W3C home > Mailing lists > Public > public-privacy@w3.org > July to September 2015

Re: new security/privacy review questions

From: Rob van Eijk <rob@blaeu.com>
Date: Fri, 03 Jul 2015 14:11:04 +0200
To: Christine Runnegar <runnegar@isoc.org>
Cc: Katie Haritos-Shea GMAIL <ryladog@gmail.com>, Tiffany DUMAS <tiffany.dumas@live.com>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <c6db2b1092c6773d83cc7d2d34b439cb@xs4all.nl>
>> As to first party and third party, I believe there were many many 
>> discussions about this in the Tracking Protection WG, but that they 
>> were specifically for that context.

In the TPWG we also aimed at law-neutral formulations of the key terms 
[1,2]. As to first and third party: in the US, for example, first and 
third party relate more to a service provider model, whereas in the EU 
this relates to data controller/data processor or joint controllership.

Rob

[1] http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#first-party
[2] http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#third-party

Christine Runnegar schreef op 2015-07-03 13:28:
> Yes, welcome Tiffany, and thank you for sharing your views.
> 
> Indeed, the scope of privacy and data protection laws (i.e. the
> definition of “personal data/personal information”) varies depending
> on the jurisdiction.
> 
> A common, but not universal definition is:
> 
> “any information [relating to/about] an identified or identifiable 
> individual”
> 
> (found, for example, in the OECD Privacy Guidelines, Council of Europe
> Convention 108 and APEC Privacy Framework)
> 
> My personal preference is not to use “PII”, but rather, “personal
> data” or “personal information”, as needed.
> 
> As much as possible, we should try to be “law-neutral” in our approach.
> 
> Our goal is to help Web specifications authors consider privacy
> implications and choose privacy-enhancing design choices. To do this,
> we need to use language that makes sense for that audience. This is
> often why we see discussions about “identifiers”, “permissions”,
> “fingerprinting”, “persistence”, “same-origin”, “user agent”, etc.
> Also, as some of the key privacy-decision points may occur at
> implementation, it is useful to include guidance for implementors, as
> appropriate.
> 
> As to first party and third party, I believe there were many many
> discussions about this in the Tracking Protection WG, but that they
> were specifically for that context.
> 
> Generally, however, the language typically revolves around “origin”,
> “same origin” and “cross-origin”. However, I will leave this to others
> to explain in more detail.
> 
> Christine
> 
>> On 2 Jul 2015, at 5:48 pm, Katie Haritos-Shea GMAIL 
>> <ryladog@gmail.com> wrote:
>> 
>> Welcome Tiffany!  Your English is great….:-)
>> 
>> 
>> 
>> * katie *
>> 
>> Katie Haritos-Shea
>> Senior Accessibility SME (WCAG/Section 508/ADA/AODA)
>> 
>> Cell: 703-371-5545 | ryladog@gmail.com | Oakton, VA | LinkedIn Profile 
>> |Office: 703-371-5545
>> 
>> From: Tiffany DUMAS [mailto:tiffany.dumas@live.com]
>> Sent: Thursday, July 2, 2015 4:17 AM
>> To: public-privacy@w3.org
>> Subject: Re: new security/privacy review questions
>> 
>> Hi Everybody,
>> 
>> I'm new to this mailing list and I feel very honoured that you 
>> accepted me. I'm a French attorney, passionate and concerned about 
>> privacy issues, so please excuse me for my bad English and my 
>> ignorance of US law...
>> 
>> I agree that the specifications should use terms that are not too 
>> much related to a national legislation and are more neutral, to be 
>> more understandable for everybody. "PII" is too close to US law and 
>> "Personal Data" maybe too close to EU law. However, comparing the 
>> French and European definition of Personal Data to the definition you 
>> give of PII in these specifications, both concepts seem to me quite 
>> similar:
>> 
>> The legal definition of Personal data according to the EU directive 
>> of 1995 about personal data is: "'personal data' shall mean any information 
>> relating to an identified or identifiable natural person ('data 
>> subject'); an identifiable person is one who can be identified, 
>> directly or indirectly, in particular by reference to an 
>> identification number or to one or more factors specific to his 
>> physical, physiological, mental, economic, cultural or social 
>> identity".
>> 
>> In other words, a personal data is also a data that at first sight 
>> isn't personally identifying but becomes personally identifying when 
>> it's combined or crossed with other data and as a result makes it 
>> possible to identify a person (for example a cookie identifier crossed 
>> with a browser history).
>> 
>> On the other hand, what is not defined in these specifications and 
>> seems to me not clear is what you understand under "First" and 
>> "Third" Party. Talking about this in France with developers, it is a 
>> real debate. As a lawyer I understand strictly that first party are 
>> exclusively components controlled by the controller (the direct person 
>> I think, as a user, I'm talking to and who defines legally the 
>> purposes and the collecting of data) and a third party is any other 
>> person outside of this relationship, even if the third party has been 
>> authorised by the controller but the processing of data isn't 
>> completely controlled by the controller (so it materially can't be 
>> under his direct authority, for example data collected by Google 
>> Analytics).
>> 
>> Hereafter the legal definition of Third Party according to the EU 
>> directive of 1995: "'third party' shall mean any natural or legal 
>> person, public authority, agency or any other body other than the data 
>> subject, the controller, the processor and the persons who, under the 
>> direct authority of the controller or the processor, are authorized to 
>> process the data".
>> 
>> The developers I was talking with understand that a third party is 
>> only a person which wasn't authorised by the controller.
>> 
>> What is your position?
>> 
>> Regards,
>> 
>> Le 01/07/2015 22:43, Katie Haritos-Shea GMAIL a écrit :
>>> I think this is a very good first pass; however, I think that we 
>>> should give the localized name as (e.g., ?) after the 
>>> internationalized term.
>>> 
>>> As an example:
>>> 
>>> Where you have “high-value data” I would like to see (e.g., PII, 
>>> <whatever PII is referred to elsewhere>, PIFI, PHI), so that users 
>>> in each country can better understand what is being said…
>>> 
>>> * katie *
>>> 
>>> Katie Haritos-Shea
>>> Senior Accessibility SME (WCAG/Section 508/ADA/AODA)
>>> 
>>> Cell: 703-371-5545 | ryladog@gmail.com | Oakton, VA |LinkedIn Profile 
>>> | Office: 703-371-5545
>>> 
>>> From: Greg Norcie [mailto:gnorcie@cdt.org]
>>> Sent: Wednesday, July 1, 2015 4:22 PM
>>> To: Greg Norcie
>>> Cc: public-privacy (W3C mailing list)
>>> Subject: Re: new security/privacy review questions
>>> 
>>> Also I went through and made a pass at removing the instances of 
>>> "PII" and replacing with more inclusive language.
>>> 
>>> On Wed, Jul 1, 2015 at 4:20 PM, Greg Norcie <gnorcie@cdt.org> wrote:
>>>> Hi Frank,
>>>> 
>>>> Please send your feedback to the list so it can be discussed.
>>>> 
>>>> Thanks for the help!
>>>> 
>>>> On Wed, Jul 1, 2015 at 4:17 PM, Dawson Frank (Nokia-TECH/Irving) 
>>>> <frank.dawson@nokia.com> wrote:
>>>>> PS…
>>>>> 
>>>>> Under §4 Mitigations, it occurred to me that another mitigation is 
>>>>> “data minimization”. An example was in work that ex-colleague 
>>>>> Frederick Hirsch did in Devices API work. For example, on 
>>>>> addressbook lookup, rather than allowing the API to transfer the 
>>>>> full addressbook entry via an identifier, you had to access the 
>>>>> entry and retrieve partial information, parameter by parameter, 
>>>>> out of the entry. This data minimization decreased the attack 
>>>>> surface of the API by limiting the amount of the entry that could 
>>>>> be retrieved at once.
>>>>> 
>>>>> Another would be the classic “Privacy by Default”. For example, 
>>>>> when you would use WebRTC to open a video connection, the 
>>>>> microphone and video sensors should be muted and privacy lid 
>>>>> enabled by default.
>>>>> 
>>>>> Another would be “Contextual or Timely User Control” (you might 
>>>>> have a better term). In the same example as previous, the user 
>>>>> should have the ability to toggle off microphone and video, on 
>>>>> demand, even if consent has already been granted for the session.
>>>>> 
>>>>> From: ext Greg Norcie [mailto:gnorcie@cdt.org]
>>>>> Sent: Wednesday, July 01, 2015 10:27
>>>>> To: Dawson Frank (Nokia-TECH/Irving)
>>>>> Cc: public-privacy (W3C mailing list)
>>>>> Subject: Re: new security/privacy review questions
>>>>> 
>>>>> Hi Frank,
>>>>> 
>>>>> Thanks for the input. I definitely agree we should try to remove US 
>>>>> centric language. I can try to go through and be a little more 
>>>>> general, but it might be useful for a non-US person to make a pass 
>>>>> as well.
>>>>> 
>>>>> I will make a second pass today and try to alter anything that 
>>>>> seems especially tied to US law.
>>>>> 
>>>>> Also, while I'm sure there are many techniques aside from 
>>>>> questionnaires that can be used when reviewing a new standard, I 
>>>>> think for right now we'll focus on refining the questionnaire - 
>>>>> other techniques can certainly be developed to supplement the 
>>>>> questionnaire once it is mature.
>>>>> 
>>>>> (The addition of new sections would be something that probably 
>>>>> should be saved for discussion in Prague)
>>>>> 
>>>>> I'll send out a revised question set with revised language later 
>>>>> today.
>>>>> 
>>>>> -Greg
>>>>> 
>>>>> On Wed, Jul 1, 2015 at 10:50 AM, Dawson Frank (Nokia-TECH/Irving) 
>>>>> <frank.dawson@nokia.com> wrote:
>>>>>> Hei Greg.
>>>>>> 
>>>>>> Looks like a hard crowd to please at SOUPS events :-)
>>>>>> 
>>>>>> SOUPS acceptance rates: 2005: 10/39 (25%); 2006: 14/39 (35%); 
>>>>>> 2007: 12/41 (29%); 2008: 13/43 (30%); 2009: 15/49 (30%); 2010: 
>>>>>> 16/65 (24%); 2011: 15/45 (33%); 2012: 14/67 (20%); 2013 15/51 
>>>>>> (29%)
>>>>>> 
>>>>>> At least maybe you can escape the heat/humidity of summer time in 
>>>>>> DC for a while.
>>>>>> 
>>>>>> I looked at the questionnaire that you, Joe and Mike updated. Have 
>>>>>> you read the PRIPARE paper from the IWPE15 event on goal-based 
>>>>>> versus risk-based approaches to analyzing privacy impact? Net-net 
>>>>>> is that both approaches are important and a hybrid of the two 
>>>>>> makes for better privacy engineering.
>>>>>> 
>>>>>> The questionnaire approach is good when the system is well known 
>>>>>> and a true table of knowledge exists for problem determination and 
>>>>>> solution selection (e.g., A380 engine #4 shows fire light, what to 
>>>>>> do). But with the privacy impact analysis for new web technologies 
>>>>>> this might not be the case.
>>>>>> 
>>>>>> I was wondering if the questionnaire might be complemented by some 
>>>>>> additional section with more systematic guidance. For example, 
>>>>>> pre-analysis work involving assembly by editors of a worksheet 
>>>>>> with a data inventory that can be used for analysis of the data 
>>>>>> flows involved. Attached is an example, but this could be 
>>>>>> specified in other ways than XLS, such as questions. Obviously, 
>>>>>> the attached example columns are specific to a deployment of a 
>>>>>> standard (i.e., implementation or product) but can be generalized 
>>>>>> to capture the more generic nature of what a W3C web specification 
>>>>>> would create.
>>>>>> 
>>>>>> Also, the questionnaire could be supplemented by a suggested PII 
>>>>>> classification scheme. I prefer the Paul Schwartz/Daniel Solove 
>>>>>> “PII 2.0”, as is incorporated into the XLS attached.
>>>>>> 
>>>>>> Lastly, the W3C specifications are for a global web, but the 
>>>>>> vocabulary in the questionnaire is very US specific (e.g., use of 
>>>>>> PII over Personal Data). Why not go for a more international 
>>>>>> vocabulary (e.g., EU GDPR, which is being copied by regional 
>>>>>> jurisdictions other than the US, or ISO 29100/Privacy Framework, 
>>>>>> whose PDF is freely available from ISO)?
>>>>>> 
>>>>>> Additionally, the questionnaire could be enhanced by a Privacy 
>>>>>> Recommendations section that listed a set or catalog of 
>>>>>> principles, controls and implementation criteria. The set would be 
>>>>>> something that would grow as experience identified further 
>>>>>> patterns for best practice. The sectorial standards for the ISO 
>>>>>> 27001 series for Information Security Management Systems provide 
>>>>>> in ISO 27009 guidance on how this would be formatted.
>>>>>> 
>>>>>> x Data Stewardship
>>>>>> 
>>>>>> x.1 Data inventory
>>>>>> 
>>>>>> Control: Personal data collected, processed, stored, transferred 
>>>>>> or managed by the specification is identified and classified 
>>>>>> according to its purposes, personal data category, security 
>>>>>> category, retention/deletion recommendation…
>>>>>> 
>>>>>> Implementation guidance: Sensitive categories of personal data 
>>>>>> should be encrypted when transferred and consideration given on 
>>>>>> encryption when at rest/stored.
>>>>>> 
>>>>>> Frank/
>>>>>> 
>>>>>> From: ext Greg Norcie [mailto:gnorcie@cdt.org]
>>>>>> Sent: Tuesday, June 30, 2015 20:51
>>>>>> To: Christine Runnegar
>>>>>> Cc: public-privacy (W3C mailing list)
>>>>>> Subject: Re: new security/privacy review questions
>>>>>> 
>>>>>> Hi all,
>>>>>> 
>>>>>> Joe's out of the office this week, but I spoke with him before he 
>>>>>> left, and he will be at IETF in Prague.
>>>>>> 
>>>>>> I'd love to join him, but I had made plans to attend SOUPS in 
>>>>>> Ottawa during that time prior to this idea being raised. (But if 
>>>>>> anyone will also be at SOUPS I'd be happy to chat)
>>>>>> 
>>>>>> If anyone has feedback between now and then, please feel free to 
>>>>>> share it with the list and I will iterate on the current question 
>>>>>> set.
>>>>>> 
>>>>>> On Tue, Jun 30, 2015 at 7:52 AM, Christine Runnegar 
>>>>>> <runnegar@isoc.org> wrote:
>>>>>>> Thank you Greg and Joe for all your work on this.
>>>>>>> 
>>>>>>> One suggestion at the PING call last week is to use at least some 
>>>>>>> of the time at the PING meeting alongside IETF (Thursday 23 July 
>>>>>>> - during the lunch break) to progress this work further.
>>>>>>> 
>>>>>>> In the meantime, everyone, please continue to share your thoughts 
>>>>>>> on the draft as well as the feedback from Greg and Joe.
>>>>>>> 
>>>>>>> Christine and Tara
>>>>>>> 
>>>>>>> > On 24 Jun 2015, at 3:34 pm, Greg Norcie <gnorcie@cdt.org> wrote:
>>>>>>> >
>>>>>>> > Hi all,
>>>>>>> >
>>>>>>> > Joe Hall and I have been working on a rewrite of the TAG security questionnaire [1], which incorporates privacy concerns as well as security concerns. (For example, we include some of the questions raised by Nick in his privacy questionnaire. [2])
>>>>>>> >
>>>>>>> > We also split the questionnaire into a security section and a privacy section (with the implication all new standards should enumerate their privacy impacts as well as their security impacts.)
>>>>>>> >
>>>>>>> > The goal is that for each question, there will eventually be an explanation and a concrete, real world example.
>>>>>>> >
>>>>>>> > [1] https://w3ctag.github.io/security-questionnaire/
>>>>>>> > [2] https://lists.w3.org/Archives/Public/public-privacy/2013AprJun/0004.html
>>>>>>> >
>>>>>>> > I've attached a .odt outlining our proposed questions, as well as a PDF in case you don't have an ODT capable editor installed. (I recommend Libreoffice)
>>>>>>> > --
>>>>>>> > /***********************************/
>>>>>>> > Greg Norcie (norcie@cdt.org)
>>>>>>> > Staff Technologist
>>>>>>> > Center for Democracy & Technology
>>>>>>> > 1634 Eye St NW Suite 1100
>>>>>>> > Washington DC 20006
>>>>>>> > (p) 202-637-9800
>>>>>>> > PGP: http://norcie.com/pgp.txt
>>>>>>> >
>>>>>>> > Fingerprint:
>>>>>>> > 73DF-6710-520F-83FE-03B5
>>>>>>> > 8407-2D0E-ABC3-E1AE-21F1
>>>>>>> >
>>>>>>> > /***********************************/
>>>>>>> > <PingPrivSecQs..pdf><PingPrivSecQs.odt>
>>>>>>> 
>> 
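The three mitigations Frank Dawson lists earlier in this thread (data minimization via parameter-by-parameter retrieval, privacy by default, and timely user control) can be made concrete in code. The following is an added example written for this archive page; it is not code from the thread, from the Devices API work it mentions, or from any W3C specification. It models an address-book lookup that hands the calling page an opaque handle instead of the entry, discloses no field until the user grants it, and lets the user revoke a field at any point in the session. All names (ContactStore, grantFields, revokeFields, getField, disclosures) and the sample contacts are assumptions constructed for illustration.

```javascript
// Added example, not code from the thread or any W3C specification.
// Models three mitigations discussed in the thread:
//   - data minimization: lookup() returns an opaque handle; getField() yields one
//     granted field per call, never the whole entry;
//   - privacy by default: a fresh handle has no granted fields at all;
//   - timely user control: revokeFields() works even after consent was given.
// Names and sample data are assumptions constructed for illustration.

// Constructed sample data standing in for a user agent's real address book.
const SAMPLE_CONTACTS = [
  { id: "c1", name: "Alice Example", email: "alice@example.test",
    phone: "+1-555-0100", address: "1 Sample Street" },
  { id: "c2", name: "Bob Example", email: "bob@example.test",
    phone: "+1-555-0101", address: "2 Sample Street" },
];

// Closed list of fields a user may grant; anything else is rejected outright.
const ALLOWED_FIELDS = new Set(["name", "email", "phone", "address"]);

let tokenCounter = 0;
function newToken() {
  // Opaque, unguessable handle; falls back to a counter where Web Crypto is absent.
  if (globalThis.crypto && typeof globalThis.crypto.randomUUID === "function") {
    return globalThis.crypto.randomUUID();
  }
  return `handle-${++tokenCounter}`;
}

class ContactStore {
  constructor(contacts) {
    this._contacts = new Map(contacts.map((c) => [c.id, c]));
    // token -> { id, granted: Set of field names, disclosed: field names released }
    this._handles = new Map();
  }

  // Resolve a display name to a handle. The caller learns only that a match exists.
  lookup(name) {
    for (const c of this._contacts.values()) {
      if (c.name.toLowerCase() === name.toLowerCase()) {
        const token = newToken();
        this._handles.set(token, { id: c.id, granted: new Set(), disclosed: [] });
        return token;
      }
    }
    return null;
  }

  // The user (not the calling page) grants access to named fields for one handle.
  grantFields(token, fields) {
    const h = this._handle(token);
    for (const f of fields) {
      if (!ALLOWED_FIELDS.has(f)) throw new RangeError(`unknown field: ${f}`);
      h.granted.add(f);
    }
  }

  // Revocation is allowed at any time, even mid-session, and is idempotent.
  revokeFields(token, fields) {
    const h = this._handle(token);
    for (const f of fields) h.granted.delete(f);
  }

  // One field per call. Ungranted fields are refused; each release is logged.
  getField(token, field) {
    const h = this._handle(token);
    if (!h.granted.has(field)) throw new Error(`field not granted: ${field}`);
    h.disclosed.push(field);
    return this._contacts.get(h.id)[field];
  }

  // Audit trail of which fields actually left the store for this handle.
  disclosures(token) {
    return [...this._handle(token).disclosed];
  }

  _handle(token) {
    const h = this._handles.get(token);
    if (!h) throw new Error("invalid handle");
    return h;
  }
}

// Walks the full grant / read / revoke flow and returns the observable outcomes.
function demo() {
  const store = new ContactStore(SAMPLE_CONTACTS);
  const h = store.lookup("Alice Example");
  const denied = (fn) => { try { fn(); return false; } catch (e) { return true; } };
  const deniedBeforeGrant = denied(() => store.getField(h, "email"));
  store.grantFields(h, ["email"]);
  const email = store.getField(h, "email");
  const phoneDenied = denied(() => store.getField(h, "phone"));
  store.revokeFields(h, ["email"]);
  const deniedAfterRevoke = denied(() => store.getField(h, "email"));
  return {
    handleIsOpaque: typeof h === "string" && !h.includes("Alice"),
    deniedBeforeGrant, email, phoneDenied, deniedAfterRevoke,
    disclosed: store.disclosures(h), unknown: store.lookup("Nobody"),
  };
}

module.exports = { ContactStore, SAMPLE_CONTACTS, ALLOWED_FIELDS, demo };
```

The point of the design is that the calling page never holds a copy of the entry: every value it receives is one field that the user explicitly allowed, and the store's disclosure log tells a reviewer exactly what was released, which is the kind of data-flow inventory Frank's worksheet proposal asks editors to assemble.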
Received on Friday, 3 July 2015 12:11:37 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 July 2015 12:11:37 UTC