Opt-in? How about a user oriented scenario

From: Dominic Pinto <dominic.pinto@ieee.org>
Date: Thu Sep 06 2001 - 13:32:22 EDT

Apologies that, as I've been away/doing other things, mail has built up.
I'll try and keep comments reasonably short as they may have been
overtaken by events.

Note that I'm approaching this from a user perspective, and may not
adequately distinguish between network protocols which facilitate or
provide the mechanisms for applications to use seamlessly end to end.
>
> I think that opt-in vs. opt-out is an oversimplified model of the
> privacy issues that we face. I would strongly prefer that we try to
> ensure that the requirements encompass or address some instance of the
> fair information practices (notice, consent, limits on collection and
> use, quality requirements, security, openness, accountability.) Some
> of these (accountability) are hard to meaningfully encode, although
> p3p may offer ways to encode the idea of "go here to ask questions or
> raise complaints."

The scenario is one of 100s (if not 1000s?) of regular and occasional
relationships a user may have, and where users' mobility is such that a
range of different access channels may be used - from home, on the move,
at work, at play, shopping, etc., and need not be from fixed points
(although there may well be a deal of predictable behaviour here).
Machines or devices used may be static, may be shared/public, may be
mobile, and owned or operated by a variety of organisations as well as
an individual user or their employer. In many cases the location
information may not be an issue of interest. Credit card companies
looking for unusual patterns of spending (which may indicate fraud)
would legitimately require (perhaps!) as a condition of use that a
customer provide a continuous authority to enable
identification/location data to be supplied with every transaction. That
should not automatically allow the company to build a usage profile (or
share data with others to do similar) to enable offers to be targeted to
individuals, should it?

We need a workable model which is flexible, which doesn't require
constant confirmation of ID/authority to release for established
relationships, which is flexible so that this can be changed, which
allows the user to authorise for individual transactions, and which is
safeguarded and secures an individual's identity and related information
(say bank account details, etc).

OK - would a model (possibly this is a form of delegation referred to in
another thread?) which has a trusted/trustworthy party holding
identification data, which enables the user to confirm either on each
occasion or for a particular supplier - entirely at the user's discretion
- that the verifying information can be released be a way forward?
Several layers could be provided: simple, basic, which provides the
release of enough data which allows the user say access to a mail
account. Higher levels and additional data may be required by a supplier
to allow the user to sign up for premium content, news, video content,
or purchase/download video content, music, or access bank account, tax,
medical records, and other details. In all cases the data needs to be
secured - whilst passing between one end and the other, transiting
multiple networks, and also when stored by suppliers or trusted parties
(where not the supplier).

This is opt-in - i.e. it is not automatic unless a user has consciously
already authorised this (like for say a long-term relationship for
banking, payment of taxes, etc). It doesn't prevent a supplier from
acting as a trusted agent, but any trusted agent in this way would need
to meet reasonable standards as to the secure collection and storage of
identity and related data. I guess it would be regarded as beyond the
boundaries of the network, but a two-part authorisation - say a
smartcard coded for access coupled with some password protection would
form one part, which needs to be linked to the previously authorised
trusted party - would confirm sufficient information to enable access to
the service and then the higher levels. There's an assumption that the
identity information (and optional related data like credit/debit
payment details) is valid, validated, etc., by means which are not
directly the responsibility of the transport mechanisms, of course. So
false information/identities would be equally protected once
established.

> The notice and consent practices mean that we're looking at something
> like opt-in, but even opt-in means "ok, here's my data, have fun."
> We can do better.
>
We have to do better!

-- 
Dominic Pinto
-------------
----------------------------------------------------------------------
Check out FITCE - the Federation of European Telecom Experts and
Engineers
at http://www.fitce.org
----------------------------------------------------------------------
Received on Thu Sep 6 15:41:04 2001

This archive was generated by hypermail 2.1.8 : Thu Jan 22 2004 - 12:32:22 EST
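The release model sketched in the message above (a trusted party holding the identity data, layered release levels, a standing authority for established relationships, a per-transaction authority otherwise, two-part authentication before anything is released, and use limited to the purpose the user agreed to, so the card company's fraud-check authority does not double as a profiling licence) can be written down as a small policy engine. The code below is an added illustration, not part of the original post or of any real system; the tier names, purpose labels, supplier names, credentials and attribute values are all constructed for the example.

```python
"""Trusted-party identity release with user-controlled, purpose-bound grants.
Added example for the mailing-list message above; every name and value here is
constructed for illustration and is not from the original post."""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac
import secrets

# Release levels, lowest first: a grant at one level also covers the levels below it.
TIERS = ("basic", "premium", "financial", "sensitive")


def tier_rank(tier: str) -> int:
    return TIERS.index(tier)


@dataclass
class Grant:
    max_tier: str                       # highest level the supplier may receive
    purposes: frozenset                 # what the supplier may use the data for
    txn_id: Optional[str] = None        # set -> one-shot grant bound to one transaction


@dataclass
class IdentityHolder:
    """The trusted party: the user's attributes by tier plus the user's own release policy."""
    attributes: dict                    # tier -> {attribute name: value}
    card_hash: bytes                    # digest of the smartcard secret (something held)
    pw_hash: bytes                      # digest of the password (something known)
    grants: dict = field(default_factory=dict)    # supplier -> [Grant, ...]
    sessions: set = field(default_factory=set)
    audit: list = field(default_factory=list)     # (supplier, tier, purpose, outcome)

    @staticmethod
    def digest(secret: str) -> bytes:
        # Stand-in for real credential verification (a password KDF, a card challenge-response).
        return hashlib.sha256(secret.encode()).digest()

    def authenticate(self, card_secret: str, password: str) -> Optional[str]:
        """Two-part authorisation: both factors must verify before any release is possible."""
        card_ok = hmac.compare_digest(self.digest(card_secret), self.card_hash)
        pw_ok = hmac.compare_digest(self.digest(password), self.pw_hash)
        if not (card_ok and pw_ok):
            return None
        session = secrets.token_hex(16)
        self.sessions.add(session)
        return session

    # The user's policy: a standing relationship, a one-off transaction, or withdrawal.
    def authorise(self, supplier, max_tier, purposes, txn_id=None):
        self.grants.setdefault(supplier, []).append(Grant(max_tier, frozenset(purposes), txn_id))

    def revoke(self, supplier):
        self.grants.pop(supplier, None)

    def release(self, session, supplier, tier, purpose, txn_id=None) -> Optional[dict]:
        """Return attributes up to `tier` only, or None with the reason in the audit trail."""
        def deny(reason):
            self.audit.append((supplier, tier, purpose, "denied: " + reason))
            return None

        if session not in self.sessions:
            return deny("no authenticated user session")
        for grant in list(self.grants.get(supplier, [])):
            if tier_rank(tier) > tier_rank(grant.max_tier):
                continue                         # asking for more than the user allowed
            if purpose not in grant.purposes:
                continue                         # allowed data, but not for this use
            if grant.txn_id is not None and grant.txn_id != txn_id:
                continue                         # one-shot grant for a different transaction
            if grant.txn_id is not None:
                self.grants[supplier].remove(grant)   # consumed: a replay of the same txn fails
            payload = {}
            for t in TIERS[: tier_rank(tier) + 1]:   # only up to the requested level
                payload.update(self.attributes.get(t, {}))
            self.audit.append((supplier, tier, purpose, "released"))
            return payload
        return deny("no matching user authorisation")


def demo():
    """Walk through the scenarios in the message with constructed sample data."""
    holder = IdentityHolder(
        attributes={
            "basic": {"display_name": "A. User", "email": "a.user@example.org"},
            "premium": {"postal_address": "1 Example Street"},
            "financial": {"card_number": "4111 1111 1111 1111", "last_location": "51.5N,0.1W"},
            "sensitive": {"medical_record_id": "MR-000001"},
        },
        card_hash=IdentityHolder.digest("card-secret"),
        pw_hash=IdentityHolder.digest("correct horse"),
    )
    results = {}
    results["bad_login"] = holder.authenticate("card-secret", "wrong")      # one factor fails
    s = holder.authenticate("card-secret", "correct horse")
    holder.authorise("cardco", "financial", {"fraud_check"})               # standing authority
    results["fraud"] = holder.release(s, "cardco", "financial", "fraud_check")
    results["profiling"] = holder.release(s, "cardco", "financial", "marketing")
    holder.authorise("webmail", "basic", {"login"})                        # lowest level only
    results["mail"] = holder.release(s, "webmail", "basic", "login")
    results["mail_premium"] = holder.release(s, "webmail", "premium", "login")
    holder.authorise("musicshop", "financial", {"payment"}, txn_id="order-42")   # one-off
    results["purchase"] = holder.release(s, "musicshop", "financial", "payment", txn_id="order-42")
    results["replay"] = holder.release(s, "musicshop", "financial", "payment", txn_id="order-42")
    holder.revoke("cardco")                                                # relationship ended
    results["after_revoke"] = holder.release(s, "cardco", "financial", "fraud_check")
    return results, holder.audit
```

Running `demo()` gives the card company its fraud-check data but refuses the same data for marketing, gives the mail provider only the basic level, honours the one-off purchase grant exactly once, and refuses everything once the user has withdrawn the standing authority. The payload is always cut at the requested level rather than the grant's ceiling, and every decision lands in the audit list, which is the openness and accountability side of the fair-information practices quoted in the message.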