Re: Privacy Guidance Draft - Your Feedback Needed

Hi Hannes - 

Sorry for taking a while to respond, and many thanks for doing the work on this draft, which I think will be a very useful resource.

I just have comments on a couple of the early sections which - as you note - need some clarification. Hopefully my comments will contribute towards that.



Robin Wilton
Technical Outreach Director - Identity and Privacy
Internet Society

email: wilton@isoc.org
Phone: +44 705 005 2931
Twitter: @futureidentity




On 26 Jun 2013, at 07:29, Hannes Tschofenig wrote:

> <privacy-questions-markup.pdf>

Am I able to have actions on this personal record?

[karl]
Further clarification is needed here. What type of actions should be applied to the personal data?


> At one level, there's a technical question here about whether or not there's a user interface to the data in question. For example, supposing a mobile handset periodically records its location and sends that to a third party: at one level, we might just be interested in whether there's any way for the user to access the data in question. 
> 
> At another level, there's a regulatory/compliance question here. If we assume that, in this use-case, data about the end user is collected by a third party who, in doing so, fulfils the role of data controller, then the third party may have obligations to allow the user access to the data, correction of errors and (if the EU has its way) enforcement of the data retention period.



May I fake it? (think about fuzzy geolocation or voluntary fake location)

[karl]

Further clarification is needed here. In general, information from end devices can be faked in a variety of ways. For information that is provided by a third party this might be more difficult. Which case are you referring to? 


> I think there's a general point here about data that is generated or collected with no explicit action on the part of the user. The degree to which the user can preserve their privacy under those circumstances varies depending on the data and how it is collected. A couple of examples might help the discussion along. For instance, passively collected facial biometrics via CCTV would be quite hard to fake. At the other end of the spectrum, user self-asserted attributes can often be faked (the technical term sometimes used is "lying" ;^)  ). In between, there are (as Karl suggests) attributes that could be "disclosed to a certain level of accuracy" - such as location, age, creditworthiness and so on, or "disclosed to a certain level of assurance" - such as identity.  
> 
> From a privacy perspective, especially if one is aiming for "privacy by design", there needs to be careful thought if "accurate" attributes are being disclosed about the user, without the user's knowledge or consent. That's not to say it shouldn't happen. For example, citizens who drive a car have to accept the condition that they drive around with a permanent, publicly-visible identifier on the vehicle. However, if you start from an assumption that anonymity online should be possible (whether or not it's the default), then some privacy designs might need to incorporate a trusted third party, who preserves the end user's anonymity under normal circumstances, but can confirm the user's identity if accountability is needed (and under the right legal conditions).

> Just a couple of thoughts, but I hope this helps. As I say, I think the document is going to be a very useful resource, so wanted to chip in with my 2c-worth.
>  

Best wishes,
Robin

Received on Tuesday, 2 July 2013 16:09:49 UTC
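The "fuzzy geolocation" idea raised in the draft question, and Robin's point about attributes being "disclosed to a certain level of accuracy" such as location, can be made concrete with a small illustration. The code below is an added example, not part of this thread or of the draft; it assumes one particular approach (snapping a WGS84 fix to the centre of a square grid cell of a chosen size), and the coordinates it uses are constructed. The recipient learns only which cell the device is in, and the cell boundaries depend on nothing but the cell size, so the disclosed value carries no residue of the exact point.

```python
"""Disclose a location only to a chosen level of accuracy.

Added example (not from the thread): the true WGS84 fix is snapped to the
centre of a square grid cell roughly cell_m metres across, so the recipient
learns the cell but not the exact point. Sample coordinates are constructed.
"""
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius in metres (spherical model)


def fuzz_location(lat, lon, cell_m):
    """Return the (lat, lon) centre of the cell_m-sized grid cell containing the fix.

    Cell boundaries depend only on cell_m and on the cell's own latitude, never
    on the exact point, so the output reveals nothing beyond the cell identity.
    """
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinate out of range")
    if cell_m <= 0:
        raise ValueError("cell size must be positive")
    # One degree of latitude has the same length everywhere on the sphere.
    lat_step = math.degrees(cell_m / EARTH_RADIUS_M)
    cell_lat = (math.floor(lat / lat_step) + 0.5) * lat_step
    # Degrees of longitude shrink with cos(latitude); clamp so polar cells stay finite.
    lon_step = lat_step / max(math.cos(math.radians(cell_lat)), 1e-6)
    cell_lon = (math.floor(lon / lon_step) + 0.5) * lon_step
    # Keep the result inside the valid range for fixes at the very edge of the map.
    cell_lat = max(-90.0, min(90.0, cell_lat))
    cell_lon = ((cell_lon + 180.0) % 360.0) - 180.0
    return (round(cell_lat, 6), round(cell_lon, 6))


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points (spherical approximation)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def disclosure_error_m(lat, lon, cell_m):
    """Distance between the true fix and the cell centre that is actually disclosed."""
    fuzzed_lat, fuzzed_lon = fuzz_location(lat, lon, cell_m)
    return haversine_m(lat, lon, fuzzed_lat, fuzzed_lon)


def max_disclosure_error_m(cell_m):
    """Worst case: the true fix sits in a corner, half a diagonal from the centre."""
    return cell_m * math.sqrt(2) / 2


if __name__ == "__main__":
    # Constructed sample fix in central London, disclosed at three granularities.
    true_fix = (51.5007, -0.1246)
    for cell in (100, 1000, 10_000):
        lat, lon = fuzz_location(*true_fix, cell)
        print(f"{cell:>6} m cell -> ({lat:.6f}, {lon:.6f}), "
              f"error {disclosure_error_m(*true_fix, cell):.0f} m "
              f"(bound {max_disclosure_error_m(cell):.0f} m)")
```

Choosing the cell size is the policy decision the draft is asking about: a 10 km cell supports weather or regional content without identifying a street, while a 100 m cell is close to the exact point. Snapping to a fixed grid rather than adding random noise also means repeated reports from a stationary device do not average back to the true position.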