, and the individual must be able to challenge the denial. Accountability: A data controller should be accountable for complying with the measures which give effect to the principles stated above.

 

3.  P3P and Other Tools

During the workshop we discussed the Platform for Privacy Preferences Project (P3P) (a standard being developed by W3C) and other up-and-coming privacy tools that may be of help in protecting individuals’ privacy online.  Participants expressed substantial interest in applying P3P to the mobile environment, but also expressed concerns about whether P3P will work “out of the box” in the mobile world.  Perhaps P3P is a good starting place, but not the final solution?

Overview of P3P

P3P is intended to help simplify and automate the announcement of a website’s privacy policies.  It does this by providing a standardized vocabulary that websites can use to encode their privacy policies in a machine-readable format.  P3P-enabled user agents can then automatically fetch these policies and pass this information on to users in an easily understandable way.  (For more on P3P, see workshop slides.)

Currently, a number of products are being developed that will incorporate the P3P draft standard.  These include browsers, user tools, and policy generators.   Microsoft, for example, has said the next version of its Internet Explorer browser will have support for P3P.

Proponents of P3P expect that this standard will be useful because:

• It will make privacy policies easier to understand for end-users: don’t have to read through pages and pages of legalese;
• In process of translating written policies into XML, businesses will be forced to think carefully through their privacy policies -- this, in itself, could improve privacy protection;
• Future versions of P3P may allow for automated decision-making based on user’s privacy preferences.

Interest in P3P from WAP

WAP members at the workshop were very interested in P3P, but expressed concern about a few issues:

• Performance:how much extra time is required to fetch web page with P3P?
  • Answer: depends on environment, but there have been a number of performance optimizations in the P3P spec, including compact representation of P3P policies for cookies.
• Security of policies:can P3P ensure that a policy arrives intact (e.g., with digital signatures)?
  • Answer: no support for DSig’s in P3P 1.0. This is planned for future versions. Recently, a W3C Note was written describing how this might be accomplished.
• Vocabulary:does P3P vocabulary need to be extended for mobile environment?
  • Answer: most likely, but not clear who should do this, W3C or WAP?
• User interface:how to set and change preferences with small devices such as mobile phones -- how to make a simple UI for informing the user?
  • Note: this is one of the big challenges facing the mobile industry. The P3P spec does not define user interface characteristics, leaving this to competitive implementations.

Despite these concerns, WAP members felt that P3P could provide a good starting point for addressing privacy in the mobile world, and agreed to raise the issues of privacy and P3P to the WAP Specification Requirements Committee.

Note that, even for the wireline world, P3P is only a starting point.  It is meant as a user-empowerment tool, but it is not a complete solution.  Other pieces of the puzzle include laws and regulation, business best practices, etc. -- these must all fit together if privacy is to be protected on the web.

4.  Special Concerns in the Wireless Environment

Privacy has dominated Internet policy debates for some time, but is only beginning to be discussed in the context of mobile services.  In addition to the regular concerns users have about sensitive information such as their age, health records, credit card numbers and history, etc., mobile devices often collect other data that may also contain sensitive information.  Three such types of data were discussed in depth at the workshop: location information, state information, and device capabilities/profiles.

Part of the reason why location, state, and device C/P are sensitive is because they are not “static” information.  Instead, they are more like “sensor” data that is updated frequently.  Consider location data compared with a person’s age -- a user’s location changes constantly, which in turn requires constant updating of location information.  Because of this “inherent character” of frequent updating, these types of data are potentially more privacy invasive, in the sense that they are more suited towards the purpose of “real-time” tracking of users’ preferences and behaviors. Some users may find this constant “tracking” to be very invasive. (This was also mentioned in the WAP-W3C workshop on position dependent services -- see the minutes that from workshop.)

In the next sections we take a brief look at location, state, and device capabilities/profiles. In reviewing these special types of data, we should ask:

• Why is the data potentially sensitive?
• What scenarios are predicted for its use?
• What ways are there to protect this data?
• What architectures are required to provide privacy protection?

Location

The collection of location information in the mobile environment is common, motivated, and in some cases required, by business opportunity, regulatory requirements, and larger design choices made in mobile device infrastructures. Mobile service providers see real business opportunities arising out of location information, such as "I'm lost" services, an many others. W3C and WAP Forum recently sponsored a Workshop on Position Dependent Information Services. Aside from business drivers, many jurisdictions require that mobile service providers be able to deliver location information to public safety officials when users make emergency calls for help (Consider, for example the United States FCC E911 requirements.) Finally, network architectures may have easy access to location information as a side effect of their oveall design. For example, the fact that wireless carriers relay transmissions point-to-point via the closest transmitter, and also frequently bill users based “roaming” charges, mean that location information (i.e., knowing where the cell phone is) is critical to current mobile services. (Of course, this might change in the future with new technologies such as BlueTooth™ -- a BlueTooth device doesn’t need to know the GPS position of another BlueTooth device, only that it is sufficiently “close by” to receive transmissions.  Perhaps a paradigm shift in-the-making?)

