Introductions
Nick Doty, http://npdoty.name
Microsoft, iSchool, IO Lab, PhD: how are privacy and other values considered in technical design?
W3C: "Privacy", in practice this means corralling people and processes (Staff Contact and recruiting) more than engineering, a distinction I'll come back to later.
I'm speaking here as an iSchooler, not on behalf of W3C.
What I'll cover
- Expose you to the standardization process
- Walk through some case studies (P3P, Geolocation, Do Not Track)
- Describe how privacy is and should be considered
Expose you to how this works so that you might be able to get involved, or understand how it works so that you could represent your organization in these discussions at some point.
Present early arguments to a friendly audience to try to get your feedback.
Hope to answer any questions you might have as I now have a sort of insider role.
The Standardization Process at W3C
History
- Tim Berners-Lee
- the "browser wars" and interoperability
- patent protection
- anti-trust concerns
The Standardization Process at W3C
Consensus
- "rough consensus and running code"
- Who participates?
- email, IRC, face-to-face meetings
Member-driven organization; Alternatives to a consensus decision-making process?
The Standardization Process at W3C
What is a standard?
Examples:
Key properties:
- maturity: Working Drafts, Last Call, Candidate Recommendation, Proposed Recommendation, Recommendation
- interoperability of implementations
- humility of technical standards
P3P
Platform for Privacy Preferences Project
- proposed solution to the problem of unread privacy policies
- a 5-year standardization process (much more, depending on how you measure)
- a failure?
Examples:
From tpl notes: What technical means does it propose? Non-self-enforcing.
What's notable about the process? What was cut?
Potential reading: Overview from Cranor and Reagle in Communications of the ACM, 1999
Geolocation
W3C Geolocation API
- JavaScript API agnostic to geolocation method
- contentious debates over privacy provisions
- how well does a W3C spec guide web site behavior?
First of many Web specs that will implicate a particular type of privacy concern, which is one reason so many of us have gotten involved in it. More device APIs, etc. Geolocation is NOT part of HTML5, but HTML5 also has its own set of privacy implications, particularly around tracking (local storage, etc.).
Geolocation
These debates were over who was making the relevant privacy disclosures to the end user, but we also identified issues with minimization, aggregation and transparency, which fall closer to the self-enforcing end of the spectrum.
Do Not Track
Tracking Protection Working Group
- proposed solution to the problem of cross-site behavioral tracking mostly for ad purposes
- a consumer choice mechanism
- regulatory, public and media interest
DNT:1
Tracking Protection/Selection/Filter lists in addition to Do Not Track; a Compliance document in addition to purely technical specs
Use of HTTP headers as a question of Web architecture, granular to the request level. Should there be a response header?
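To make the request-level point concrete, here is an added illustration (not code from the talk, from W3C, or from any browser) of a server deciding per request whether to use a tracking identifier based on that request's DNT header. The cookie name, the opt-out rule (only the value "1" counts as an opt-out) and the replayed request sequence are constructed assumptions for the example.

```python
"""Per-request handling of the DNT header: an added illustration, not code
from the talk or from W3C. Assumes a site that sets a cookie for ad
measurement; the cookie name and the request sequence are constructed."""
import secrets

TRACKING_COOKIE = "adid"  # constructed cookie name, not from any spec


def dnt_opt_out(headers: dict) -> bool:
    """True when this request carries DNT: 1 (user asked not to be tracked).
    HTTP header names are case-insensitive, so normalise before comparing.
    Assumption for this example: only the value '1' is an opt-out; an absent
    header or any other value means no preference was expressed here."""
    for name, value in headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def handle_request(headers: dict, cookies: dict) -> dict:
    """Decide, from this request's headers alone, whether the request may be
    attributed to a tracking identifier and whether to set the cookie.
    Nothing from earlier requests by the same client is consulted: that is
    what 'granular to the request level' means for a header-based signal."""
    if dnt_opt_out(headers):
        # Honour the preference: neither read nor set the tracking identifier.
        return {"set_cookie": None, "tracking_id": None}
    tracking_id = cookies.get(TRACKING_COOKIE) or secrets.token_hex(8)
    set_cookie = None if TRACKING_COOKIE in cookies else f"{TRACKING_COOKIE}={tracking_id}"
    return {"set_cookie": set_cookie, "tracking_id": tracking_id}


def replay(requests: list) -> list:
    """Drive a constructed sequence of requests from one client through the
    handler, carrying cookies forward the way a browser would, and return
    the tracking identifier used (or None) for each request."""
    jar, results = {}, []
    for headers in requests:
        resp = handle_request(headers, dict(jar))
        if resp["set_cookie"]:
            name, value = resp["set_cookie"].split("=", 1)
            jar[name] = value
        results.append(resp["tracking_id"])
    return results
```

Note that the third request is not attributed even though the cookie already sits in the jar: the header on that request, not the client's history, drives the decision.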
Preliminary conclusions
- Success criteria potentially in conflict: adoption and ease-of-use can be in tension with privacy; open questions about self-enforcing mechanisms
- Privacy has its own specs and is also cross-cutting: minimization in APIs; fingerprintability; the Privacy Interest Group
- Necessary but not sufficient conditions:
  - representation of multiple stakeholders
  - requirements on, and interest from, browser vendors
  - sustained public and regulatory pressure
Beyond tracking and beyond privacy
"open, multi-stakeholder process" as a regulatory strategy
- Danny Weitzner
  - Deputy Chief Technology Officer for Internet Policy, Office of Science and Technology Policy
  - Formerly Technology & Society Domain Lead, W3C
- John Morris
  - Director of Internet Policy, National Telecommunications and Information Administration
  - Formerly Director of CDT's Internet Standards, Technology and Policy Project
Questions?