The World Wide Web Consortium (W3C)  published a Privacy Workshop Report and minutes that recommend next steps for keeping privacy promises when exchanging sensitive information on the Web. Privacy and access control experts from America, Australia, Asia and Europe met in October 2006 in Ispra, Italy, to study Web privacy issues and solutions. W3C would like to thank the Joint Research Center of the European Commission for hosting that Workshop on Languages for Privacy Policy Negotiation and Semantics-Driven Enforcement.

On the Web, information collection and transfer are routine, often conducted by multiple parties in a manner transparent to the user. As more parties are granted access to information, it becomes more challenging to track chains of privacy promises and to enforce them. Tools can help, but tools require descriptions of access privileges, and such descriptions can be hard to formulate when so many parties are involved.

Though we may be familiar with scenarios such as a doctor exchanging patient information with a laboratory, these issues are not limited to large-scale enterprises. More individuals are sharing personal information (photos, blog entries, etc.) on the Web. They too recognize the need for more effective approaches for managing personal information, for describing who can access their information, and for learning who is to be held accountable when a given service does not respect their privacy preferences.

Previous W3C work on Web privacy, the Platform for Privacy Preferences Project (P3P), focused on how to express privacy preferences in a way that allows software to enforce those preferences. The Workshop explored a different set of questions: How can privacy promises be maintained as information changes hands? How can access control decisions and accountability mechanisms leverage the Web to help manage obligations and actions arising from the data exchange? How can community and user driven Web sites leverage access control and accountability frameworks? Workshop participants suggested that W3C charter an Interest Group as a forum for continued discussion of these questions.

One common obstacle toward progress on integrated privacy approaches for both enterprise processes and the Web is the lack of interoperability between different policy languages. Current policy mechanisms are tailored to specific use cases and serve those use cases well. But today's enterprise and Web environments require a tight coupling of different approaches. Participants in the Workshop agreed that the community should embrace the reality of policy language diversity and work on facilitating connections among these multiple languages, rather than trying to create a single combined policy language to cover the entire field of personal information processing and access control. W3C is participating in the PRIME and PAW projects, which promise to provide valuable input into future work in this area.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access