Submitted by: Karen Coyle
---------------------------------
Bio

Librarian, author, active in standards development with Library of Congress, NISO, ePUB, W3C. Representing Dublin Core Metadata Initiative in W3C: SHACL WG, DXWG (co-chair). http://kcoyle.net.

Commented on W3C's Platform for Privacy Preferences (P3P)[1] standard in 1999. See: http://kcoyle.net/p3p.html, and other writings at http://kcoyle.net/topiclist.html#privacy.

[1] https://www.w3.org/P3P/
---------------------------------
Your goals

As I wrote in my criticism of P3P, the factors that are key relating to privacy are often not solvable by technology. We already see that most users accept defaults and do not act on privacy options; that users are unable to determine at any given moment what the future use of their data may be nor how it may be combined with other data; that users needing access to specific content may not have bargaining power with the content provider. One additional complication that we have today is that different jurisdictions have different -- or no -- privacy laws to back up user choices. My assumption is that technology alone cannot solve this problem, so a legal basis is needed. It is important not to over-promise what a technology standard can provide, especially in countries that do not support strong privacy practices.

My goal would be to review the previous W3C effort, P3P, and understand the promises and problems that arose from that (nearly 20 years ago). The general conclusion was the privacy negotiation between users and online providers was not tenable using the technology that was being proposed. An analysis of this "prior art" could help direct the current effort in a more useful direction.
---------------------------------
Workshop Goals

Pay attention to:

1) The human element: we know that user behavior shows that most users will not take actions beyond accepting defaults
2) The power differential: even users who are privacy-aware can relinquish information about themselves when that is the only way to access needed services
3) The unknowns: data is forever, and one cannot predict all future uses of one's personal data or how it may be aggregated. This makes informed decision-making very difficult
4) Facilitating personal data sharing: a big issue with P3P was that it offered ways to facilitate personal data sharing. Given 1-3 above, this is likely to result in LESS privacy, not more, and users may believe that their data is protected when it is not.

These difficulties have to be included in any planning for a technology of privacy.
---------------------------------
Your interests

Please select the rank-order (1 to 10) for the options you think are acceptable (i.e. you can live with it), where 1 is the most preferred, 2 the next best and so on...

* Vocabularies to model privacy policies, regulations, and involved (business) processes: [ Don’t mind ]
* Identity management vocabularies: [ Don’t mind ]
* Modeling personal data usage, processing, sharing, and tracking: [ Don’t mind ]
* Interlinking aspects of privacy and provenance: [ Don’t mind ]
* Modeling consent and making it transportable: [ Don’t mind ]
* New ways to put the user in control benefiting from semantic interoperability of policy information: [ Don’t mind ]
* Modeling permissions, obligations, and their scope: [ Don’t mind ]
* Reasoning about formally declared privacy policies: [ Don’t mind ]
* Exploring links and synergies using Linked Data vocabularies in the context of related efforts: [ Don’t mind ]
* Visualizations of data and policy information to help data self determination: [ Don’t mind ]

Honestly, this looks a lot like P3P and I am worried that the social and personal and financial implications of such technology are not on the agenda.
---------------------------------
Other Thoughts

I think I've said it all above, but I do recommend that you read my piece on P3P,[1] the CDT response[2], and my reply.[3] These documents give a good overview of the difficulties that the P3P effort ran into, and that may be as relevant today as they were then. If they are around, it would be good to have at the meeting folks who worked on the P3P proposal.

[1] http://kcoyle.net/p3p.html
[2] https://web.archive.org/web/20011003015614/http://www.cdt.org/privacy/pet/p3pprivacy.shtml
[3] http://kcoyle.net/response.html