W3C home > Mailing lists > Public > public-privacy@w3.org > July to September 2015

RE: new security/privacy review questions

From: Katie Haritos-Shea GMAIL <ryladog@gmail.com>
Date: Wed, 1 Jul 2015 16:43:32 -0400
To: <norcie@cdt.org>
Cc: "'public-privacy \(W3C mailing list\)'" <public-privacy@w3.org>, <ryladog@gmail.com>
Message-ID: <22fd01d0b43e$98f1f470$cad5dd50$@gmail.com>
I think this is a very good first pass, however, I think that we should give the localized name as (e.g, ?) after the internationalized term. 

 

As an example:

 

Where you have “high-value data” I would like to see (e.g., PII, <whatever PII is referred to elsewhere>, PIFI, PHI) – so that users in each country can better understand what is being said...

 

* katie *

 

Katie Haritos-Shea 
Senior Accessibility SME (WCAG/Section 508/ADA/AODA)

 

Cell: 703-371-5545 | ryladog@gmail.com | Oakton, VA | LinkedIn Profile: http://www.linkedin.com/in/katieharitosshea/ | Office: 703-371-5545

 

From: Greg Norcie [mailto:gnorcie@cdt.org] 
Sent: Wednesday, July 1, 2015 4:22 PM
To: Greg Norcie
Cc: public-privacy (W3C mailing list)
Subject: Re: new security/privacy review questions

 

Also I went through and made a pass at removing the instances of "PII" and replacing with more inclusive language.

 

On Wed, Jul 1, 2015 at 4:20 PM, Greg Norcie <gnorcie@cdt.org> wrote:

Hi Frank,

Please send your feedback to the list so it can be discussed.

Thanks for the help!

 

On Wed, Jul 1, 2015 at 4:17 PM, Dawson Frank (Nokia-TECH/Irving) <frank.dawson@nokia.com> wrote:

PS…

 

Under §4 Mitigations, it occurred to me that another mitigation is “data minimization”. An example was in work that ex-colleague Frederick Hirsch did in Devices API work. For example, on address book lookup, rather than allowing the API functionality to transfer a full address book entry via an identifier, you had to access the entry and retrieve partial information, parameter by parameter, out of the entry. This data minimization decreased the attack surface of the API by limiting the amount of the entry that could be retrieved at once.

 

Another would be the classic “Privacy by Default”. For example, when you would use WebRTC to open a video connection, the microphone and video sensors should be muted and privacy lid enabled by default. 

 

Another would be “Contextual or Timely User Control” (you might have a better term). In the same example as previous, the user should have the ability to toggle off microphone and video, on demand, even if consent has already been granted for the session.

 

From: ext Greg Norcie [mailto:gnorcie@cdt.org] 
Sent: Wednesday, July 01, 2015 10:27
To: Dawson Frank (Nokia-TECH/Irving)

Cc: public-privacy (W3C mailing list)
Subject: Re: new security/privacy review questions

 

Hi Frank,

Thanks for the input. I definitely agree we should try to remove US centric language. I can try to go through and be a little more general, but it might be useful for a non-US person to make a pass as well.

I will make a second pass today and try to alter anything that seems especially tied to US law.

Also, while I'm sure there are many techniques aside from questionnaires that can be used when reviewing a new standard, I think for right now we'll focus on refining the questionnaire - other techniques can certainly be developed to supplement the questionnaire once it is mature.

(The addition of new sections would be something that probably should be saved for discussion in Prague)

I'll send out a revised question set with revised language later today.

-Greg

 

On Wed, Jul 1, 2015 at 10:50 AM, Dawson Frank (Nokia-TECH/Irving) <frank.dawson@nokia.com> wrote:

Hei Greg.

 

Looks like a hard crowd to please at SOUPS events :)

 

SOUPS acceptance rates: 2005: 10/39 (25%); 2006: 14/39 (35%); 2007: 12/41 (29%); 2008: 13/43 (30%); 2009: 15/49 (30%); 2010: 16/65 (24%); 2011: 15/45 (33%); 2012: 14/67 (20%); 2013 15/51 (29%)

 

At least maybe you can escape the heat/humidity of summer time in DC for a while.

 

I looked at the questionnaire that you, Joe and Mike updated. Have you read the PRIPARE paper from the IWPE15 event on goal-based versus risk-based approaches to analyzing privacy impact? Net-net is that both approaches are important and a hybrid of the two makes for better privacy engineering. 

 

The questionnaire approach is good when system is well known and true table of knowledge exists for problem determination and solution selection (e.g., A380 engine #4 shows fire light, what to do). But with the privacy impact analysis for new web technologies this might not be the case. 

 

I was wondering if the questionnaire might be complemented by some additional section with more systematic guidance. For example, pre-analysis work involving assembly by editors of a worksheet with a data inventory that can be used for analysis of the data flows involved. Attached is an example, but this could be specified in other ways than XLS, such as questions. Obviously, the attached example columns are specific to a deployment of a standard (i.e., implementation or product) but can be generalized to capture the more generic nature of what a W3C web specification would create.

 

Also, the questionnaire could be supplemented by a suggested PII classification scheme. I prefer the Paul Schwartz/Daniel Solove “PII 2.0”, as is incorporated into the XLS attached. 

 

Lastly, the W3C specifications are for a global web, but the vocabulary in the questionnaire is very US specific (e.g., use of PII over Personal Data). Why not go for a more international vocabulary (e.g., EU GDPR, which is being copied by regional jurisdictions other than the US, or ISO 29100/Privacy Framework, whose PDF is freely available from ISO)?

 

Additionally, the questionnaire could be enhanced by a Privacy Recommendations section that listed a set or catalog of principles, controls and implementation criteria. The set would be something that would grow as experience identified further patterns for best practice. The sectorial standards for the ISO 27001 series for Information Security Management Systems provide, in ISO 27009, guidance on how this would be formatted. 

 

x Data Stewardship

 

x.1 Data inventory

 

Control: Personal data collected, processed, stored, transferred or managed by the specification is identified and classified according to its purposes, personal data category, security category, retention/deletion recommendation…

 

Implementation guidance: Sensitive categories of personal data should be encrypted when transferred and consideration given on encryption when at rest/stored.

 

Frank/

 

From: ext Greg Norcie [mailto:gnorcie@cdt.org] 
Sent: Tuesday, June 30, 2015 20:51
To: Christine Runnegar
Cc: public-privacy (W3C mailing list)
Subject: Re: new security/privacy review questions

 

Hi all,

Joe's out of the office this week, but I spoke with him before he left, and he will be at IETF in Prague.

I'd love to join him, but I had made plans to attend SOUPS (https://cups.cs.cmu.edu/soups/2015/) in Ottawa during that time prior to this idea being raised. (But if anyone will also be at SOUPS I'd be happy to chat)

If anyone has feedback between now and then, please feel free to share it with the list and I will iterate on the current question set.

 

On Tue, Jun 30, 2015 at 7:52 AM, Christine Runnegar <runnegar@isoc.org> wrote:

Thank you Greg and Joe for all your work on this.

One suggestion at the PING call last week is to use at least some of the time at the PING meeting alongside IETF (Thursday 23 July - during the lunch break) to progress this work further.

In the meantime, everyone, please continue to share your thoughts on the draft as well as the feedback from Greg and Joe.

Christine and Tara


> On 24 Jun 2015, at 3:34 pm, Greg Norcie <gnorcie@cdt.org> wrote:
>
> Hi all,
>
> Joe Hall and I have been working on a rewrite of the TAG security questionnaire[1], which incorporates privacy concerns as well as security concerns. (For example, we include some of the questions raised by Nick in his privacy questionnaire.[2])
>
> We also split the questionnaire into a security section and a privacy section (with the implication all new standards should enumerate their privacy impacts as well as their security impacts.)
>
> The goal is that for each question, there will eventually be an explanation and a concrete, real world example.
>
> [1] https://w3ctag.github.io/security-questionnaire/
> [2] https://lists.w3.org/Archives/Public/public-privacy/2013AprJun/0004.html
>
> I've attached a .odt outlining our proposed questions, as well as a PDF in case you don't have an ODT capable editor installed. (I recommend Libreoffice)
> --
> /***********************************/
> Greg Norcie (norcie@cdt.org)
> Staff Technologist
> Center for Democracy & Technology
> 1634 Eye St NW Suite 1100
> Washington DC 20006
> (p) 202-637-9800
> PGP: http://norcie.com/pgp.txt
>
> Fingerprint:
> 73DF-6710-520F-83FE-03B5
> 8407-2D0E-ABC3-E1AE-21F1
>
> /***********************************/

> <PingPrivSecQs.pdf><PingPrivSecQs.odt>




-- 

/***********************************/
Greg Norcie (norcie@cdt.org)

Staff Technologist

Center for Democracy & Technology

1634 Eye St NW Suite 1100

Washington DC 20006

(p) 202-637-9800

PGP: http://norcie.com/pgp.txt


Fingerprint:  
73DF-6710-520F-83FE-03B5
8407-2D0E-ABC3-E1AE-21F1

/***********************************/
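As an added example, not code from this thread or from any W3C specification, the following JavaScript models the three mitigations Frank lists above (data minimization, privacy by default, and timely user control) together with the purpose-based field classification from his proposed "x.1 Data inventory" control. The address book entry, the DATA_INVENTORY table, the purpose names and the MediaSession class are all constructed for illustration; MediaSession stands in for a real WebRTC track object rather than calling browser APIs.

```javascript
"use strict";

// Constructed data inventory (hypothetical): each personal-data field carries a
// category and the purposes for which a page may receive it, i.e. the
// "classified according to its purposes, personal data category" idea from the
// draft control. Fields with no purposes are never exposed to a page.
const DATA_INVENTORY = {
  name:     { category: "identifier", purposes: ["display", "messaging"] },
  email:    { category: "contact",    purposes: ["messaging"] },
  phone:    { category: "contact",    purposes: ["messaging"] },
  birthday: { category: "sensitive",  purposes: [] },
  notes:    { category: "free-text",  purposes: [] },
};

// Constructed sample address book, not real data.
const ADDRESS_BOOK = new Map([
  ["c1", { name: "Ada", email: "ada@example.org", phone: "+1-555-0100",
           birthday: "1990-01-01", notes: "met at conference" }],
]);

// Whole-entry design: one identifier hands the page everything, including the
// sensitive and free-text fields it never asked for. This is the API shape the
// data-minimization argument is against.
function getContactEntry(id) {
  const entry = ADDRESS_BOOK.get(id);
  return entry ? { ...entry } : null;
}

// Minimized design: the page names each field and the purpose it has consent
// for; only fields whose inventory row lists that purpose come back. Unknown
// fields are rejected rather than silently ignored, so every exposure path is
// enumerable by a spec reviewer and nothing leaks through a typo'd field name.
function getContactFields(id, fields, purpose) {
  const entry = ADDRESS_BOOK.get(id);
  if (!entry) return null;
  const out = {};
  for (const f of fields) {
    const row = DATA_INVENTORY[f];
    if (!row) throw new RangeError(`unknown field: ${f}`);
    if (row.purposes.includes(purpose)) out[f] = entry[f];
  }
  return out;
}

// Privacy by default plus timely user control: capture tracks start disabled
// even after consent, and the user can flip them at any point in the session.
// Consent is necessary but not sufficient for a track to transmit.
class MediaSession {
  constructor(consentGranted) {
    this.consentGranted = consentGranted;
    // Default-deny: nothing flows until the user explicitly enables it.
    this.tracks = { audio: { enabled: false }, video: { enabled: false } };
  }

  // User-initiated toggle; returns the resulting state of the track.
  setTrack(kind, enabled) {
    if (!(kind in this.tracks)) throw new RangeError(`unknown track: ${kind}`);
    this.tracks[kind].enabled = this.consentGranted && Boolean(enabled);
    return this.tracks[kind].enabled;
  }

  // Which tracks the remote peer would actually receive right now.
  transmitting() {
    return Object.entries(this.tracks)
      .filter(([, t]) => t.enabled)
      .map(([kind]) => kind);
  }
}
```

The contrast a reviewer cares about is visible in the two getters: a page calling `getContactFields("c1", ["name", "email", "birthday"], "messaging")` gets only name and email, while `getContactEntry("c1")` returns all five fields regardless of purpose. The MediaSession shows the same default-deny posture for sensors: a session created with consent still transmits nothing until `setTrack` is called, and a session without consent cannot be enabled at all.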
Received on Wednesday, 1 July 2015 20:44:05 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 1 July 2015 20:44:06 UTC