Location information is potentially sensitive because certain people, under certain circumstances, may not want to have their location divulged.  For instance, people hiding from abusive relationships.  More generally, the idea of being tracked (no matter how “benignly”) is disturbing to many people.  As one participant said during the workshop, “where you are and what you’re doing -- you can’t get much more personal than that!”

Fortunately, location information, while perhaps necessary to mobile services, need not always be passed on to other entities.  As well, such information could be dissociated from any particular user.  In other words, location information could be anonymized.  Do service providers really need to know this is John Q. Public at location xyz, or would it be sufficient to know that someone (a male, aged 30-55) is at location xyz? Careful thought should be paid to what is needed -- and what is optional -- for a particular business model.

State

An important counterpart to location information in many networks is state information that describes the status of a users device, willingness to receive calls, or whether the user is in business or personal mode. Some argued that location information without state is a recipe for spam.  Certain business models envision using location information to “push” ads and services onto users, when they enter a certain shopping zone, for example. But does the user want to be contacted?  Is the user on business time or personal time?

Because mobile phones are perceived as highly personal, trusted devices, intrusions (such as unwanted phone calls or ads) are highly resented by users.  Thus, the importance for those who would push ads, is to know when a user wants to receive ads or not.

Also important is the fact that a single device may have multiple users (e.g., a family), and even the same user may have different states (e.g., during business hours it’s a certain kind of device, but after hours it’s meant for personal time).  Thus, a single device may be perceived as being, in fact, many devices.  Push services that utilize personal information need to take this into account.

Participants at the workshop agreed that users must have control over their information and their mobile devices -- this is absolutely crucial.  The challenge will be to build UIs and infrastructures that allow users to indicate when they do and do not want to be disturbed -- otherwise, push ads will become spam, and kill the market.

Device capabilities/profiles

Device capabilities/profiles (C/Ps) are another example of seemingly mundane, technical information that may be linked to sensitive information.  Because mobile devices don’t have the bandwidth, display, or computational capacities of wireline devices, many technology analysts expect C/Ps to become essential for optimizing content delivery over wireless networks. Currently, a number of standards including CC/PP are being developed in order to handle device capability/profile information.

The issue is that device C/Ps may contain information that could be considered sensitive.  For instance, information such as “preferred language” is probably not terribly privacy-sensitive, but what about profile information such as a person’s home town, employer, and favorite restaurant?  What about frequent flyer numbers and other unique IDs that might be stored in a C/P file?  These data have their uses, of course, but if they leaked out or were linked to each other without the user’s permission, it would be a serious privacy concern.

Workshop attendees discussed the CC/PP specification in some depth (e.g., see minutes and Mikael Nilsson’s slides).  In its early work, the CC/PP working group did concentrate on privacy issues, but the Working Group is now spending much more time on this. Clearly, privacy will need to be taken into account by developers aiming to make use of C/P information. CC/PP deals with seemingly technical details (e.g., device name), and yet might tie this to sensitive information (location, user name, etc.). Without careful thought to mobile web architecture, we may end up creating standards/infrastructures that inadvertantly compromise personal privacy.

Wireless business models

Many of the WAP participants at the workshop talked about business models, where they envisioned mobile phones as being a kind of “ultimate smart card” in the future, allowing web access from anywhere.  “Pervasive computing” could be another way to describe this. As mobile devices become common/ubiquitous, they risk becoming de facto tracking devices, unless underlying infrastructure is built to prevent this.  Hence, the call from several workshop participants for a comprehensive privacy architecture.  However, it was not clear which organizations, if any, should be responsible for designing such an architecture.

Another point to keep in mind is that the mobile infrastructure and mobile market is more developed in Europe and Asia than in North America (e.g., compare number of mobile users).  Thus, while Internet policy debates have been strongly driven by U.S. concerns in general, in the mobile web world these debates might perhaps be driven by the concerns of other countries.

