The W3C work on policy languages
Rigo Wenning (W3C) <rigo@w3.org>
Fundamentos Web 2007
3-5 October 2007
Gijon, Spain
What the user expects upon HTTP GET
Web Interaction is opaque
What really happens
200 OK
Cache-Control: max-age=21600
Connection: close
Date: Mon, 01 Oct 2007 07:50:36 GMT
ETag: "PUB1ba66883ff5e056e7e2763fa6894b363"
Content-Type: text/html
Expires: Mon, 01 Oct 2007 13:50:36 GMT
Last-Modified: Mon, 01 Oct 2007 07:50:36 GMT
Client-Date: Mon, 01 Oct 2007 07:50:37 GMT
Client-Peer: 128.30.52.51:80
P3P: policyref="http://www.w3.org/2001/05/P3P/p3p.xml"
Set-Cookie: cookieb2evosession=12430653_flMPkrWveJavRqhpmzT7BPcGyXHCJ9kR; expires=Thu, 28 Sep 2017 07:50:36 GMT; path=/; domain=.w3.org
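An added example, not part of the original slides: a short Python sketch that reads the response headers shown above and reports what the user never sees, namely how long the cookie persists, how widely it is scoped, and where the P3P policy lives. The function names are hypothetical and the cookie value is a constructed placeholder.

```python
from email.utils import parsedate_to_datetime
import re

# Headers taken from the slide above; the cookie value is replaced by a
# constructed placeholder so the sample stays short.
RAW = """\
200 OK
Date: Mon, 01 Oct 2007 07:50:36 GMT
P3P: policyref="http://www.w3.org/2001/05/P3P/p3p.xml"
Set-Cookie: cookieb2evosession=PLACEHOLDER; expires=Thu, 28 Sep 2017 07:50:36 GMT; path=/; domain=.w3.org
"""

def parse_headers(raw):
    """Map lower-cased header names to lists of values; skip the status line."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def cookie_report(set_cookie, served_at):
    """Summarise one Set-Cookie value: name, lifetime in days, domain scope."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    lifetime_days = None  # None means a session cookie (no expiry given)
    if "expires" in attrs:
        lifetime_days = (parsedate_to_datetime(attrs["expires"]) - served_at).days
    domain = attrs.get("domain", "")
    return {
        "name": parts[0].partition("=")[0],
        "lifetime_days": lifetime_days,
        "all_subdomains": domain.startswith("."),
        "domain": domain.lstrip("."),
    }

def radar(raw):
    """Collect the privacy-relevant facts hidden in a response's headers."""
    h = parse_headers(raw)
    served_at = parsedate_to_datetime(h["date"][0])
    m = re.search(r'policyref="([^"]+)"', " ".join(h.get("p3p", [])))
    return {
        "p3p_policyref": m.group(1) if m else None,
        "cookies": [cookie_report(c, served_at) for c in h.get("set-cookie", [])],
    }

if __name__ == "__main__":
    print(radar(RAW))
```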
Users want to know what's happening
Understanding the impact before the click
- Will the content after the click be harmful to me?
- Will it collect personal data, what will happen to it, who can see it?
- Who will have access to my photos; can I use found pictures in my document?
We want a radar, we want to know before it happens
Making the Web predictable
We are still on a learning curve
- PICS to determine whether a page is harmful
- P3P to determine the privacy impact
- Rights description like Creative Commons to know what one can do with the content
- …
The generic metadata model
Common to all approaches: Label data and give the User feedback
How can we use metadata
- To help with privacy and data collection
- Deal with illegal and harmful content?
- Know about data re-use on the Web?
- get stuff done?
Solutions?
- P3P, PICS, Creative Commons?
- What about SAML, XACML, Microformats?
- How to integrate?
PRIME
User centric Identity Management
- Negotiation protocol and anonymous credentials
- Data governance in the backend
- managing multiple identities with privacy in mind, not only SSO
Backend data governance
Access Control driven by metadata
- Role based access control to data
- Obligations on processing and deletion
- Sticky policies, Privacy ontologies
The Ispra Workshop
Do not create yet another language
- Many use cases, using a multitude of languages
- P3P, SAML, XACML, XML Sig, EPAL: how do they work together?
- Feeling that interoperable constraints are needed
The common ground for policy
Allowing for interoperable constraints on the Web
- By using a common way of using metadata
- by allowing common metadata models to work together
- Show my photos to people that attended Fundamentos Web?
Usable in Social Networks?
Do you think people understand what it means to publish?
- Secret Service would not have dared asking for FOAF, now it is there
- People think they are talking to friends while they are talking to the world
- No way to have limitations on groups without big brother
Usable in Blogging?
Everybody suffers from spam
- Reputation by individual knowledge today
- Reputation not transportable
- Not enough security considerations
What about DRM
DRM is just yet another constraint with specific semantics
- Labelling approach: Creative Commons
- Governance approach: ODRL
- Paternalistic approach: Content scrambling
PLING
Policy Languages Interest Group
- Not there to develop new languages
- Acting as a coordination point about use cases
- How can we make things work together (mixing & mangling & meshing up)
Find out approach
- OpenID and Blogging and Liberty?
- interoperable data governance for social networks?
- Very loose access control (control outreach)
- A platform for community building
Gracias
Feedback to rigo@w3.org
Very early in the development of the Web, W3C addressed policy issues. PICS was the first initiative to deal with illegal and harmful content. P3P followed, addressing privacy issues and the tracking of users on the Web. W3C held a workshop on DRM and the Web in 2001 and has followed the development of that issue since then. To gain more insight into the privacy challenge on the Web and to explore new approaches to solutions, W3C participated in research activities in Europe and the US. The talk will report on those activities, from the PRIME IST project and from the Policy Aware Web project. Both activities led to a workshop on privacy in October 2006. The outcome and perspective of this workshop will give the audience an outlook on developments of the near and not-so-near future.
My general idea is to show the hidden data collection, the problem with publication and the unknown audience that is behind, that people would not publish if advised how many people can read that etc turning, passing on through social networks, finding good images for your presentation (CC and DRM) and blogging into electronic health card to finally show how many policy languages there are and that there is no way to combine them.