fbpx


Most websites now have privacy policies and it is a good idea to read them, especially if it is a company you have not done business with before. Some privacy policies amount to "We capture data about you and we sell it or give it to anyone we choose". Other companies have a policy like "We will always tell you if we are capturing your personal data. We will never give it away or sell it. If we want to use it in any way other than to fulfill an order or something you asked of us we will ask your permission first. We guard all data with extremely tight backup and security procedures to insure your data is never compromised". That is a good policy but how does a company insure they are actually complying with their own policy?

In effect what is required is to be able to drive IT via the company privacy policy. Easy to say — a lot of work to do. The key thing is to have a standard way of doing it and fortunately such a standard has just been finalized by the World Wide Web Consortium. The W3C has formally accepted the Enterprise Privacy Authorization Language (EPAL) as a Royalty Free Member Submission from IBM. This puts EPAL in the public domain, and is the first step on the road towards standardization.

IBM Research and Tivoli have been working on EPAL for a long time. EPAL creates a traceable link between natural language text and machine readable policies and thereby ensures consistency of policy enforcement across a wide variety of IT infrastructure. One result will be the ability to react quickly to changes in law and interpretations of law. The launch of EPAL is very significant. “A major milestone along the road to effective policy has been achieved”, said Steve Adler, Market Manager for Privacy and Compliance in the IBM Tivoli Security & Privacy group.

Another standard from the W3C called P3P, the platform for privacy preferences, provides a way for companies to communicate what their privacy policy actually is and users a way to have a simple, automated way to gain more control over the use of their personal information on Web sites they visit. At its most basic level, P3P is a standardized set of multiple-choice questions, covering all the major aspects of a web site’s privacy policies. Taken together, they present a clear snapshot of how a site handles personal information about its users. P3P-enabled web sites make this information available in a standard, machine-readable format. P3P enabled browsers can then “read” this snapshot automatically so that the user can compare it to their privacy preferences. P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, enables users to act on what they see. P3P will allow you to establish the degree of privacy you want to have. Some of us may want to be anonymous. That’s okay. Some may conclude that they really like the idea of getting e-mails and personalized web pages. Some may even like the idea of an e-business which sorts through past web purchases and then makes buying recommendations based on the history. They may be very busy and don’t have time to shop so if somebody can make suggestions for them it may be a valuable service. That’s okay too. P3P will enable us all to express our preferences in the browser and then help us to find those services that meet our individual privacy requirements. If a web site doesn’t meet our privacy requirements, we will be advised and have the choice to move on to a different site.

How does EPAL relate to P3P? You can think of EPAL as the “back end” for privacy policy management and P3P as the “front end”.The interaction of EPAL and P3P in effect allows promises to become practices and practices to become promises.

What about privacy when using instant messaging? Yes, there is a dark side of IM – it can be abused like any good tool can. Most instant messaging systems on the market have privacy options to help with this. For example, you can select who can see you when you are online. Options include anyone and everyone, only a specified list of people, everybody except a specified list of people, or nobody. You can also set modes of operation such as “I am away” or “Do not disturb”. It is mostly self-regulating. People are generally sensitive and follow the golden rule of instant messaging — do unto others as you would have them do unto you.

Part of Trust comes from seeing people up close and personal. Looking into their eyes. Observing whether they look back into yours. Body language. I often get asked whether the Internet as a new medium will reduce people’s desire to get together in person or whether people will just sit in front of their PC and never go anywhere. I don’t think so. Perhaps the ultimate proof point is web sites for seniors like SeniorNet and ThirdAge that have been responsible, at least in part, for numerous marriages. People will have a lot of e-meetings but I don’t think people will give up on meeting in person as a result. There is too much that would be missed.