67
edits
Privacy/Policy/NTIA RFC: Difference between revisions
Jump to navigation
Jump to search
→III. Mozilla's Experience: Considerations for Implementing Multi Stakeholder Processes
| Line 127: | Line 127: | ||
From our analysis, we would end up ranking privacy considerations for online services directed at teenagers as an ideal area for a code, given the maturity and number of accountable industry and public interest groups already working on kids privacy as a result of the Children's Online Privacy Protection Act. Likewise, looking to codes in the area of collecting personal data via multiple technologies (e.g., cookies, LSOs and cache) is another area where we see technology standards groups being well positioned and public interest groups having substantial experience working together with business and consumers to be a potentially good area for a code of conduct. | From our analysis, we would end up ranking privacy considerations for online services directed at teenagers as an ideal area for a code, given the maturity and number of accountable industry and public interest groups already working on kids privacy as a result of the Children's Online Privacy Protection Act. Likewise, looking to codes in the area of collecting personal data via multiple technologies (e.g., cookies, LSOs and cache) is another area where we see technology standards groups being well positioned and public interest groups having substantial experience working together with business and consumers to be a potentially good area for a code of conduct. | ||
====Mozilla supports a process that is open and transparent while at the same time develops effective and meaningful codes of conduct.==== | ====Mozilla supports a process that is open and transparent while at the same time develops effective and meaningful codes of conduct.==== | ||
=====A. Open Participation===== | |||
A. Open Participation | |||
To maintain an open, transparent process, first and foremost, it is critical to make available all relevant documents, drafts, ideas, etc. on process, guidelines, meeting plans, and meeting notes through the following suggested methods: | |||
* Post information on an open, accessible site, such as a wiki. See https://wiki.mozilla.org/ for example. This will promote transparency and participation. | |||
* Hold open discussions on the web (e.g., webcast), via Internet Relay Chat (IRC) or by an open conference call for anyone to dial in, in order to maximize inclusiveness. As additional options to holding meetings in person, these formats may enable those who lack resources to send delegates to in person meetings may still participate. | |||
* Do not require pre-requisites, such as position papers, to attend meetings. However, such optional papers can and should be submitted by posting them openly on the web, in an open format (preferably HTML) in a way humans can easily view them on any web browser, and search engines can easily index. | |||
* Communicate with stakeholders through an email list that is open for anyone to join. | |||
* Foster broad community participation early and often. | |||
=====B. Transparency===== | |||
======Technology====== | |||
Mozilla believes that the technology used to promote the process can affect the transparency of the process as much as the procedural rules. Therefore, we would recommend that all documentation use open web standards like HTML that can be implemented in multiple viewers and rendered in ways that are searchable and accessible at the lowest cost to stakeholders and the public. | |||
======Process====== | |||
To facilitate a transparent process, we recommend that discussions during in-person meetings be documented in meeting minutes by voluntary minute-takers (as designated by the chair of the meeting). A technology that may be useful for this is Etherpad (e.g. https://etherpad.mozilla.org ), where others in the meetings can also add to the minutes and make corrections as necessary in real-time. | |||
======Procedures stakeholders should follow to explain decisions====== | |||
Stakeholders should publish their explanations of decisions on issues discussed on the web, preferably on an open wiki, and cite sources for their reasoning (using URLs). Stakeholders should also cite the minutes/notes of their meetings with other stakeholders to explain decisions they have reached in concert. | |||
There are several lessons from existing consensus-based, multi-stakeholder processes in the realms of Internet policy or technical standard-setting that could be applied to the privacy multi-stakeholder process. We recommend a study of the W3C, IETF, WHATWG and microformats.org organizations. Many of the points those processes have come up with are summarized in this blog post by one of our contributors, Tantek Çelik: http://tantek.com/2011/168/b1/practices-good-open-web-standards-development. | |||
======Defining & Incentivizing Consensus====== | |||
There are numerous factors in reaching consensus and they tend to differ based on the people involved and the issues at hand. For example, the W3C defines consensus roughly as a position which is either absent of objections, or has the least significant objections among several options. | |||
The NTIA can encourage consensus by requiring that all proposals be posted publicly and all discussions be posted publicly which will encourage stakeholders to think with a broader perspective than simply their own self-interests. Let sub-groups of stakeholders form organically rather than attempting to facilitate anything in particular. To keep the overall process transparent, make sure that all materials discussed are published openly on the web, and that meeting plans/attendees/minutes/notes are similarly published openly on the | |||
web. | |||
====Requirements for a multi-stakeholder process==== | |||
Mozilla supports efforts to implement codes of conduct that would bring at least the level of technological and legal principles around privacy afforded to users of the web to the development of mobile apps. | |||
Therefore, the key requirements that a multi-stakeholder process will need to identify for privacy considerations to be addressed adequately are: | |||
# What are the privacy best practices that should influence the design of mobile apps and associated hosted services to provide user transparency and choice? | |||
# What are the legal or regulatory ramifications for failing to follow the codes of conduct? | |||
# How much will such codes of conduct continue to allow for innovation around novel uses of data that have user benefit? | |||
==== Current illustrative privacy practices ==== | |||
Mozilla continues to implement a variety of consumer data privacy innovations in the creation of its products that we believe may help provide examples of potential areas for codes of conduct. We design our products with the following principles in mind (paraphrased from http://www.mozilla.org/en-US/privacy/ ): | |||
* No Surprises | |||
** Certain collection, use or disclosure of data sometimes unexpectedly suprises users. This means that, for unexpected collection, use and disclosure of data, we work hard to implement product-level notices and interactions that let users know and understand the data we collect and how we use it. | |||
* Real Choices, User Control and Sensible Settings | |||
** We give our users actionable and informed choices. We establish default settings that we try to align with user expectation as much as possible. | |||
* Limited Data | |||
** We collect and retain the least amount of information necessary for the feature or task. | |||
* Third Parties. We make privacy a key factor in selecting and interacting with partners. | |||
From a design perspective, we take into account a three-level approach to privacy notifications as we roll out and update our products: | |||
# In-product disclosures as the behavior of a feature or privacy notification. | |||
# Settings that allow users to opt-in or opt-out of various collections, uses or disclosures of their data either separate from default or after they have made a privacy impacting choice. | |||
# An understandable but sufficiently detailed Privacy Policy. | |||
Mozilla is in the process of launching an open HTML5 application marketplace (https://marketplace.mozilla.org ). We are considering a range of privacy-related features including the following guidelines for application developers to improve the privacy of their applications: | |||
* design your app so that what you want to do with user data is what users think you are actually doing with it. | |||
* give the user as much control over their data as you can. | |||
* limit your data collection and use to only the data that you need. | |||
* design your app to protect the security of your user's data in its collection, storage and use. | |||
* respond to user questions and concerns about your privacy practices. | |||
* avoid 'secret' updates | |||
* make your use of social or local features transparent and give (i) people a way to turn automatic sharing off and (ii) granular control over these features | |||
* obtain consent from users when necessary, especially for location and other sensitive information | |||
that | |||
====Accountability==== | ====Accountability==== | ||
We believe that a clear accountability framework is necessary to help make a resulting code of conduct a meaningful exercise. Such an accountability framework should, at a minimum, involve: | |||
We believe that a clear accountability framework is necessary to help make a resulting | * clear, consistent rules around what constitute a violation of the code of conduct, and | ||
* balance user-centric innovation for uses of data with the need for more transparency and user control around their data. | |||
===IV. Public Resources from Mozilla on Privacy and Security=== | ===IV. Public Resources from Mozilla on Privacy and Security=== | ||