Consortium takes a shot at sorting out Web user privacy and business
By Ellen Messmer
The World Wide Web Consortium (W3C) is trying to strike the
balance - a balance between Web site operators' need to collect
about visitors for marketing purposes and visitors' right to privacy.
However, as work on the group's Platform for Privacy Preferences
project gets under- way, some observers are concerned that the W3C's
ideal of user privacy may be falling victim to the more base desire
making a buck off valuable user data.
Yep, that's us, Basic instincts and all. BTW, W3C's _demographics_
interests have fallen off the map in the rush to 'privacy'. No one
even has the invaluable mass of anonymous user data, or even a
pointer to the efforts that exist (which we *did* have at W3C before
I handed it to Joseph).
The P3 specification is supposed to define a common format for
releases end-user data. The W3C said it hopes to have its
out by fall.
Close enough one-liner overview. Not for lack of trying: W3C doesn't
have a quick one-liner to offer anyway for this project (primarily
due to the uneasy inclusion of OPS; see below).
Quiz: try to find a page on w3.org with *one-line* summaries of all
Profiles in privacy
The P3 format includes a range of privacy profiles, such as
the Web merchant will resell the data the user discloses or otherwise
recycle it for marketing purposes, according to Tim Berners-Lee, W3C
director and inventor of the Web.
'The basis of P3 is that on the user side, there is a right and
choice to how that information is used,' Berners-Lee said.
Too broad a range. IMHO, there appears to be thought inherited from
IPWG that P3's vocabulary should be all-inclusive, leading to one of
these 34-way checkbox UIs. There are actually a very few useful
policies, but it's easier to get consensus by shoving everyone's
variant in there instead of holding the line at 3 levels.
Berners-Lee announced the P3 initiative at last month's Federal
Commission (FTC) hearings in Washington, D.C.
The FTC, which is concerned that consumer privacy has been
ignored as Web-based electronic commerce grows, last month spent a
hearing testimony about current online marketing practices.
Engineering Task Force's (IETF) Internet Privacy Working Group.
The IETF group came up with the concept 'as the first attempt to
implement notice and choice within the framework of the Internet,'
Deidre Mulligan, staff counsel at the Center for Democracy and
(CDT), an IETF participant.
The idea is that Web site operators can detail their privacy
practices, even creating different policies for each Web page.
At the FTC hearings, Berners-Lee gave a demonstration of what he
called a P3 mock-up, showing how an end user could call up a Web
'Mock' is right. I don't think it's visible to the public (damn
little of the Technology & Society domain is...), but it's a
gargantuan two-page HTML table of preferences with a band-aid on top
for setting 3 or four levels by macro. Admirable mockup, but it's
plainly the result of an MIT undergrad attempting to fathom what
'users' are, much less UI.
OPS in question
However, observers said it is questionable whether this
privacy element actually will make it into the P3 specifications
for release within a few months.
The outcome is questionable because the technical foundation for
the Open Profiling Specification (OPS), which mainly focuses on how
efficiently transfer user data, not keep it private.
OPS was submitted to the W3C as the basis for P3 by Netscape
Com-munications Corp. and Cambridge, Mass.-based start-up Firefly
Inc. OPS is based on Firefly's client/server Passport technology,
Klein, Firefly's vice president of marketing.
The Passport client software lets end users quickly transmit
about themselves to Web servers running Passport software.
This setup can simplify credit card processing or the delivery
information of interest to end users.
Barnes & Noble, Inc. and Yahoo, Inc. are among the sites using
Passport, Klein said.
However, privacy advocates stressed that OPS has no mechanism
reviewing privacy policies - P3's stated goal.
Rabbit in hat, rabbit out of hat. Watch as we skate around this one:
'P3 is about protecting privacy. It would let me ask, 'What are
data practices?' ' Mulligan said. 'But OPS doesn't give me any
information about the data protection practices of the entity you are
dealing with. OPS is about transferring data.'
'That observation is not completely incorrect,' said Joseph
a policy analyst at the W3C.
He conceded that the privacy part of P3 needs work.
Whoops, I take that back. Joseph hides the truth in plain sight.
But OPS will definitely be a part of P3, said Philip DesAutels,
managing the P3 effort. 'We are not modifying OPS,' he said.
Stubborn and indefensible, that's my Phillip. In the standards
process, never say never. Especially when you're grafting a llama
onto a swordfish -- OPS and privacy profiles are different beasts
entirely. Not modifying it just makes your life harder. A similar
last-minute hardline position on including PKCS-7 in DSIG has led..
well, where exactly has it led? Last I talked to Philip, he had me
specifically promise in the print edition that the 'DSIG arch' paper
would be obsoleted by July 1. No new paper exists. I have similar
questions about 'DSIG 2.0'.
About 30 W3C member companies - including AT&T, Microsoft Corp.,
and Netscape - met two weeks ago to hold the first meeting regarding
Although Netscape arch rival Microsoft has publicly voiced
OPS, there could still be a dogfight over P3 at the W3C. Microsoft
submitted a P3 proposal of its own.
Where there's smoke, there's flames...
PS. There's a new book out on LDAP by the creators: "LDAP:
Programming Directory-Enabled Applications" by Tim Howes and Mark
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
-----END PGP SIGNATURE-----
--- Rohit Khare /// MCI Internet Architecture (BOS) /// email@example.com Voice+Pager: (617) 960-5131 VNet: 370-5131 Fax: (617) 960-1009