As mentioned earlier, network operators may have an important role to play in protecting the privacy of their customers. If it is the case that a customer always goes through the network operator to access the web, then potentially much personal information will be passing through this “gateway.” Do network operators then become trusted “infomediaries” through which personal information is passed? Or can sensitive information simply bypass the network operator (i.e., be passed along without anyone knowing what's inside) and proceed directly to the website, perhaps being encrypted as well? And what are the relative responsibilities of network operators, website operators, and operators of intermediary services when it comes to protecting a customer's privacy? These are some of the questions to be resolved as the mobile web environment develops.

Depending on one’s business model, different requirements for privacy protection will be envisioned.  For privacy advocates, the first question is always: is it necessary to collect personal data in the first place?  Several participants came in with the assumption that the collection of personally identifiable information is a necessity from the get-go.  Clearly, in certain cases (e.g., delivery of goods), it is necessary to collect PII, and we could all agree that PII can be valuable -- to marketers, for instance.  But it is questionable whether PII should be the first thing that businesses try to collect.

For instance, an alternative model could start with user being anonymous, waiting until he or she is comfortable (i.e., has built up a relationship with business), before asking for PII -- an opt-in model.  A number of companies at the workshop (ad companies such as Engage and DoubleClick, for instance), said that they achieved many of their relationship-management functions without using PII.  For example, they can target their ads using anonymous cookies and non-personal information such as user’s home state or zip code.

Two particular concerns were alluded to during the workshop.  First, the infrastructure for tracking mobile users is being built.  As an example, the E911 directive in the U.S. is well-intended, but may end up unwittingly leading to an infrastructure of mass tracking and surveillance.  Mario Tapia (XYPoint) explained that companies in the U.S. are currently afraid to use E911 infrastructure for business purposes because of fears of a public backlash against privacy invasion.

Second, “pervasive computing” changes the landscape of privacy debate: the goal of having users be aware of and control each and every transaction in which they give out data becomes problematic when users are continually "tuned into" the network.  The approach of many web companies so far has been to try to be very specific about when data is collected and used, e.g., by writing privacy policies that have the feel of a “contract.”  P3P can help in this regard.  However, it seems likely that additional tools such as anonymizers, pseudonymous transactions, encryption, digital signatures, and so forth, will be needed to better empower users.  As well, businesses must become consumer advocates, figuring out ways to collect valuable information without compromising the privacy of their users (e.g., through the use of anonymous cookies).

5.  Next steps

Many participants said they found the workshop useful -- it provided a space for initiating discussion on a crucial issue for upcoming mobile web services.  Naturally, the workshop organizers were pleased to hear this.  However, participants also noted the lack of a clear space for further development of these ideas.  The concern is there, but who is working on privacy?

Specifically, there appears to be:

• lack of a home in WAP for privacy issues
• no clear collaboration zone between standards organizations (including W3C and WAP) for coordinating technical specifications
• no one ready to say “we are doing/will do this work”

(On this last point, workshop participants were not alone; similar concerns were expressed at a recent FTC workshop on mobile privacy.) 

Obviously, these issues will need to be addressed if we are to move forward on the wireless privacy front. Still, there appears to be some common ground from which to build further discussions:

Common themes

Here are some points that almost everyone at the workshop seemed to agree with:

• The key goal we all share is to provide mobile users maximum control over their person information, with special emphasis on location and state data.
• P3P is an important starting point for addressing privacy, but it does not address the whole privacy challenge, especially for the wireless environment.
• We face challenges of assuring privacy given different business models
• We should view privacy as an opportunity rather than just legal obligation

In addition, participants all expressed belief that privacy and security were crucial to the future of wireless services. What is less clear is whether companies are prepared to do something about this. For example, while there was consensus on the need for privacy tools and architectures, participants were less clear on what tools were actually needed, or who would take the initiative to push forward the mobile privacy agenda.

Follow-up items

Finally, here are the follow-up items that were discussed during the workshop's wrap-up session (see workshop minutes). These action items are directed at both WAP/W3C and the broader technical community.

For WAP-W3C:

• develop an extension to the P3P vocabulary
• explore integration of CC/PP, UAProf, and P3P. How/where to do this?
• create a workable IPR collaboration zone. (FYI, the Location DC was unable to present the bulk of its work given this restriction)
• pursue further collaboration between WAP and W3C: this will require that WAP identifies a clear 'home' for privacy work and that WAP and W3C identify areas of common work.

For technical community in general:

• map out a privacy architecture, along with use cases, technical requirements, and dependencies
• expand dialogue with legal and public policy communities

It was agreed that WAP would report back to W3C-WAP coordination group after the next WAP Forum meeting (to be held in February 2001).