
Re: new security/privacy review questions

From: Christine Runnegar <runnegar@isoc.org>
Date: Fri, 3 Jul 2015 11:28:03 +0000
To: Katie Haritos-Shea GMAIL <ryladog@gmail.com>
CC: Tiffany DUMAS <tiffany.dumas@live.com>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <0F2B4F03-359C-48B0-84C2-5ACD2DAF44D9@isoc.org>
Yes, welcome Tiffany, and thank you for sharing your views.

Indeed, the scope of privacy and data protection laws (i.e. the definition of “personal data/personal information”) varies depending on the jurisdiction.

A common, but not universal definition is:

“any information [relating to/about] an identified or identifiable individual” 

(found, for example, in the OECD Privacy Guidelines, Council of Europe Convention 108 and APEC Privacy Framework)

My personal preference is not to use “PII”, but rather, “personal data” or “personal information”, as needed.

As much as possible, we should try to be “law-neutral” in our approach.

Our goal is to help Web specifications authors consider privacy implications and choose privacy-enhancing design choices. To do this, we need to use language that makes sense for that audience. This is often why we see discussions about “identifiers”, “permissions”, “fingerprinting”, “persistence”, “same-origin”, “user agent”, etc. Also, as some of the key privacy-decision points may occur at implementation, it is useful to include guidance for implementors, as appropriate. 

As to first party and third party, I believe there were many many discussions about this in the Tracking Protection WG, but that they were specifically for that context.

Generally, however, the language typically revolves around “origin”, “same origin” and “cross-origin”. However, I will leave this to others to explain in more detail.

Christine

> On 2 Jul 2015, at 5:48 pm, Katie Haritos-Shea GMAIL <ryladog@gmail.com> wrote:
> 
> Welcome Tiffany!  Your English is great….:-)
>  
>  
>  
> * katie *
>  
> Katie Haritos-Shea 
> Senior Accessibility SME (WCAG/Section 508/ADA/AODA)
>  
> Cell: 703-371-5545 | ryladog@gmail.com | Oakton, VA | LinkedIn Profile | Office: 703-371-5545
>  
> From: Tiffany DUMAS [mailto:tiffany.dumas@live.com] 
> Sent: Thursday, July 2, 2015 4:17 AM
> To: public-privacy@w3.org
> Subject: Re: new security/privacy review questions
>  
> Hi Everybody,
> 
> I'm new to this mailing list and I feel very honoured that you accepted me. I'm a French attorney, passionate and concerned about privacy issues, so please excuse my bad English and my ignorance of US law...
> 
> I agree that the specifications should use terms that are not too much related to a national legislation and are more neutral, to be more understandable for everybody. "PII" is too close to US law and "Personal Data" maybe too close to EU law. However, comparing the French and European definition of Personal Data to the definition you give of PII in these specifications, both concepts seem to me quite similar:
> 
> legal definition of Personal data according to EU directive of 1995 about personal data is: "'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity".
> 
> In other words, personal data is also data that at first sight isn't personally identifying but becomes personally identifying when it's combined or crossed with other data and as a result permits identifying a person (for example a cookie identifier crossed with a browser history).
>  
> On the other hand, what is not defined in these specifications and seems to me not clear is what you understand under "First" and "Third" Party. Talking about this in France with developers, it is a real debate. As a lawyer I understand strictly that the first party is exclusively the components controlled by the controller (the direct person, I think, that I as a user am talking to and who legally defines the purposes and the collecting of data) and a third party is any other person outside of this relationship, even if the third party has been authorised by the controller but the processing of data isn't completely controlled by the controller (so it materially can't be under his direct authority, for example data collected by Google Analytics).
> 
> Hereafter the legal definition of Third Party according to EU directive of 1995 : "'third party' shall mean any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the data".
> 
> For the developers I was talking with, they understand that a Third Party is only a person which wasn't authorised by the controller.
> 
> What is your position?
> 
> Regards, 
> 
> Le 01/07/2015 22:43, Katie Haritos-Shea GMAIL a écrit :
>> I think this is a very good first pass, however, I think that we should give the localized name as (e.g, ?) after the internationalized term. 
>>  
>> As an example:
>>  
>> Where you have “high-value data” I would like to see (e.g, PII, <whatever PII is referred to elsewhere>, PIFI, PHI) – so that users in each country can better understand what is being said……..
>>  
>> * katie *
>>  
>> Katie Haritos-Shea 
>> Senior Accessibility SME (WCAG/Section 508/ADA/AODA)
>>  
>> Cell: 703-371-5545 | ryladog@gmail.com | Oakton, VA | LinkedIn Profile | Office: 703-371-5545
>>  
>> From: Greg Norcie [mailto:gnorcie@cdt.org] 
>> Sent: Wednesday, July 1, 2015 4:22 PM
>> To: Greg Norcie
>> Cc: public-privacy (W3C mailing list)
>> Subject: Re: new security/privacy review questions
>>  
>> Also I went through and made a pass at removing the instances of "PII" and replacing with more inclusive language.
>>  
>> On Wed, Jul 1, 2015 at 4:20 PM, Greg Norcie <gnorcie@cdt.org> wrote:
>>> Hi Frank,
>>> 
>>> Please send your feedback to the list so it can be discussed.
>>> 
>>> Thanks for the help!
>>>  
>>> On Wed, Jul 1, 2015 at 4:17 PM, Dawson Frank (Nokia-TECH/Irving) <frank.dawson@nokia.com> wrote:
>>>> PS…
>>>>  
>>>> Under §4 Mitigations, it occurred to me that another mitigation is “data minimization”. An example was in work that ex-colleague Frederick Hirsch did in Devices API work. For example, on addressbook lookup, rather than allow functionality of API to transfer full addressbook entry via an identifier, you had to access entry and retrieve partial information, parameter by parameter, out of the entry. This data minimization decreased the attack surface of the API by limiting amount of entry that could be retrieved at once.
>>>>  
>>>> Another would be the classic “Privacy by Default”. For example, when you would use WebRTC to open a video connection, the microphone and video sensors should be muted and privacy lid enabled by default. 
>>>>  
>>>> Another would be “Contextual or Timely User Control” (you might have a better term). In the same example as previous, the user should have the ability to toggle off microphone and video, on demand, even if consent has already been granted for the session.
>>>>  
>>>> From: ext Greg Norcie [mailto:gnorcie@cdt.org] 
>>>> Sent: Wednesday, July 01, 2015 10:27
>>>> To: Dawson Frank (Nokia-TECH/Irving)
>>>> Cc: public-privacy (W3C mailing list)
>>>> Subject: Re: new security/privacy review questions
>>>>  
>>>> Hi Frank,
>>>> 
>>>> Thanks for the input. I definitely agree we should try to remove US-centric language. I can try to go through and be a little more general, but it might be useful for a non-US person to make a pass as well.
>>>> 
>>>> I will make a second pass today and try to alter anything that seems especially tied to US law.
>>>> 
>>>> Also, while I'm sure there are many techniques aside from questionnaires that can be used when reviewing a new standard, I think for right now we'll focus on refining the questionnaire - other techniques can certainly be developed to supplement the questionnaire once it is mature.
>>>> 
>>>> (The addition of new sections would be something that probably should be saved for discussion in Prague)
>>>> 
>>>> I'll send out a revised question set with revised language later today.
>>>> 
>>>> -Greg
>>>>  
>>>> On Wed, Jul 1, 2015 at 10:50 AM, Dawson Frank (Nokia-TECH/Irving) <frank.dawson@nokia.com> wrote:
>>>>> Hei Greg.
>>>>>  
>>>>> Looks like a hard crowd to please at SOUPS events :-)
>>>>>  
>>>>> SOUPS acceptance rates: 2005: 10/39 (25%); 2006: 14/39 (35%); 2007: 12/41 (29%); 2008: 13/43 (30%); 2009: 15/49 (30%); 2010: 16/65 (24%); 2011: 15/45 (33%); 2012: 14/67 (20%); 2013 15/51 (29%)
>>>>>  
>>>>> At least maybe you can escape the heat/humidity of summer time in DC for a while.
>>>>>  
>>>>> I looked at the questionnaire that you, Joe and Mike updated. Have you read the PRIPARE paper from the IWPE15 event on goal-based versus risk-based approaches to analyzing privacy impact? Net-net is that both approaches are important and a hybrid of the two makes for better privacy engineering.
>>>>>  
>>>>> The questionnaire approach is good when system is well known and true table of knowledge exists for problem determination and solution selection (e.g., A380 engine #4 shows fire light, what to do). But with the privacy impact analysis for new web technologies this might not be the case. 
>>>>>  
>>>>> I was wondering if the questionnaire might be complemented by some additional section with more systematic guidance. For example, pre-analysis work involving assembly by editors of a worksheet with a data inventory that can be used for analysis of the data flows involved. Attached is an example, but this could be specified in other ways than XLS, such as questions. Obviously, the attached example columns are specific to a deployment of a standard (ie, implementation or product) but can be generalized to capture the more generic nature of what a W3C web specification would create.
>>>>>  
>>>>> Also, the questionnaire could be supplemented by a suggested PII classification scheme. I prefer the Paul Schwartz/Daniel Solove “PII 2.0”, as is incorporated into the XLS attached. 
>>>>>  
>>>>> Lastly, the W3C specifications are for a global web, but the vocabulary in the questionnaire is very US specific (eg, use of PII over Personal Data). Why not go for a more international vocabulary (eg, EU GDPR that is being copied by regional jurisdictions other than US or ISO 29100/Privacy Framework which PDF is freely available from ISO).
>>>>>  
>>>>> Additionally, the questionnaire could be enhanced by a Privacy Recommendations section that listed a set or catalog of principles, controls, implementation criteria. The set would be something that would grow as experience identified further patterns for best practice. The sectorial standards for the ISO 27001-series for Information Security Management Systems provide in ISO 27009 guidance on how this would be formatted.
>>>>>  
>>>>> x Data Stewardship
>>>>>  
>>>>> x.1 Data inventory
>>>>>  
>>>>> Control: Personal data collected, processed, stored, transferred or managed by the specification is identified and classified according to its purposes, personal data category, security category, retention/deletion recommendation…
>>>>>  
>>>>> Implementation guidance: Sensitive categories of personal data should be encrypted when transferred and consideration given on encryption when at rest/stored.
>>>>>  
>>>>> Frank/
>>>>>  
>>>>> From: ext Greg Norcie [mailto:gnorcie@cdt.org] 
>>>>> Sent: Tuesday, June 30, 2015 20:51
>>>>> To: Christine Runnegar
>>>>> Cc: public-privacy (W3C mailing list)
>>>>> Subject: Re: new security/privacy review questions
>>>>>  
>>>>> Hi all,
>>>>> 
>>>>> Joe's out of the office this week, but I spoke with him before he left, and he will be at IETF in Prague.
>>>>> 
>>>>> I'd love to join him, but I had made plans to attend SOUPS in Ottawa during that time prior to this idea being raised. (But if anyone will also be at SOUPS I'd be happy to chat)
>>>>> 
>>>>> If anyone has feedback between now and then, please feel free to share it with the list and I will iterate on the current question set.
>>>>>  
>>>>> On Tue, Jun 30, 2015 at 7:52 AM, Christine Runnegar <runnegar@isoc.org> wrote:
>>>>>> Thank you Greg and Joe for all your work on this.
>>>>>> 
>>>>>> One suggestion at the PING call last week is to use at least some of the time at the PING meeting alongside IETF (Thursday 23 July - during the lunch break) to progress this work further.
>>>>>> 
>>>>>> In the meantime, everyone, please continue to share your thoughts on the draft as well as the feedback from Greg and Joe.
>>>>>> 
>>>>>> Christine and Tara
>>>>>> 
>>>>>> > On 24 Jun 2015, at 3:34 pm, Greg Norcie <gnorcie@cdt.org> wrote:
>>>>>> >
>>>>>> > Hi all,
>>>>>> >
>>>>>> > Joe Hall and I have been working on a rewrite of the TAG security questionnaire[1], which incorporates privacy concerns as well as security concerns. (For example, we include some of the questions raised by Nick in his privacy questionnaire.[2])
>>>>>> >
>>>>>> > We also split the questionnaire into a security section and a privacy section (with the implication all new standards should enumerate their privacy impacts as well as their security impacts.)
>>>>>> >
>>>>>> > The goal is that for each question, there will eventually be an explanation and a concrete, real world example.
>>>>>> >
>>>>>> > [1] https://w3ctag.github.io/security-questionnaire/
>>>>>> > [2] https://lists.w3.org/Archives/Public/public-privacy/2013AprJun/0004.html
>>>>>> >
>>>>>> > I've attached a .odt outlining our proposed questions, as well as a PDF in case you don't have an ODT capable editor installed. (I recommend Libreoffice)
>>>>>> > --
>>>>>> > /***********************************/
>>>>>> > Greg Norcie (norcie@cdt.org)
>>>>>> > Staff Technologist
>>>>>> > Center for Democracy & Technology
>>>>>> > 1634 Eye St NW Suite 1100
>>>>>> > Washington DC 20006
>>>>>> > (p) 202-637-9800
>>>>>> > PGP: http://norcie.com/pgp.txt
>>>>>> >
>>>>>> > Fingerprint:
>>>>>> > 73DF-6710-520F-83FE-03B5
>>>>>> > 8407-2D0E-ABC3-E1AE-21F1
>>>>>> >
>>>>>> > /***********************************/
>>>>>> > <PingPrivSecQs..pdf><PingPrivSecQs.odt>
>>>>>> 
>  
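The three mitigations Frank lists (data minimization on an address-book lookup, privacy by default, and timely user control) sketched as a small API, added here as an illustration; this is not code from the thread or from any W3C specification, and ContactStore, grantAccess, readField and revoke are assumed names.

```javascript
// Added example, not from the thread. A contacts API that releases one field
// per call under a user grant, instead of handing out a whole entry by id.
// All names and the sample contact below are constructed for this example.

// Constructed sample address book; 'notes' is never exposed through the API.
const CONTACTS = [
  { id: 'c1', name: 'Ada Example', email: 'ada@example.invalid',
    phone: '+1-555-0100', notes: 'internal remark' },
];
const EXPOSABLE_FIELDS = new Set(['name', 'email', 'phone']);

class ContactStore {
  constructor(contacts) {
    this.byId = new Map(contacts.map(c => [c.id, c]));
    this.log = []; // audit trail of every field request, allowed or not
  }

  // Privacy by default: a grant starts with only the fields the user named,
  // and fields the spec never exposes are dropped even if requested.
  grantAccess(id, requestedFields) {
    const fields = new Set(requestedFields.filter(f => EXPOSABLE_FIELDS.has(f)));
    return { id, fields };
  }

  // Data minimization: one field per call, so a caller holding an identifier
  // cannot pull the complete entry in a single request.
  readField(grant, field) {
    const entry = this.byId.get(grant.id);
    if (!entry) throw new Error('unknown contact');
    const allowed = grant.fields.has(field);
    this.log.push({ id: grant.id, field, allowed });
    return allowed ? entry[field] : null;
  }

  // Timely user control: the user can withdraw a field mid-session; later
  // reads of that field return null even though the grant still exists.
  revoke(grant, field) {
    grant.fields.delete(field);
  }
}
```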

Received on Friday, 3 July 2015 11:28:38 UTC
