Do Not Track: The Regulators’ Challenge.

This item also appears on the W3C blog.

The fine people at the UC Berkeley law school have pulled together an amazing two-day workshop about Web Tracking in Brussels. The conversation kicked off today with European Commissioner Neelie Kroes talking about privacy, self-regulation and do not track, and with Director General Robert Madelin and FTC Commissioner Julie Brill on the subsequent panel. Together, the three handed a sizable challenge to the Web standards community: Standardize Do Not Track within a year (or less), be transparent, be inclusive.

Neelie Kroes’ key points: While the advertising industry’s self-regulatory efforts are important and welcome, they aren’t enough. Tracking protection cannot be limited to just cookies (and cannot ignore other ways to create client state); it cannot be limited to just advertising or other specific sectors; and it cannot be limited to just the use of the data; instead, tracking protection needs to apply to data collection as well. Also, industry needs to address both Web and mobile tracking, and soon. Kroes’ challenge to industry: Standardize Do Not Track by June 2012. Come to the standards table.

FTC Commissioner Julie Brill spoke about the FTC’s efforts in the space over the last several years. She reminded us of the FTC’s staff paper and the five principles for an effective Do Not Track technology: 1. It must be easy to use (in fact, asked Brill, wouldn’t it be nice if the advertising industry was making opt-outs as easy to use as ads); 2. It must be effective; 3. It must be universal; 4. It must deal with collection as well as with use of information; 5. It must be persistent (and not go away after 5 days, or when you delete your cookies). As a significant footnote, Brill pointed out the special sensitivity of geolocation information, and the need for minimization there.

On standardization, Brill’s worry is that industry standardization might be too slow a process, and could possibly take beyond mid 2012.

Finally, Robert Madelin (Director General for the European Commission DG Information Society and Media) put the tracking conversation into the context of Internet regulation overall (“it can’t be a random walk between individual jurisdictions”) and the eG8, and into broader thinking about effective self-regulatory approaches. The sweet spot, according to Madelin, is somewhere in the middle between strongly mandated co-regulation and purely industry-led self-regulation: industry-led, yes – but inclusive, with a clear process, and with clear accountability and transparency to the public, and with a preference for shipping over the sort of perfection that can hold up agreement forever.

Nick Doty blogged about our plans with Do Not Track earlier today. We believe that the standards process provides an appropriate framework for conversations about not just the bits on the wire, but also the broader meaning of do not track.

Time to check in: Government Data Done Well and the Digital Agenda for Europe

This item also appears on the W3C blog.

Last October, the European Commission invited people to an unlikely unconference: What ideas did the larger community have that would help to drive the Digital Agenda for Europe forward?

One idea that came out of that meeting (backed, at the time, by W3C and our colleagues down the road at ETSI): Government Data Done Well. Could we join forces between the Digital Agenda’s focus on the use of public sector information as an economic driver on the one hand, and between the Open Data movement’s interests in openness and transparency on the other? And how would all of that translate into technology and standards? Can we drive Europe’s vision of Government data towards the full five stars?

Over the past few months, an impressive set of partners has come together within the Share-PSI initiative, and we’re now on the final stretch toward the Digital Agenda Assembly:

  • We have a Call for Participation out for a workshop on 10/11 May 2011. The workshop will be hosted by the European Commission in Brussels. We’re going to look at the interoperability story for Public Sector Information, broadly: What are the use cases? What are the obstacles that get into the way as public administrations try to put data online? We’re asking that question both from a technical perspective and a legal angle. Position papers due 15 April!
  • As of today, the Open Data Challenge is on. The panel of judges includes W3C Director Tim Berners-Lee and EU Commissioner Neelie Kroes. Prizes and awards of a total of EUR 20,000 are sponsored by various partners across industry: For ideas, for apps, for visualizations, and for public sector data sets. Of particular note, the Talis award for best use of Linked Data. Get your submissions ready!

All of this will feed into the Commission-organized Digital Agenda Assembly in June. We hope that we’ll have a great story to tell there, about the value of standards and the Web, about open data, and about the great applications that will come out of the Open Data Challenge.

Web Tracking Protection and User Privacy: Next Steps

This item also appears on the W3C blog.

There’s a lot of movement about Web Tracking and User Privacy lately, and it’s been almost two weeks since the last update.

We’ve since announced the W3C workshop on Web Tracking and User Privacy for 28/29 April 2011. The good people at the Center for Internet Technology Policy at Princeton have agreed to host us for this workshop. As always with W3C workshops, we’ll seek position papers from a broad community. We’ve lined up a great program committee (thanks all!) that will help us pull together the agenda of the workshop based on those position papers. Position papers are due by 25 March.

Earlier this week (see Alex Fowler’s announcement over at Mozilla), the IETF has published two relevant Internet-Drafts. Both are individual submissions, i.e., starting points for a broader community discussion. In the Overview of Universal Opt-Out Mechanisms for Web Tracking, Alissa Cooper and Hannes Tschofenig paint the larger landscape of available opt-out mechanisms — required reading for the April workshop. In Do Not Track: A Universal Third-Party Web Tracking Opt Out (also known as draft-mayer), Jonathan Mayer, Arvind Narayanan (both at Stanford), and Sid Stamm (Mozilla) propose a technical specification for a Do Not Track header.

How does their proposal compare to Microsoft’s Web Tracking Protection Member Submission? A few observations. Most importantly, draft-mayer focuses on the opt-out header; it doesn’t cover either the tracking list idea or the DOM property defined in the submission. Further, the draft distinguishes between three (not two) states: DNT: 1 (“I don’t want to be tracked”), DNT: 0 (“it’s ok to track me”), and no header — the latter case is called out explicitly as “no preference.” Another interesting addition is the use of DNT as an HTTP response header: The protocol proposed here is that Web sites that support “do not track” play the header back when they send a page, and that clients (and others) can use that to keep statistics about who’s respecting an opt-out.
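The three header states and the response-header echo described above, as an added Python example (not code from draft-mayer or from the Microsoft submission). The function names and the `*.example` hosts are made up for illustration, and treating a malformed value as "no preference" is an assumption of this example rather than something the post states.

```python
from collections import Counter
from enum import Enum


class DntPreference(Enum):
    OPT_OUT = "1"          # DNT: 1 -> "I don't want to be tracked"
    TRACKING_OK = "0"      # DNT: 0 -> "it's ok to track me"
    NO_PREFERENCE = None   # header absent -> "no preference"


def get_header(headers, name):
    """HTTP header names are case-insensitive; look one up in a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def parse_dnt(headers):
    """Map the DNT header onto the three states, never collapsing to two."""
    value = get_header(headers, "DNT")
    if value == "1":
        return DntPreference.OPT_OUT
    if value == "0":
        return DntPreference.TRACKING_OK
    # Assumption of this example: anything else counts as "no preference".
    return DntPreference.NO_PREFERENCE


def build_response_headers(request_headers, site_supports_dnt):
    """Server side: a supporting site plays the received header back."""
    response = {"Content-Type": "text/html"}
    pref = parse_dnt(request_headers)
    if site_supports_dnt and pref is not DntPreference.NO_PREFERENCE:
        response["DNT"] = pref.value
    return response


def tally_echoes(exchanges):
    """Client side: per host, count responses that echoed the sent preference."""
    stats = {}
    for host, request_headers, response_headers in exchanges:
        sent = parse_dnt(request_headers)
        if sent is DntPreference.NO_PREFERENCE:
            continue  # nothing was expressed, so there is nothing to echo
        echoed = parse_dnt(response_headers) is sent
        stats.setdefault(host, Counter())["echoed" if echoed else "silent"] += 1
    return stats


def demo():
    """Constructed exchanges: one site that echoes DNT, one that ignores it."""
    opt_out, allow, unset = {"dnt": "1"}, {"DNT": "0"}, {}
    exchanges = [
        ("supports.example", opt_out, build_response_headers(opt_out, True)),
        ("supports.example", allow, build_response_headers(allow, True)),
        ("silent.example", opt_out, build_response_headers(opt_out, False)),
        ("silent.example", unset, build_response_headers(unset, False)),
    ]
    return tally_echoes(exchanges)


if __name__ == "__main__":
    for host, counts in demo().items():
        print(host, dict(counts))
```

An echoed header only records that a site claims support for the opt-out; it says nothing about what the site actually collects or retains.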

Also worth comparing: The two statements on what “do not track” actually means. At first glance, they’re quite different in scope and in level of detail; Mozilla’s version has a long initial set of exceptions. Drilling down on what direction the definition of “do not track” should take will be an important agenda item for April.

Meanwhile, on the political stage: As the BBC reports, EU Member States aren’t prepared to actually enforce a European Directive about cookies and user tracking. Instead, we can expect the debate about behavioral advertising, opt-outs, and tracking protection lists to take center stage in Europe as well.

All of this suggests some interesting discussions in the Web Tracking space at the April workshop: Which of the tracking protection mechanisms are a good idea? What are the merits of the various design options? How do they interact with different cultural and legal expectations around the globe? Which ones should we take up for standards work at the W3C? What’s the right coordination story for this work?

Serendipitous reuse of data is good. Finality of data collection is good. Discuss.

I’m at the PrimeLife workshop on Open Data and Privacy. We’ve been trying to even frame the discussion all morning.

Here’s my framing of the interesting space of the discussion:

  • Let’s posit that public datasets are likely to include personally identified or identifiable information.
  • Let’s posit that the datasets are available for re-use, and that there are overwhelming public policy and economic incentives for that to happen.
  • Let’s posit that the data is actually re-used in a way that involves identifying the individuals the data are about.

Put differently, let’s assume that we have a hard clash between privacy principles and open data principles. What does a meaningful privacy conversation look like in this space?

Some quick links: Egypt, Tunisia, SSL, and the CA system.

In the context of the latest protest in the Middle East, we hear of governments launching man in the middle attacks against social network services — for example, we hear of JavaScript code injection on Facebook in Tunisia.

Many of us are quick to point at SSL as the defense of choice.

Alas, SSL is only as secure as the CAs you trust, and so this is the right time to recall Chris Soghoian’s and Sid Stamm’s work on certified lies (according to Soghoian and Stamm, Tunisia was (is?) one of the governments implicitly trusted by IE!), and the EFF’s SSL observatory.

Many — too many! — parties are trusted by today’s browsers, and the assumption that any particular government isn’t able to intercept your traffic just because the browser’s SSL indicators show up is, unfortunately, not always warranted.

Using VoIP with Viber & co? Better read the privacy policy.

If you’re following TechCrunch at all, then you’ll have seen its coverage of the Viber iPhone app: Another VOIP solution, reputedly with extremely good voice quality, using phone numbers as identifiers. 

When you start the viber app, it’ll actually transmit all mobile phone numbers in your address book to the service, and match them to other Viber users.  You’re then given a menu that shows you those entries in your address books who correspond to Viber users.  All very intuitive and nice, and a great user experience. Who wants five different phone books that aren’t in synch?

But, of course, there are a few questions to be asked here: What does Viber do with those data?  Am I signing up my colleagues and friends for free telephone harassment? What if I change my mind and move on? What’s the business model? (apparently, spending VC money and coming up with value added services later)

Cue the viber privacy policy.  It’s pleasantly short, doesn’t come in unreadable gray small print, and sounds fairly reasonable as far as the use of the address book data is concerned.  That’s all very good.

But then there’s this: “Viber also maintains call and connection logs to the system. These logs contain your internal Viber identification which is a combination of your account identification (i.e., your phone number) and Apple Unique Device Identification (“UDID”) or Android Device ID. All call and connection logs are maintained indefinitely.”  Traffic data retention, here we come.

The lessons?

At least two come to mind.  The first one is that, as network applications offer useful services based on highly private data (like my address book), they need to be extremely clear about the implications. When I first tried Viber, it didn’t tell me anything about the way in which those data would be used. While Viber’s privacy policy is fairly reasonable as far as the contact data are concerned, I needed to search for it online. I shouldn’t have to, the app should be clear right away about what it promises (or doesn’t promise).

The second one relates to data retention. NGOs like EDRI are rightly upset at EU plans for long-term and broad telecommunications data retention. But what does this particular game look like with VOIP companies? Some players, like Google Voice, give users a lot of control, and (beyond that) make sure they anonymize call data that they keep for their own purposes. Some players (like Skype, or Apple with FaceTime) are less than clear on what happens to call histories.  Yet others, like Viber, retain your communication behavior indefinitely, without any anonymization, but at least tell their users, if they know where to look.

It’s a shame that, as users of these services, we can’t just assume that call histories will be treated as the highly sensitive data they are.  It’s also a shame that we apparently can’t even expect to be told up front (and outside a policy document — even a well-written one) what the VoIP service providers will do with those data.  That needs to change.

 

Europe’s social networks meet industry meet the commission. #EUsocialnetworks

I’m in Brussels today, for another EU Commission workshop. This time, the goal is to get the more successful European social networks and others in industry into one room to talk about innovation and research, and do some matchmaking.

Mind you, the commission facilities at 25 avenue Beaulieu aren’t the best dating site, and many here are making it unnecessarily difficult — folks, if you go to an event like this, make sure your e-mail address and twitter account is on every single slide you show, and make sure you pack lots of business cards!

Still, the event is useful, and some common themes are emerging from social network providers’ presentations:

  • Regulation as a disproportionally heavy competitive disadvantage. Europeans will go to US social networking sites that don’t comply with European ideas and laws about privacy; social network providers in Europe struggle to comply, and struggle to develop competitive business models.
  • Without going into the details of how that mixes with privacy, many of the social networks that presented this morning based their business models on targeted advertising, often with US-based advertising partners.
  • Some (like XING) are trying to move away from the advertising model. In XING’s case, 80% of the revenue comes from subscribers and recruiters that use the service.
  • Most of the networks that presented here were directly linked to a natural or cultural identity. They typically focused on few countries; several of the largest ones are invitation-only, i.e., you need to be asked by an existing friend to join.

The constant subtext is that not just are they unable to compete with Facebook: It’s unlikely that Europe’s regulatory culture would have permitted a social network of the same popularity to thrive.

Striking, then, the short presentation in the afternoon by Zed Group, a digital entertainment and social gaming company: Time to market and global reach mean that country and culture specific social networks don’t cut it for them as a delivery mechanism — they’re going with Facebook right away.

What does this mean for Europe’s social network providers?

They might be able to survive in a national niche, serving the business needs of a telecom operator or publishing house that provides the requisite financial backing. They might end up as a Facebook or Google application. But in the current environment it’s unlikely that they’ll benefit from the global network effects that the Googles and Facebooks can leverage when they sell advertising, or serve as identity provider, or mine data to build new services.

Mining data is one of the concerns that the commission’s Stefano Bertolo brought up early in the day: Large social networks and large numbers of interactions imply an incredible scale in the data that can be used to train advanced algorithms, and that can serve to build innovative services. As those data are collected in the US, Europe’s research landscape suffers what might become a serious competitive disadvantage.

How can we collectively solve the problem, then? The commission is certainly doing the right thing in trying to bring the social networks together, and in trying to bring them into the Framework Program, and getting them to collaborate with other players in Europe. Yet, the framework program’s culture doesn’t necessarily match the sort of environment a startup wants to play in.

Looking at the big picture, though, the small players in this space need to find their own way to enable and benefit from network effects; as an aside, even the Facebooks and Googles will have a long-term interest in having a healthy and diverse Social Web ecosystem that they compete within. Key elements of that ecosystem will be:

  • A shared vision toward user privacy. Yes, many business models in this space are built on targeted advertising. Yes, some targeted advertising might be socially worrisome. But how meaningful is privacy (and child and youth protection) regulation when it will simply make US players dominant, even in the European market? This problem is hard.
  • Web Identity. An interoperable identity layer for the Web will enable more services to occur as identity providers, and will enable a broader set of applications to be built on top of social networks.
  • Advertising standards, perhaps. One of the interesting requests brought up by several speakers at the conference today was toward shared advertising standards — both to package ads, and to express user preferences and enable better ad targeting.
  • Federation of social Web transactions. The W3C Social Web Incubator Group has spent the last year surveying the space. The group is now working on another incubator that looks specifically at the federation use cases. If you’re interested in participating in this work, take a look at the Federated Social Web draft charter.

The big picture here is to enable the plethora of small-ish social networks to be able to serve as a shared social layer for both users and applications (that includes advertising, I suppose), at scale, while continuing to differentiate based on culture and target group and language and country and whatever else they’re differentiating on today.

Dear Scrabble, Put Away That Dictionary!

Some of the best fun while playing Scrabble are the strange word discussions: Does that word really exist? Can you find a book that it appears in? Can you find a dictionary that has it? (And can somebody please dust off that 19th century dictionary before we get it out?!) Is it a neologism or just plain antiquated? Or can you even convince your fellow scrabblers that a word exists…. that doesn’t?

Alas, no such fun with the electronic version: While it’s on first sight fine if the game looks up things in the dictionary, it takes out the doubt (the machine becomes the referee), and quickly gets frustrating when the players’ vocabulary is larger than the machine’s (yup, got there pretty quickly). In a game that’s all about playing with words, give my fellow players a chance to accept that strange word even if it isn’t in the dictionary — or even better, memorize it and use it against me when I play against the machine!

But don’t force us all to stick to the limits of the computer dictionary’s linguistic imagination, please. Back to those wooden bricks again.

Instagram is way too much fun.

I’ve been having way too much fun with instagram lately. On its face, it’s an iPhone app that applies all sorts of filters to make bad photos look worse (including an imitation of the lomography look, and including several others that seem intended to negate any progress in camera construction since 1890), in square format, and at an embarrassingly low resolution. (Who needs that 5MP camera in the new iPhone or any sort of color fidelity anyway…)

But under the surface, it’s a huge encouragement to really play with image composition, to try extreme colors and contrasts, and to try finding the beauty and interest in the bleak and underexposed. The ancient steel mill in Völklingen turns into a picture with few, if any hints, of being recent. The lights of the neighboring village, reflected in the Mosel river on an entirely too early and entirely too bleak evening, turn into something that almost looks like a painting.

If anything, I’ll keep playing, and I’ll probably start playing much more with some of the Lightroom options I haven’t yet started using, for the “real” photos.

If you’ve got an iPhone, give it a try!

Government Data Done Well, the EU Digital Agenda, and an unlikely unconference.

Last Monday, the European Commission held an unlikely unconference in Brussels, about “My big Idea for the Digital Agenda.” (In Brussels-speak, it was a “stakeholder day.”)

The idea: In order to help implementing Commissioner Kroes’ grand strategy for the Internet’s and Web’s future in Europe, crowdsource ideas, and let those who submitted them (and a few others) do the bake-off. Anybody could get into the room for this invitation-only event by submitting an idea on the Web. Ideas were refined and triaged in several rounds of ever growing groups (with some professional facilitators doing a fairly good job) during the morning, then presented to the plenary (and the Commissioner) in the afternoon.

Among the surviving ones: Beyond Raw Data: Public Sector Information, Done Well (with kudos to Jeni Tennison’s talk at the ICT 2010 conference a few weeks ago).

The gist of the idea: Innovation based on public sector information will require massive data integration across diverse silos. Integration works best when there’s interoperability. Interoperability demands standards work. What standards, then, should be used for public sector information? And how can we forge agreements on what these are?

At this point, it’s worthwhile thinking a bit about the larger context, and about the directions these discussions could take.

In Europe, the Digital Agenda is emphasizing the importance of public sector information as an economic driver. One of the actions under the agenda is the commission’s review of the 2003 Public Sector Information Directive; the commission is seeking input till 30 November in a public consultation. That public consultation is asking a lot of good questions, for example around the cost for public sector information. (Imagine there’s a 1 euro price tag per data set…) That’s important.

At the same time, we’re finally seeing a lot of government data get out in the open. Some of it might just be in Excel sheets, some of it might be in documents, and some of it might even get four or five stars on the scale of linked, open government data.

As pointed out in Tim Berners-Lee’s Putting Government Data Online Design Issues paper and the W3C eGov IG’s Publishing Open Government Data Note, putting out some data is the first, important step in getting public sector information available, and opening it up for innovation and use by outside parties (and by those inside the government, too!). It’s a step that shouldn’t be waiting for the data inventory, the standards roadmap, and the standards development, all of which can take a lot of time.

But that doesn’t mean that raw data is enough, or that, with the raw data out there, everything will fall in place: Governments need to go all the way to the five stars, and we need to collectively — geeks and governments! — figure out the path to getting there. In the puzzle that the commission’s policy review (in Europe), the raw data movement, and the call to go all the way to five star data form, Monday’s idea adds the missing piece: Agreements about formats, agreements about vocabularies, agreements about how to put data online, and do it right.

Let’s start the discussion on W3C’s eGov IG mailing list!
