This report summarizes the main points of discussion from the Joint Workshop on Mobile Web Privacy, held 7-8 December 2000 in Munich, Germany. The workshop was jointly hosted by the Wireless Application Protocol (WAP) Forum and the World Wide Web Consortium (W3C). The goal of the workshop was to bring together members of the mobile and web communities to discuss how privacy could be better protected, especially as mobile web services begin to proliferate.
For an overview of the workshop, including a list of participants, please see the workshop homepage. See also the workshop minutes, which include links to the presentations made in Munich.
The following points were considered crucial by most or all workshop participants:
The remainder of this report goes into further detail on the above points.
This report is directed primarily at the technical community, e.g., members of WAP, W3C, IETF, and other standards groups and organizations. It seeks to provide a broad overview of relevant technical and policy issues discussed during the mobile privacy workshop. We hope it will be of use to the public policy community as well.
Privacy is a broad topic that connects with many other issues. For the purposes of the workshop and this report, however, our focus is on privacy. This means that a number of issues -- while relevant to privacy discussions -- are out of scope for this report. These include:
Privacy has emerged as one of the key issues in the worlds of electronic commerce and communications. Privacy stories make the news on an almost daily basis these days. Surveys and opinion polls consistently show privacy to be one of the biggest concerns of citizens, especially in North America and Europe.
It is within this context that WAP and W3C jointly organized their workshop on mobile web privacy. Computer users continue to express concerns about their privacy while on the Internet, and mobile device users have particular information that may be privacy sensitive (e.g., location information). Members of the WAP-W3C coordination group felt it was important for these two organizations to work together to identify what steps should be taken to assure that the standards underlying mobile Web services have the architectural capacity to address the privacy concerns of users.
A key concern of many users is the fear that personal information might be used for the wrong purposes or leak out to the wrong people. In general many Internet users suffer from a feeling of loss of control -- in the “information age,” who has control over my personal information? Such fears have prompted many public discussions and led to some changes in business practices. Many websites now post privacy policies. Furthermore, several of the biggest computer/Internet companies have created new positions of “chief privacy officer” -- a person hired to oversee privacy issues specifically. These are significant starts, but many feel we still have a long way to go before users feel “in control” of their personal data.
A key theme that recurred throughout the workshop was the need for user empowerment. There was widespread agreement that developers of mobile technology need to empower the user. That is, developers need to provide mobile users maximum control over their personal information, with a special emphasis on location and state information. The question is: what functions need to be built into the mobile web architecture in order to ensure this?
Clear, easy to understand explanations of a business’ privacy policy go some way towards user empowerment, by making clear what information is being collected and why. Tools that assist in the reading of policies and blocking of personal information would help even more (more on this in §3). In addition, businesses that follow fair information practices (see below) are much more likely to gain their customers’ trust.
Questions about who should be in control of personal information may be complex in the mobile environment. Sometimes the party paying for a service is not the same as the person using it. For instance, consider an employee who uses a company cell phone -- in this case, who is the “user”? And does it depend on where the person is (e.g., at the office vs. at home on a weekend)? In fact, various “users” may have conflicting interests when it comes to the collection and distribution of data. Thus, an employer who pays for the mobile phone may want to know the location of his/her employee at all times, but the employee may value privacy and not want to be tracked everywhere he or she goes.
Businesses, especially those involved in mobile services, need to be concerned about privacy for several reasons. First, concerns about privacy have persistently been cited as the main barrier to further adoption of Internet services. The success of future web ventures -- including the mobile web -- may depend critically on being able to assure user privacy.
Second, as was pointed out during the workshop, users have high expectations for trust in the mobile environment. Most people regard their mobile phone, for example, as a trusted device -- they carry it with them everywhere, and do not want to receive calls that are intrusive or annoying. If mobile web services cannot guarantee user privacy, they are likely to find themselves facing a lot of angry customers.
Third, privacy has become a major issue in countries around the world, one that governments and businesses are paying more and more attention to. Privacy has been recognized as a basic right by almost all Western democratic countries, and therefore needs to be taken seriously if businesses want to stay on the good side of the law (not to mention the good side of their customers).
It was noted during the workshop that privacy is not the same as security: secure communication is only one part of ensuring users’ privacy. A perfectly secure system can still be privacy-invasive. It is therefore important to give careful consideration to what data is to be collected and for what purpose, not just how data is encrypted or stored.
Privacy rights are often addressed through various fair information practice principles. One of the more widely recognized sets of principles is that issued by the OECD (see below). However, regulatory agencies in various countries have also weighed in on the subject. For instance, the Federal Trade Commission (FTC) in the U.S. has suggested four principles that are crucial for businesses to follow. These are: notice, choice, access, and security. (See the FTC’s report to Congress, May 2000.)
These principles, along with the OECD's FIPs, provide a good starting point for businesses trying to incorporate privacy protection into their business model, and technologists trying to build strong privacy protection into their products.
Finally, one point stressed throughout the workshop was that privacy protection should not be seen as just a legal requirement. Rather, it should be seen as a business opportunity -- those businesses that are able to provide their services while protecting privacy should be able to gain a market advantage. As European data commissioners are fond of saying, privacy makes good business sense, as well as legal sense.
Fair information practices
Announcing which data one collects is only part of what’s needed to protect users’ privacy. The OECD has proposed a set of eight principles, known as Fair Information Practices (FIPs), that governments and businesses should follow when collecting and handling personal data. These FIPs have been widely adopted by countries around the world, including Canada, the U.S., and all EU countries. The eight OECD principles are:
During the workshop we discussed the Platform for Privacy Preferences Project (P3P) (a standard being developed by W3C) and other up-and-coming privacy tools that may be of help in protecting individuals’ privacy online. Participants expressed substantial interest in applying P3P to the mobile environment, but also expressed concerns about whether P3P will work “out of the box” in the mobile world. Perhaps P3P is a good starting place, but not the final solution?
P3P is intended to help simplify and automate the announcement of a website’s privacy policies. It does this by providing a standardized vocabulary that websites can use to encode their privacy policies in a machine-readable format. P3P-enabled user agents can then automatically fetch these policies and pass this information on to users in an easily understandable way. (For more on P3P, see workshop slides.)
Currently, a number of products are being developed that will incorporate the P3P draft standard. These include browsers, user tools, and policy generators. Microsoft, for example, has said the next version of its Internet Explorer browser will have support for P3P.
Proponents of P3P expect that this standard will be useful because:
WAP members at the workshop were very interested in P3P, but expressed concern about a few issues:
Despite these concerns, WAP members felt that P3P could provide a good starting point for addressing privacy in the mobile world, and agreed to raise the issues of privacy and P3P to the WAP Specification Requirements Committee.
Note that, even for the wireline world, P3P is only a starting point. It is meant as a user-empowerment tool, but it is not a complete solution. Other pieces of the puzzle include laws and regulation, business best practices, etc. -- these must all fit together if privacy is to be protected on the web.
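To make concrete what “fetch the policy and compare it with the user’s preferences” looks like in practice, here is an added example (not code from the report, and not W3C’s own P3P tooling) of a minimal policy check such as a P3P-enabled mobile user agent could run. The policy, the preferences and the `#dynamic.location` data reference are constructed for this example; the parser ignores the XML namespace, so it works on any P3P-style document using the same element names.

```python
"""Added example, not from the WAP/W3C report or from W3C's P3P tooling:
a minimal policy check of the kind a P3P-enabled mobile user agent could
run.  Element names follow P3P 1.0 (POLICY, STATEMENT, PURPOSE, RECIPIENT,
RETENTION, DATA); "#dynamic.location" is an assumed data reference for
location data, not one taken from the P3P base data schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample policy: the second statement passes location data to
# unrelated recipients for telemarketing and keeps it indefinitely.
POLICY_XML = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="mobile-portal">
    <STATEMENT>
      <PURPOSE><current/><admin/></PURPOSE>
      <RECIPIENT><ours/></RECIPIENT>
      <RETENTION><stated-purpose/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
    </STATEMENT>
    <STATEMENT>
      <PURPOSE><current/><telemarketing/></PURPOSE>
      <RECIPIENT><ours/><unrelated/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP><DATA ref="#dynamic.location"/></DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>"""

# Constructed user preferences, keyed by data-reference prefix: the values
# the user accepts in each of the three dimensions of a statement.
USER_PREFS = {
    "#dynamic.location": {"purpose": {"current"}, "recipient": {"ours"},
                          "retention": {"no-retention", "stated-purpose"}},
    "#dynamic.clickstream": {"purpose": {"current", "admin", "develop"},
                             "recipient": {"ours"},
                             "retention": {"no-retention", "stated-purpose"}},
}

def _local(tag):
    """Strip the XML namespace so element names compare as plain strings."""
    return tag.rsplit("}", 1)[-1]

def _values(statement, name):
    """Local names of the children of <name> inside a STATEMENT element."""
    for child in statement:
        if _local(child.tag) == name:
            return {_local(c.tag) for c in child}
    return set()

def parse_statements(policy_xml):
    """Yield (data_refs, {dimension: values}) for every STATEMENT in a policy."""
    for st in ET.fromstring(policy_xml).iter():
        if _local(st.tag) == "STATEMENT":
            refs = {d.get("ref") for d in st.iter() if _local(d.tag) == "DATA"}
            yield refs, {dim: _values(st, dim.upper())
                         for dim in ("purpose", "recipient", "retention")}

def evaluate_policy(policy_xml, prefs):
    """Return sorted (data_ref, dimension, value) triples the user disallows.

    A data reference matches the longest preference key that prefixes it (the
    P3P data schema is hierarchical); unmatched data is flagged, not allowed.
    """
    violations = set()
    for refs, dims in parse_statements(policy_xml):
        for ref in refs:
            keys = [k for k in prefs if ref.startswith(k)]
            if not keys:
                violations.add((ref, "data", "no-preference"))
                continue
            rule = prefs[max(keys, key=len)]
            for dim, found in dims.items():
                for value in found - rule[dim]:
                    violations.add((ref, dim, value))
    return sorted(violations)
```

A user agent would act on a non-empty result by warning the user or withholding the flagged data, which is the “pass this information on to users” step the section describes.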
Privacy has dominated Internet policy debates for some time, but is only beginning to be discussed in the context of mobile services. In addition to the regular concerns users have about sensitive information such as their age, health records, credit card numbers and history, etc., mobile devices often collect other data that may also contain sensitive information. Three such types of data were discussed in depth at the workshop: location information, state information, and device capabilities/profiles.
Part of the reason why location, state, and device C/P are sensitive is that they are not “static” information. Instead, they are more like “sensor” data that is updated frequently. Consider location data compared with a person’s age -- a user’s location changes constantly, which in turn requires constant updating of location information. Because of this “inherent character” of frequent updating, these types of data are potentially more privacy invasive, in the sense that they are more suited towards the purpose of “real-time” tracking of users’ preferences and behaviors. Some users may find this constant “tracking” to be very invasive. (This was also mentioned in the WAP-W3C workshop on position dependent services -- see the minutes from that workshop.)
In the next sections we take a brief look at location, state, and device capabilities/profiles. In reviewing these special types of data, we should ask:
The collection of location information in the mobile environment is common; it is motivated, and in some cases required, by business opportunity, regulatory requirements, and larger design choices made in mobile device infrastructures. Mobile service providers see real business opportunities arising out of location information, such as "I'm lost" services, and many others. W3C and WAP Forum recently sponsored a Workshop on Position Dependent Information Services. Aside from business drivers, many jurisdictions require that mobile service providers be able to deliver location information to public safety officials when users make emergency calls for help (consider, for example, the United States FCC E911 requirements). Finally, network architectures may have easy access to location information as a side effect of their overall design. For example, the fact that wireless carriers relay transmissions point-to-point via the closest transmitter, and also frequently bill users based on “roaming” charges, means that location information (i.e., knowing where the cell phone is) is critical to current mobile services. (Of course, this might change in the future with new technologies such as BlueTooth™ -- a BlueTooth device doesn’t need to know the GPS position of another BlueTooth device, only that it is sufficiently “close by” to receive transmissions. Perhaps a paradigm shift in-the-making?)
Location information is potentially sensitive because certain people, under certain circumstances, may not want to have their location divulged. For instance, people hiding from abusive relationships. More generally, the idea of being tracked (no matter how “benignly”) is disturbing to many people. As one participant said during the workshop, “where you are and what you’re doing -- you can’t get much more personal than that!”
Fortunately, location information, while perhaps necessary to mobile services, need not always be passed on to other entities. As well, such information could be dissociated from any particular user. In other words, location information could be anonymized. Do service providers really need to know this is John Q. Public at location xyz, or would it be sufficient to know that someone (a male, aged 30-55) is at location xyz? Careful thought should be paid to what is needed -- and what is optional -- for a particular business model.
An important counterpart to location information in many networks is state information that describes the status of a user’s device, willingness to receive calls, or whether the user is in business or personal mode. Some argued that location information without state is a recipe for spam. Certain business models envision using location information to “push” ads and services onto users, when they enter a certain shopping zone, for example. But does the user want to be contacted? Is the user on business time or personal time?
Because mobile phones are perceived as highly personal, trusted devices, intrusions (such as unwanted phone calls or ads) are highly resented by users. Thus, it is important for those who would push ads to know when a user does and does not want to receive them.
Also important is the fact that a single device may have multiple users (e.g., a family), and even the same user may have different states (e.g., during business hours it’s a certain kind of device, but after hours it’s meant for personal time). Thus, a single device may be perceived as being, in fact, many devices. Push services that utilize personal information need to take this into account.
Participants at the workshop agreed that users must have control over their information and their mobile devices -- this is absolutely crucial. The challenge will be to build UIs and infrastructures that allow users to indicate when they do and do not want to be disturbed -- otherwise, push ads will become spam, and kill the market.
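The location and state sections above describe two defensive measures without showing them: dissociating a location fix from the person before it leaves the operator, and gating push delivery on device state. The following is an added example, not code from the report or from any of the participating companies; the record layout, grid size, age buckets and sample data are assumptions made for the illustration.

```python
"""Added example, not from the WAP/W3C report: what an operator or portal
could do with a location fix before handing it to a third-party push service.
It de-identifies and coarsens the record (the service learns that "a male,
30-55" is near a grid cell, not that John Q. Public is at x,y) and gates
delivery on device state: do-not-disturb, the profile in use, and which of
several users of a shared phone is active.  Field names, grid size, age
buckets and sample records are assumptions made for this example.
"""
import math
from dataclasses import dataclass


@dataclass
class LocationFix:
    msisdn: str          # subscriber number: identifies the person
    name: str
    sex: str
    age: int
    lat: float
    lon: float


@dataclass
class DeviceState:
    active_user: str     # who holds the (possibly shared) phone right now
    profile: str         # "business" or "personal", as set on the device
    do_not_disturb: bool


AGE_BUCKETS = ((0, 17), (18, 29), (30, 55), (56, 120))

# Constructed preferences for a phone shared by a parent and a child: the
# profiles in which each user accepts push offers.  Unknown users get none.
OFFER_PREFS = {"john": {"personal"}, "john-kid": set()}


def anonymize(fix, cell_deg=0.05):
    """Return a record with identity removed and location and age generalized.

    Coordinates snap to the south-west corner of a cell_deg grid cell
    (0.05 degrees is roughly 5 km), age becomes a range, and the subscriber
    number and name are dropped entirely.
    """
    lo, hi = next(b for b in AGE_BUCKETS if b[0] <= fix.age <= b[1])

    def snap(v):
        return round(math.floor(v / cell_deg) * cell_deg, 6)

    return {"sex": fix.sex, "age_range": f"{lo}-{hi}",
            "cell": (snap(fix.lat), snap(fix.lon))}


def may_push(state, prefs):
    """Decide whether a location-triggered offer may be delivered right now.

    Returns (allowed, reason).  Do-not-disturb always wins; otherwise the
    active user's own preference for the current profile decides.
    """
    if state.do_not_disturb:
        return False, "device is in do-not-disturb"
    if state.profile not in prefs.get(state.active_user, set()):
        return False, f"{state.active_user} does not accept offers in {state.profile} mode"
    return True, f"{state.active_user} accepts offers in {state.profile} mode"


def prepare_offer_request(fix, state, prefs):
    """What leaves the operator: the de-identified record, or None and why."""
    allowed, reason = may_push(state, prefs)
    return (anonymize(fix) if allowed else None), reason


# Constructed sample: a subscriber in central Munich, phone in personal mode.
SAMPLE_FIX = LocationFix("+49-170-0000000", "John Q. Public", "male", 42,
                         48.1375, 11.5755)
SAMPLE_STATE = DeviceState("john", "personal", False)
```

Note that the push service never receives the subscriber number or name at all, so a leak on its side cannot re-identify the user from what this pipeline sends.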
Device capabilities/profiles (C/Ps) are another example of seemingly mundane, technical information that may be linked to sensitive information. Because mobile devices don’t have the bandwidth, display, or computational capacities of wireline devices, many technology analysts expect C/Ps to become essential for optimizing content delivery over wireless networks. Currently, a number of standards including CC/PP are being developed in order to handle device capability/profile information.
The issue is that device C/Ps may contain information that could be considered sensitive. For instance, information such as “preferred language” is probably not terribly privacy-sensitive, but what about profile information such as a person’s home town, employer, and favorite restaurant? What about frequent flyer numbers and other unique IDs that might be stored in a C/P file? These data have their uses, of course, but if they leaked out or were linked to each other without the user’s permission, it would be a serious privacy concern.
Workshop attendees discussed the CC/PP specification in some depth (e.g., see minutes and Mikael Nilsson’s slides). In its early work, the CC/PP working group did not concentrate on privacy issues, but the Working Group is now spending much more time on this. Clearly, privacy will need to be taken into account by developers aiming to make use of C/P information. CC/PP deals with seemingly technical details (e.g., device name), and yet might tie this to sensitive information (location, user name, etc.). Without careful thought to mobile web architecture, we may end up creating standards/infrastructures that inadvertently compromise personal privacy.
Many of the WAP participants at the workshop talked about business models, where they envisioned mobile phones as being a kind of “ultimate smart card” in the future, allowing web access from anywhere. “Pervasive computing” could be another way to describe this. As mobile devices become common/ubiquitous, they risk becoming de facto tracking devices, unless underlying infrastructure is built to prevent this. Hence, the call from several workshop participants for a comprehensive privacy architecture. However, it was not clear which organizations, if any, should be responsible for designing such an architecture.
Another point to keep in mind is that the mobile infrastructure and mobile market is more developed in Europe and Asia than in North America (e.g., compare number of mobile users). Thus, while Internet policy debates have been strongly driven by U.S. concerns in general, in the mobile web world these debates might perhaps be driven by the concerns of other countries.
As mentioned earlier, network operators may have an important role to play in protecting the privacy of their customers. If it is the case that a customer always goes through the network operator to access the web, then potentially much personal information will be passing through this “gateway.” Do network operators then become trusted “infomediaries” through which personal information is passed? Or can sensitive information simply bypass the network operator (i.e., be passed along without anyone knowing what's inside) and proceed directly to the website, perhaps being encrypted as well? And what are the relative responsibilities of network operators, website operators, and operators of intermediary services when it comes to protecting a customer's privacy? These are some of the questions to be resolved as the mobile web environment develops.
Depending on one’s business model, different requirements for privacy protection will be envisioned. For privacy advocates, the first question is always: is it necessary to collect personal data in the first place? Several participants came in with the assumption that the collection of personally identifiable information is a necessity from the get-go. Clearly, in certain cases (e.g., delivery of goods), it is necessary to collect PII, and we could all agree that PII can be valuable -- to marketers, for instance. But it is questionable whether PII should be the first thing that businesses try to collect.
For instance, an alternative model could start with the user being anonymous, waiting until he or she is comfortable (i.e., has built up a relationship with a business) before asking for PII -- an opt-in model. A number of companies at the workshop (ad companies such as Engage and DoubleClick, for instance) said that they achieved many of their relationship-management functions without using PII. For example, they can target their ads using anonymous cookies and non-personal information such as the user’s home state or zip code.
Two particular concerns were alluded to during the workshop. First, the infrastructure for tracking mobile users is being built. As an example, the E911 directive in the U.S. is well-intended, but may end up unwittingly leading to an infrastructure of mass tracking and surveillance. Mario Tapia (XYPoint) explained that companies in the U.S. are currently afraid to use E911 infrastructure for business purposes because of fears of a public backlash against privacy invasion.
Second, “pervasive computing” changes the landscape of privacy debate: the goal of having users be aware of and control each and every transaction in which they give out data becomes problematic when users are continually "tuned into" the network. The approach of many web companies so far has been to try to be very specific about when data is collected and used, e.g., by writing privacy policies that have the feel of a “contract.” P3P can help in this regard. However, it seems likely that additional tools such as anonymizers, pseudonymous transactions, encryption, digital signatures, and so forth, will be needed to better empower users. As well, businesses must become consumer advocates, figuring out ways to collect valuable information without compromising the privacy of their users (e.g., through the use of anonymous cookies).
Many participants said they found the workshop useful -- it provided a space for initiating discussion on a crucial issue for upcoming mobile web services. Naturally, the workshop organizers were pleased to hear this. However, participants also noted the lack of a clear space for further development of these ideas. The concern is there, but who is working on privacy?
Specifically, there appears to be:
(On this last point, workshop participants were not alone; similar concerns were expressed at a recent FTC workshop on mobile privacy.)
Obviously, these issues will need to be addressed if we are to move forward on the wireless privacy front. Still, there appears to be some common ground from which to build further discussions:
Here are some points that almost everyone at the workshop seemed to agree with:
In addition, participants all expressed belief that privacy and security were crucial to the future of wireless services. What is less clear is whether companies are prepared to do something about this. For example, while there was consensus on the need for privacy tools and architectures, participants were less clear on what tools were actually needed, or who would take the initiative to push forward the mobile privacy agenda.
One of the biggest challenges in the immediate future will be for WAP and W3C members to demonstrate to regulators and the public that industry truly believes privacy is important, and that companies are willing to invest in building tools and infrastructures to promote privacy. If not, trust will crumble in the mobile web world.
Public statements of concern are not enough to address privacy -- what's needed is a commitment by technology companies, as well as regulatory bodies and government, to develop infrastructures and services that will (1) protect privacy because the technology itself affords strong privacy protection (e.g., by allowing for anonymization); and (2) allow for legal recourse, so that when privacy-enhancing technologies fail citizens have some means of regaining control over their personal information.
The adoption of so-called fair location practices may be a good place to start. As mentioned earlier in this report, the development of good user interfaces will also be critical -- how will users set their privacy preferences? As well, much work remains to be done on building tools that would address sensitive data such as location, state, and device capabilities and profiles. These are just some of the challenges that need to be addressed if privacy is to be protected in the mobile world.
Finally, here are the follow-up items that were discussed during the workshop's wrap-up session (see workshop minutes). These action items are directed at both WAP/W3C and the broader technical community.
For WAP-W3C:
For technical community in general:
It was agreed that WAP would report back to W3C-WAP coordination group after the next WAP Forum meeting (to be held in February 2001).
At the end of the workshop, many participants said they had found the event to be useful and interesting. We were pleased to hear that, and hope that the workshop will lead to stronger privacy protection in the standards and architectures of the mobile web environment.
Last modified $Id: report.html,v 1.25 2001/04/20 13:52:37 djweitzner Exp $