6.1 Standards and policies

Standard-setting allows industry-wide cost savings thanks to economies of scale (cf. e.g. [281]), and so is generally speaking a good thing. But there are potential pitfalls [36]. It may be that one or two large firms have the capability in an industry to dominate standards, and ensure that smaller competitors and suppliers follow. Market leaders can use such standards to stay one or two steps ahead of the pack. Standards wars can be wasteful of R&D effort (cf. the recent battles over the next generation of DVD formats). Negotiated standards, where everyone prefers a standard to no standard, are likely to produce the best outcomes in an industry, and the existence of effective bodies, perceived to be neutral, whose only agenda is an engineering one, is an important aspect of Web governance.
In the case of the Web, standards are needed to ensure the preservation of its essential architectural properties, combined with decentralisation, flexibility and usability, in a sphere where the social aspects of use are not yet fixed. Information-sharing has traditionally been limited, and embedded within well-understood contexts. So, for instance, sharing a photograph has traditionally involved handing over a physical object. The trajectory of such an object is relatively easily traceable. Misuse of the object is relatively detectable. And even if the actual misuser cannot be found, culpable individuals (i.e. the person who lent the photograph without permission) can be. Digital technologies have changed all that. Sharing a digital photograph facilitates massive copying and dissemination with little recourse to the user, even if it is discovered.
Standards and policies designed to make good behaviour easier and more likely are therefore required. Such policies, typically, will specify who can use or modify resources, and under what conditions. Policy awareness involves ensuring users have accessible and understandable views of policies associated with particular Web resources, which will not only support good behaviour but make it possible to identify breaches and thereby root out bad behaviour. The space for policy aware infrastructure will be in the deployment of the upper layers of the Semantic Web, as shown in Figure 3.2. Rules should be deployable which will enable the scalable production and exchange of proofs of rights of access [287].
Policy awareness, because of the particular context of the Web, will have to be markedly different from current approaches to information security and access control, which exploit mechanisms that require coordination and costly maintenance (e.g. PKI systems), and which therefore are over-prescriptive for general use on the Web. Even routine password-controlled access can be irksome. Weitzner et al. describe the dilemma of someone wanting temporary access to restricted material. Raising that person’s security grade risks allowing him or her to see other restricted material, while declassifying the material risks allowing others access to it [287].
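The dilemma of temporary access can be made concrete by counting the access each option creates beyond the one user and one document intended. The following is an added example, not code from the original text or from [287]; the users, documents, grades and the `Grant` rule are constructed assumptions, and the scoped grant is only one illustrative alternative to grade-based control.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data: 0 = public, 1 = restricted.
USERS = {"alice": 1, "bob": 0, "carol": 0}            # clearance grades
DOCS = {"budget": 1, "payroll": 1, "newsletter": 0}   # classifications

@dataclass(frozen=True)
class Grant:
    """Hypothetical scoped rule: one user, one resource, one time window."""
    user: str
    doc: str
    start: datetime
    end: datetime

def readable(users, docs, grants=(), now=None):
    """All (user, doc) pairs allowed by grade comparison plus any live grants."""
    pairs = {(u, d) for u, g in users.items() for d, c in docs.items() if g >= c}
    pairs |= {(g.user, g.doc) for g in grants if g.start <= now < g.end}
    return pairs

def side_effects(baseline, changed, wanted):
    """Access created by a change beyond the single pair that was intended."""
    return changed - baseline - {wanted}

def compare(now):
    wanted = ("bob", "budget")  # bob needs temporary access to one document
    base = readable(USERS, DOCS)
    grant = Grant("bob", "budget", now, now + timedelta(hours=1))
    return {
        # Option 1: raise bob's grade; he also gains every other restricted doc.
        "raise_grade": side_effects(base, readable({**USERS, "bob": 1}, DOCS), wanted),
        # Option 2: declassify the doc; every other low-grade user gains it too.
        "declassify": side_effects(base, readable(USERS, {**DOCS, "budget": 0}), wanted),
        # Scoped rule: only the intended pair is added, and only inside the window.
        "scoped_grant": side_effects(base, readable(USERS, DOCS, [grant], now), wanted),
        "after_expiry": wanted in readable(USERS, DOCS, [grant], now + timedelta(hours=2)),
    }

if __name__ == "__main__":
    for option, result in compare(datetime(2024, 1, 1, 9, 0)).items():
        print(option, result)
```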
The Web requires creative description of security measures, rather than prescriptions and mechanisms, and a number of approaches have been developed for framing policies. Ponder is an expressive policy description language for distributed systems, but being mainly syntactically-based may not work well in a more semantically-enabled future [68]. KAoS, a policy representation language based on OWL [275], and Rei, which allows agents to control access using policies described using OWL ontologies [161], also make interesting suggestions about access control and information sharing in distributed systems of agents or Web services. Work on the Policy Aware Web goes beyond this agent/service-based paradigm; a beginning has been made on infrastructures appropriate to the decentralised and democratic Web, but much remains to be done (for example, on appropriate user interfaces) to ensure that transparency and accountability of information use are properly in place.