W3C home > Mailing lists > Public > public-privacy@w3.org > January to March 2015

Re: On the european response to Snowden

From: Ambarish S Natu <ambarish.natu@gmail.com>
Date: Tue, 27 Jan 2015 22:17:02 +1100
Message-ID: <CAO6L_b770_NAP6xq5o4h7U1DZfn-Szdv7fy96ZG6MmXqqt+hFw@mail.gmail.com>
To: David Singer <singer@apple.com>
Cc: "Mike O'Neill" <michael.oneill@baycloud.com>, Danny Weitzner <djweitzner@csail.mit.edu>, Rigo Wenning <rigo@w3.org>, "public-privacy@w3.org" <public-privacy@w3.org>
Here is a list of requirements to start thinking of a framework ! The
problem could easily spiral out of any proportion !

 Privacy-Abusive Data Collection and Retention

   - *Demands for User Data*
      - identity data
      - profile data
      - contacts data
      - location data
   - *Enticement of the Disclosure of User Data*
      - about the user
      - about the user's location
      - about others
   - *Collection of User Data *
      - about users' online behaviour
         - when transacting with the particular social media service
         - even when transacting with other services
      - about users' reading, interests, opinions and attitudes
      - about users' locations over time
      - from third parties:
         - without notice to the user and/or
         - without meaningful consent
      - *Retention of User Data*
      - without meaningful consent
      - without a deletion-cycle
      - compiling an intensive track of users' readings, behaviours and
      movements

Privacy-Abusive Service-Provider Rights

   - *Terms of Service Features*
      - substantial self-declared, non-negotiable service-provider rights
      - a right to exploit users' data for the service-providers' own
      purposes
      - a right to disclose users' data to other organisations
      - a right to retain users' data permanently, even if the person
      terminates their account
      - a right to change Terms of Service:
         - unilaterally
         - without advance notice to users; and/or
         - without any notice to users
      - *Exercise of Self-Declared Service-Provider Rights*
      - in ways harmful to users' interests
      - in order to renege on previous undertakings
      - without notice of the action being provided to the user
   - *Avoidance of Consumer Protection and Privacy Laws*
      - location of storage and processing in data havens
      - location of contract-jurisdiction distant from users
      - ignoring of regulatory and oversight agencies
      - acceptance of nuisance-value fines and nominal undertakings as 'a
      cost of doing business'

Privacy-Abusive Functionality and User Interfaces

   - *Privacy-Related Settings*
      - non-conservative default settings, such as default-open for
      profile-data, postings, and even location-data
      - inadequate granularity
      - complex and unhelpful user interfaces
      - changes to the effects of settings
         - without advance notice
         - without any notice and/or
         - without meaningful consent
      - *'Real Names' Policies*
      - denial of anonymity
      - denial of pseudonymity
      - denial of multiple identities
      - enforced publication of 'real name' and associated profile data
   - *Changes to Functionality and User Interface*
      - frequent
      - without advance notice to users
      - without any notice to users
      - without meaningful consent
   - *User Access to Their Data*
      - lack of clarity about whether data can be accessed
      - lack of clarity about how data can be accessed
      - failure to implement effective processes for user access
      - unreasonable limitations on a right of access
      - denial of a right of access
   - *User Deletion of Their Data*
      - lack of clarity about whether each category of data can be deleted
      - lack of clarity about how each category of data can be deleted
      - failure to implement effective processes for user-initiated deletion
      - unreasonable limitations on a right of deletion
      - denial of a right of deletion

Privacy-Abusive Data Exploitation

   - *Exposure of User Data to Third Parties*
      - wide exposure, in violation of previous Terms of Service, of:
         - users' profile-data - even to the point of publishing
         street-address and mobile-phone number
         - users' postings
         - users' advertising and purchasing behaviour
         - users' declared social networks
         - users' inferred social networks, based on messaging-traffic
      - changes to the scope of exposure:
         - without advance notice to users
         - without any notice to users; and/or
         - without meaningful consent
      - ready access by government agencies, without demonstrated legal
      authority for the demand
   - *Exposure of Data about Other People*
      - upload of users' address-books, including:
         - their contact-points
         - other personal data, such as children's names
         - comments about them
         - by implication, their social networks
      - exploitation of non-users' interactions with users



Regards
Ambarish S Natu

This list is from one of roger clarke's paper
http://www.rogerclarke.com/II/COSM-1301.html


On Tuesday, 27 January 2015, David Singer <singer@apple.com> wrote:

>
> > On Jan 27, 2015, at 11:46 , Mike O'Neill <michael.oneill@baycloud.com
> <javascript:;>> wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > There is also a international dimension, with transatlantic agreements
> on privacy,  cybersecurity and surveillance being publically discussed, and
> it is clear these things are interrelated, addressing one will always
> involve consideration of the others.
> >
> > There does not have to be a trade-off, no need to forgo privacy for the
> sake of security. We should be able to build a system with them all.
> >
> > What is needed is a clearly expressed “statement of requirements” i.e.
> we want to protect privacy and security within a transparent and
> democratically  accountable framework which, for example, allows law
> enforcement to do its job (using warranted surveillance if necessary), but
> rules out mass surveillance.  Because the net knows no borders there has to
> be a transnational component.
> >
> > The W3C could then do its part helping to create the necessary protocols
> and standards, while the politicians take charge of the oversight process
> and creating the legal environment.
> >
>
> If you have even vague visions for what protocols and standards could help
> here, could you sketch them out?
>
> David Singer
> Manager, Software Standards, Apple Inc.
>
>
>

-- 
अंबरीष श्रिकृष्ण नातू


Sent from Gmail Mobile
Received on Tuesday, 27 January 2015 12:56:07 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 27 January 2015 12:56:16 UTC