W3C Workshop on Privacy and data usage control 04/05 October 2010, Cambridge (MA)
ISBN - 978-88-97253-01-3
by Lalana Kagal & Rigo Wenning

Workshop Report

I. Introduction

The workshop on Privacy and data usage control was mainly focused on how to make sure that data, once acquired, is used according to agreements made with the data subject. The participants not only discussed the enabling of privacy-enhanced commercial data flows and databases, they also talked about acquiring the data from the data subject in a fair and privacy-friendly way. This led to a useful discussion atmosphere where issues from the database community converged with issues of developers of user-facing software. This was augmented by some participants taking a step back and looking at high-level issues of the system: what the privacy requirements in such a system really are and what needs to be done. The result of this discussion are phrases such as "the system should not cause harm to me", complemented by an explanation of what "reasonable expectation of privacy" means in a legal system.

This workshop was part of a continuum of efforts to determine issues and possible remedies to privacy protection on the Web. This means this report has to be seen in the context of two other reports:

The report from the W3C Workshop on Access Control Application Scenarios, where W3C assessed issues around access control and found that in order to make XACML compatible for Web consumption, it has to be improved and needs richer semantics to achieve a higher level of interoperability. The workshop also explored privacy-friendly access control and credential mechanisms and stressed that one must avoid sending all credentials over, and only provide the ones that are needed. The community involved in this workshop is now actively working with TC XACML to improve the standard.

The report from the W3C Workshop on Privacy for Advanced Web APIs explored privacy issues around advanced Web APIs currently being developed at W3C. As APIs increasingly access data and device capabilities that are traditionally outside the browser sandbox, privacy challenges and risks of personal harm arise. For the first time, user interface issues were also discussed. Workshop participants considered implementation experience with current APIs such as geolocation, including how user interface considerations affect the privacy properties of APIs. Several candidate technologies were proposed, but no consensus emerged. Participants agreed to continue this conversation on a public mailing list, public-privacy@w3.org (with public archive).

The W3C Workshop on Privacy and data usage control focused on the fact that access control is not enough. How would data acquired in the context of an API be handled? How can the conditions acquired during an access control event be transported throughout the exchanges that take place between several services in our world based on division of labor? Though it partly considered the entire life cycle of personal data, the focus of this workshop was different from the earlier workshops, as it concentrated on the way we use data to accomplish tasks. Are those tasks legitimate? How can we make sure that the system helps us to distinguish between legitimate and not-so-legitimate tasks? How can we make sure that personal data is used in a responsible way? This necessarily includes discussions about the user's influence on the system, which led to some overlap with the preceding workshops.

II. User support

The opening talk of the Workshop by Frederick Hirsch reported issues raised by the W3C Workshop on Privacy for Advanced Web APIs and challenged the participants to think about possible remedies. This was complemented by Frank Wagner's report of real life challenges that arise in telecommunication providers' massive data processing environments.

Those challenges acted as ideal use cases exemplifying the life cycle of personal data, how it is acquired/transferred and how it is handled, used, retained and erased. The use cases were further explored in depth during the presentation on cross-site personalization.

The big question that arose was how to present these complex privacy choices and information to end users. The first conclusion was that relying solely on an analysis of context, network and protocol chatter to give privacy feedback to the user is not enough (as a cookie blocker does). So privacy is more than just restricting access to the user data via an API. What is the purpose for which the API needs to have that information, and how can this additional information be expressed and handled? Nick Doty showed a candidate design for the geolocation API that passes basic privacy information along with the API call. That data could then be used by the service to inform the user of the purpose or intention of the data collection. This was complemented by a position paper from Dave Raggett that was not presented but was introduced to the discussion by the chairs. Dave Raggett proposed a simple JSON serialization for establishing privacy semantics. Raggett's approach could easily be combined with Doty's design pattern to leverage existing semantics. Appropriate forums for a further discussion of these proposals are the public-privacy mailing list and the Device API Working Group.
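As an added illustration of the design pattern described above (not code from the report, nor from Doty's or Raggett's proposals), the following JavaScript models a geolocation-style request whose caller supplies a JSON privacy declaration that is checked against the user's preferences before access is granted, with the declaration then travelling with the data record so a downstream service can honour it; the field names, the user policy and the provider stub are all assumptions.

```javascript
// Added example (not code from the workshop report or from any presenter).
// Models a geolocation-style request that carries a JSON privacy declaration.

// Constructed user preferences: what the user is willing to allow.
const userPolicy = {
  allowedPurposes: new Set(["local-search", "navigation"]),
  maxRetentionDays: 30,
  allowThirdPartySharing: false,
};

// Check a requester's declaration against the user's policy.
// Returns the reasons for refusal; an empty list means the request is acceptable.
function checkDeclaration(decl, policy) {
  if (typeof decl !== "object" || decl === null) return ["missing declaration"];
  const problems = [];
  if (!policy.allowedPurposes.has(decl.purpose)) problems.push(`purpose not allowed: ${decl.purpose}`);
  if (!Number.isInteger(decl.retentionDays) || decl.retentionDays < 0) problems.push("retention unspecified");
  else if (decl.retentionDays > policy.maxRetentionDays) problems.push(`retention too long: ${decl.retentionDays} days`);
  if (decl.thirdPartySharing && !policy.allowThirdPartySharing) problems.push("third-party sharing not allowed");
  return problems;
}

// Obtain a position through an injected provider (stand-in for navigator.geolocation).
// Access is granted only when the declaration passes, and the returned record keeps
// the declaration attached as sticky metadata alongside the coordinates.
function requestLocation(decl, policy, provider) {
  const problems = checkDeclaration(decl, policy);
  if (problems.length > 0) return { granted: false, problems };
  const pos = provider.getCurrentPosition();
  return { granted: true, record: { coords: pos, privacy: { ...decl, acceptedAt: pos.timestamp } } };
}

// A downstream service consults the sticky metadata before reusing the record,
// so the conditions agreed at collection travel with the data.
function downstreamMayUse(record, purpose, nowMs) {
  const p = record.privacy;
  const expiryMs = p.acceptedAt + p.retentionDays * 86400000;
  return p.purpose === purpose && nowMs <= expiryMs;
}

// Constructed provider returning a fixed position, and two constructed declarations.
const fakeProvider = { getCurrentPosition: () => ({ lat: 42.36, lon: -71.09, timestamp: 1286208000000 }) };
const goodDecl = { purpose: "local-search", retentionDays: 7, thirdPartySharing: false };
const badDecl = { purpose: "advertising", retentionDays: 365, thirdPartySharing: true };
```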

Getting more information from the service will lead to the development of richer and better user interfaces that enable end users to make informed choices about how, why and for what purpose data about them is collected. It also allows end users to decide whether they are data controllers on behalf of others, for example when a service wants to access a user's address book. Workshop participants agreed that simplicity is key, yet hard to achieve. Providing a simple interface for developers and users alike that can adequately capture the complexity of the privacy constraints remains a challenge, and a topic for future workshops.

III. B2B is different

As the Workshop was on data usage and data handling, presentations also focused on how to create privacy metadata, how to leverage its use in business databases and how to accompany the flow of personal data and privacy metadata within and across enterprises. Presenters in this area proposed comparatively complex solutions. Unlike in the consumer-facing use cases, the complexity was not felt as an inhibitor, but generally people felt that research in simplification would also help in this space. This need for simplification is tangible in the semantics as well as in the protocols for sticky metadata and policies that need to remain associated with the actual data record they refer to. There is still a need to agree on semantics in the B2B environment. The suggested improvements from the Luxembourg Workshop were discussed and further refined at the margins of this Workshop.

IV. Further interdisciplinary Workshops suggested

Hal Abelson gave a high-level presentation on our expectations of privacy and discussed common myths of privacy. This triggered a fundamental discussion on the meaning of privacy in a networked digital society. It culminated in the phrase from Hal Abelson: "Users expect that software and use of personal data should not harm me." This was complemented by Erin Kenneally's presentation on Reasonable Expectations of Privacy (REP), where she explored what courts see as a reasonable expectation of privacy. We found a rather heterogeneous landscape. What are the things we should preserve? What has been proven to not be too harmful but generates a large overhead?

Both keynotes of the workshop were relatively high-level views of privacy issues and requirements and of how to tackle the current lack of attention to privacy in our systems:

On the first day, Jacques Bus gave an overview of six years at the head of the European Commission (EC) DG Information Society Trust & Security Unit. He gave an overview of the Future Internet initiatives of the EC and of how trust and security are critical to further development. The Web creates a transformational change in data collection and processing, as well as in communication and transactions. The solution to this challenge needs an interdisciplinary approach. This approach could also be referred to as Web Science. Concerning privacy, Bus insisted on controllability, which is inherent to the concept of data self-determination. But he said privacy alone is not enough. RISEPTIS was cited with the words: "Trust is the core of social order and economic prosperity."

Ken Anderson reported from the Ontario Privacy Commissioner's initiative on Privacy by Design. Privacy by Design is rather straightforward if dedicated systems are created. But what is less clear is what it means for general-purpose systems. Where do we apply the fair information principles? In the discussion, the point was raised that W3C is currently designing infrastructure that will be part of a highly generative, highly flexible application development platform. We, therefore, need to ask which of the design principles apply to the applications designed on top of our technology platform, and which ones apply to the platform itself. Ken summed up his presentation by noting the crucial point that Privacy by Design makes: namely, to think about what privacy means when designing a system instead of bolting it on after the first incidents occur. The latter won't work, and we have sufficient precedent for this fact.

The workshop demonstrated a breadth of approaches to privacy on the Web with conflicting goals: user-facing technologies that demand simplicity versus supporting complex, context-specific and rich interactions for B2B scenarios; approaches based on notice and consent that focus on data collection versus approaches based on accountability that focus on data use, not collection; the need for a privacy-aware evolution of the Web platform versus the need to design universally useful, generative technologies that can take the platform to the next level; and policy imperatives versus an economic framework that is fueled by personal data. Reconciling these perspectives is no easy task, and will require further discussion across different communities. The chairs recommend that this conversation between policy experts, legal scholars, and implementers continue in the short term on the public-privacy@w3.org mailing list, and in the mid to long term at follow-up privacy workshops.