
Is there a way to really help manage online privacy?

29 June 2011
by Guest author


Today’s post is contributed by John Sabo, Chair, OASIS IDtrust Member Section Steering Committee and Director of Global Government Relations at CA Technologies. John will be addressing the OECD High Level Meeting on the Internet Economy: Generating Innovation and Growth, taking place on 28-29 June. Ministers, internet experts and internet economy business leaders will discuss and adopt shared principles for a continued open and trusted Internet. 

How can business and policy makers address data protection and privacy issues as innovation spurs the creation every week of new Internet technologies and business models? 

It’s not as if the policy and technology communities are sitting on their hands.  Major organizations such as the World Economic Forum have published studies bringing attention to the issue, for example examining privacy and cloud computing. The work underway to revamp the European Data Protection Directive is a significant effort.  Likewise, government initiatives, such as the U.S. National Strategy for Trusted Identities in Cyberspace, prominently include data privacy as a core component.  And in the technical community, we see initiatives designed to enhance privacy and trust in federated identity systems such as those sponsored by the Kantara Initiative and the Open Identity Exchange.  Unfortunately, while valuable, ad hoc initiatives represent an incomplete path for actually delivering Internet-scale online privacy and trust.  

A huge complicating factor is that the expectations of individuals about how their personal information should be collected, communicated, used, protected and deleted are anything but uniform and are heavily context- and time-dependent. Such dependency is replete with twists and turns that make data protection and privacy management difficult. My smartphone helps me navigate, but in the process is collecting, storing and transmitting personal information to…to whom? Who is aggregating it, what privacy and security controls are in place, and is it even possible to trace the data flows? My favorite social network site has made me happy for a while, but now I’m worried about my professional image, and I want my social graph expunged. Unfortunately, while I may now choose an offline social world, my personal information may live forever in cyberspace to be used in other contexts. Individuals have few capabilities to manage their context-dependent privacy choices, and yet the online systems and devices they rely on likewise have virtually no technical mechanisms available to support privacy policy management across systems, applications and jurisdictional boundaries.

It would be naïve to argue that there is a simple, elegant solution to these problems.  But there is a path forward, which is the greater use of the expertise and resources of standards development organizations that are addressing privacy risk management issues from a framework-level perspective.  ISO/IEC is developing a privacy framework (ISO/IEC 29100), a privacy capability assessment framework (ISO/IEC 29190), and a privacy reference architecture (ISO/IEC 29101). In the OASIS standards organization, the Privacy Management Reference Model Technical Committee, which I co-chair, is developing a standard that will address systemic, lifecycle privacy management and provide a tool to help manage contextual privacy policies and requirements. 

A very important characteristic of these framework-level initiatives is ongoing and close collaboration among policymakers and technical standards experts, through which interdependent data privacy policy and technical management requirements will become better understood and defined.  This is the kind of collaboration that we need to move from never-ending privacy discussions toward harmonized policies, internationally-recognized standards, new technical solutions and increased privacy trust.

Useful links

OECD work on the Internet economy

You can follow the discussions via live webcast at:
