- From: Rob van Eijk <rob@blaeu.com>
- Date: Fri, 03 Jul 2015 14:11:04 +0200
- To: Christine Runnegar <runnegar@isoc.org>
- Cc: Katie Haritos-Shea GMAIL <ryladog@gmail.com>, Tiffany DUMAS <tiffany.dumas@live.com>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
>> As to first party and third party, I believe there were many many
>> discussions about this in the Tracking Protection WG, but that they
>> were specifically for that context.
In the TPWG we also aimed at law-neutral formulations of the key terms
[1,2]. As to first and third party, e.g., in the US first and third
party relate more to a service provider model whereas in the EU this
relates to data controller/data processor or joint controllership.
Rob
[1] http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#first-party
[2] http://www.w3.org/2011/tracking-protection/drafts/tracking-compliance.html#third-party
Christine Runnegar wrote on 2015-07-03 13:28:
> Yes, welcome Tiffany, and thank you for sharing your views.
>
> Indeed, the scope of privacy and data protection laws (i.e. the
> definition of “personal data/personal information”) varies depending
> on the jurisdiction.
>
> A common, but not universal definition is:
>
> “any information [relating to/about] an identified or identifiable
> individual”
>
> (found, for example, in the OECD Privacy Guidelines, Council of Europe
> Convention 108 and APEC Privacy Framework)
>
> My personal preference is not to use “PII”, but rather, “personal
> data” or “personal information”, as needed.
>
> As much as possible, we should try to be “law-neutral” in our approach.
>
> Our goal is to help Web specifications authors consider privacy
> implications and choose privacy-enhancing design choices. To do this,
> we need to use language that makes sense for that audience. This is
> often why we see discussions about “identifiers”, “permissions”,
> “fingerprinting”, “persistence”, “same-origin”, “user agent”, etc.
> Also, as some of the key privacy-decision points may occur at
> implementation, it is useful to include guidance for implementors, as
> appropriate.
>
> As to first party and third party, I believe there were many many
> discussions about this in the Tracking Protection WG, but that they
> were specifically for that context.
>
> Generally, however, the language typically revolves around “origin”,
> “same origin” and “cross-origin”. However, I will leave this to others
> to explain in more detail.
>
> Christine
>
>> On 2 Jul 2015, at 5:48 pm, Katie Haritos-Shea GMAIL
>> <ryladog@gmail.com> wrote:
>>
>> Welcome Tiffany! Your English is great….:-)
>>
>>
>>
>> * katie *
>>
>> Katie Haritos-Shea
>> Senior Accessibility SME (WCAG/Section 508/ADA/AODA)
>>
>> Cell: 703-371-5545 | ryladog@gmail.com | Oakton, VA | LinkedIn Profile
>> | Office: 703-371-5545
>>
>> From: Tiffany DUMAS [mailto:tiffany.dumas@live.com]
>> Sent: Thursday, July 2, 2015 4:17 AM
>> To: public-privacy@w3.org
>> Subject: Re: new security/privacy review questions
>>
>> Hi Everybody,
>>
>> I'm new to this mailing list and I feel very honoured that you accepted
>> me. I'm a French attorney, passionate and concerned about privacy
>> issues, so please excuse my bad English and my ignorance of US
>> law...
>>
>> I agree that the specifications should use terms that are not too much
>> related to a national legislation and are more neutral, to be more
>> understandable for everybody. "PII" is too close to US law and
>> "Personal Data" maybe too close to EU law. However, comparing the French
>> and European definition of Personal Data to the definition you give of
>> PII in these specifications, both concepts seem to me quite similar:
>>
>> The legal definition of personal data according to the EU directive of
>> 1995 on personal data is: "'personal data' shall mean any information
>> relating to an identified or identifiable natural person ('data
>> subject'); an identifiable person is one who can be identified,
>> directly or indirectly, in particular by reference to an
>> identification number or to one or more factors specific to his
>> physical, physiological, mental, economic, cultural or social
>> identity".
>>
>> In other words, personal data is also data that at first sight
>> isn't personally identifying but becomes personally identifying when
>> it's combined or cross-referenced with other data and as a result makes
>> it possible to identify a person (for example a cookie identifier
>> cross-referenced with a browser history).
>>
>> On the other hand, what is not defined in these specifications and seems
>> unclear to me is what you understand by "First" and "Third"
>> Party. Talking about this in France with developers, it is a real
>> debate. As a lawyer I understand strictly that first party is
>> exclusively the components controlled by the controller (the person
>> that I, as a user, think I'm directly talking to and who legally
>> defines the purposes and the collection of data) and a third party is
>> any other person outside of this relationship, even if the third party
>> has been authorised by the controller but the processing of data isn't
>> completely controlled by the controller (so it materially can't be
>> under his direct authority, for example data collected by Google
>> Analytics).
>>
>> Here is the legal definition of third party according to the EU
>> directive of 1995: "'third party' shall mean any natural or legal
>> person, public authority, agency or any other body other than the data
>> subject, the controller, the processor and the persons who, under the
>> direct authority of the controller or the processor, are authorized to
>> process the data".
>>
>> The developers I was talking with understand that a third
>> party is only a person who wasn't authorised by the controller.
>>
>> What is your position?
>>
>> Regards,
>>
>> On 01/07/2015 22:43, Katie Haritos-Shea GMAIL wrote:
>>> I think this is a very good first pass, however, I think that we
>>> should give the localized name as (e.g, ?) after the
>>> internationalized term.
>>>
>>> As an example:
>>>
>>> Where you have “high-value data” I would like to see (e.g, PII,
>>> <whatever PII is referred to elsewhere>, PIFI, PHI) – so that users
>>> in each country can better understand what is being said...
>>>
>>> * katie *
>>>
>>> Katie Haritos-Shea
>>> Senior Accessibility SME (WCAG/Section 508/ADA/AODA)
>>>
>>> Cell: 703-371-5545 | ryladog@gmail.com | Oakton, VA | LinkedIn Profile
>>> | Office: 703-371-5545
>>>
>>> From: Greg Norcie [mailto:gnorcie@cdt.org]
>>> Sent: Wednesday, July 1, 2015 4:22 PM
>>> To: Greg Norcie
>>> Cc: public-privacy (W3C mailing list)
>>> Subject: Re: new security/privacy review questions
>>>
>>> Also I went through and made a pass at removing the instances of
>>> "PII" and replacing with more inclusive language.
>>>
>>> On Wed, Jul 1, 2015 at 4:20 PM, Greg Norcie <gnorcie@cdt.org> wrote:
>>>> Hi Frank,
>>>>
>>>> Please send your feedback to the list so it can be discussed.
>>>>
>>>> Thanks for the help!
>>>>
>>>> On Wed, Jul 1, 2015 at 4:17 PM, Dawson Frank (Nokia-TECH/Irving)
>>>> <frank.dawson@nokia.com> wrote:
>>>>> PS…
>>>>>
>>>>> Under §4 Mitigations, it occurred to me that another mitigation is
>>>>> “data minimization”. An example was in work that ex-colleague
>>>>> Frederick Hirsch did in the Devices API work. For example, on
>>>>> addressbook lookup, rather than allowing the API to transfer the
>>>>> full addressbook entry via an identifier, you had to access the
>>>>> entry and retrieve partial information, parameter by parameter, out
>>>>> of the entry. This data minimization decreased the attack surface
>>>>> of the API by limiting the amount of the entry that could be
>>>>> retrieved at once.
>>>>>
>>>>> Another would be the classic “Privacy by Default”. For example,
>>>>> when you would use WebRTC to open a video connection, the
>>>>> microphone and video sensors should be muted and privacy lid
>>>>> enabled by default.
>>>>>
>>>>> Another would be “Contextual or Timely User Control” (you might have
>>>>> a better term). In the same example as previous, the user should have
>>>>> the ability to toggle off microphone and video, on demand, even if
>>>>> consent has already been granted for the session.
>>>>>
>>>>> From: ext Greg Norcie [mailto:gnorcie@cdt.org]
>>>>> Sent: Wednesday, July 01, 2015 10:27
>>>>> To: Dawson Frank (Nokia-TECH/Irving)
>>>>> Cc: public-privacy (W3C mailing list)
>>>>> Subject: Re: new security/privacy review questions
>>>>>
>>>>> Hi Frank,
>>>>>
>>>>> Thanks for the input. I definitely agree we should try to remove US
>>>>> centric language. I can try to go through and be a little more
>>>>> general, but it might be useful for a non-US person to make a pass
>>>>> as well.
>>>>>
>>>>> I will make a second pass today and try to alter anything that
>>>>> seems especially tied to US law.
>>>>>
>>>>> Also, while I'm sure there are many techniques aside from
>>>>> questionnaires that can be used when reviewing a new standard, I
>>>>> think for right now we'll focus on refining the questionnaire -
>>>>> other techniques can certainly be developed to supplement the
>>>>> questionnaire once it is mature.
>>>>>
>>>>> (The addition of new sections would be something that probably
>>>>> should be saved for discussion in Prague)
>>>>>
>>>>> I'll send out a revised question set with revised language later
>>>>> today.
>>>>>
>>>>> -Greg
>>>>>
>>>>> On Wed, Jul 1, 2015 at 10:50 AM, Dawson Frank (Nokia-TECH/Irving)
>>>>> <frank.dawson@nokia.com> wrote:
>>>>>> Hei Greg.
>>>>>>
>>>>>> Looks like a hard crowd to please at SOUPS events :-)
>>>>>>
>>>>>> SOUPS acceptance rates: 2005: 10/39 (25%); 2006: 14/39 (35%);
>>>>>> 2007: 12/41 (29%); 2008: 13/43 (30%); 2009: 15/49 (30%); 2010:
>>>>>> 16/65 (24%); 2011: 15/45 (33%); 2012: 14/67 (20%); 2013: 15/51
>>>>>> (29%)
>>>>>>
>>>>>> At least maybe you can escape the heat/humidity of summer time in
>>>>>> DC for a while.
>>>>>>
>>>>>> I looked at the questionnaire that you, Joe and Mike updated. Have
>>>>>> you read the PRIPARE paper from the IWPE15 event on goal-based versus
>>>>>> risk-based approaches to analyzing privacy impact? Net-net is that
>>>>>> both approaches are important and a hybrid of the two makes for
>>>>>> better privacy engineering.
>>>>>>
>>>>>> The questionnaire approach is good when the system is well known and
>>>>>> a true table of knowledge exists for problem determination and
>>>>>> solution selection (e.g., A380 engine #4 shows fire light, what to
>>>>>> do). But with the privacy impact analysis for new web technologies
>>>>>> this might not be the case.
>>>>>>
>>>>>> I was wondering if the questionnaire might be complemented by some
>>>>>> additional section with more systematic guidance. For example,
>>>>>> pre-analysis work involving assembly by editors of a worksheet with
>>>>>> a data inventory that can be used for analysis of the data flows
>>>>>> involved. Attached is an example, but this could be specified in
>>>>>> other ways than XLS, such as questions. Obviously, the attached
>>>>>> example columns are specific to a deployment of a standard (i.e.,
>>>>>> implementation or product) but can be generalized to capture the
>>>>>> more generic nature that a W3C web specification would create.
>>>>>>
>>>>>> Also, the questionnaire could be supplemented by a suggested PII
>>>>>> classification scheme. I prefer the Paul Schwartz/Daniel Solove
>>>>>> “PII 2.0”, as is incorporated into the XLS attached.
>>>>>>
>>>>>> Lastly, the W3C specifications are for a global web, but the
>>>>>> vocabulary in the questionnaire is very US specific (e.g., use of
>>>>>> PII over Personal Data). Why not go for a more international
>>>>>> vocabulary (e.g., EU GDPR that is being copied by regional
>>>>>> jurisdictions other than US, or ISO 29100/Privacy Framework whose
>>>>>> PDF is freely available from ISO).
>>>>>>
>>>>>> Additionally, the questionnaire could be enhanced by a Privacy
>>>>>> Recommendations section that listed a set or catalog of
>>>>>> principles, controls, implementation criteria. The set would be
>>>>>> something that would grow as experience identified further
>>>>>> patterns for best practice. The sectorial standards for the ISO
>>>>>> 27001-series for Information Security Management Systems provide
>>>>>> in ISO 27009 guidance on how this would be formatted.
>>>>>>
>>>>>> x Data Stewardship
>>>>>>
>>>>>> x.1 Data inventory
>>>>>>
>>>>>> Control: Personal data collected, processed, stored, transferred
>>>>>> or managed by the specification is identified and classified
>>>>>> according to its purposes, personal data category, security
>>>>>> category, retention/deletion recommendation…
>>>>>>
>>>>>> Implementation guidance: Sensitive categories of personal data
>>>>>> should be encrypted when transferred and consideration given on
>>>>>> encryption when at rest/stored.
>>>>>>
>>>>>> Frank/
>>>>>>
>>>>>> From: ext Greg Norcie [mailto:gnorcie@cdt.org]
>>>>>> Sent: Tuesday, June 30, 2015 20:51
>>>>>> To: Christine Runnegar
>>>>>> Cc: public-privacy (W3C mailing list)
>>>>>> Subject: Re: new security/privacy review questions
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> Joe's out of the office this week, but I spoke with him before he
>>>>>> left, and he will be at IETF in Prague.
>>>>>>
>>>>>> I'd love to join him, but I had made plans to attend SOUPS in
>>>>>> Ottawa during that time prior to this idea being raised. (But if
>>>>>> anyone will also be at SOUPS I'd be happy to chat)
>>>>>>
>>>>>> If anyone has feedback between now and then, please feel free to
>>>>>> share it with the list and I will iterate on the current question
>>>>>> set.
>>>>>>
>>>>>> On Tue, Jun 30, 2015 at 7:52 AM, Christine Runnegar
>>>>>> <runnegar@isoc.org> wrote:
>>>>>>> Thank you Greg and Joe for all your work on this.
>>>>>>>
>>>>>>> One suggestion at the PING call last week is to use at least some
>>>>>>> of the time at the PING meeting alongside IETF (Thursday 23 July
>>>>>>> - during the lunch break) to progress this work further.
>>>>>>>
>>>>>>> In the meantime, everyone, please continue to share your thoughts
>>>>>>> on the draft as well as the feedback from Greg and Joe.
>>>>>>>
>>>>>>> Christine and Tara
>>>>>>>
>>>>>>> > On 24 Jun 2015, at 3:34 pm, Greg Norcie <gnorcie@cdt.org> wrote:
>>>>>>> >
>>>>>>> > Hi all,
>>>>>>> >
>>>>>>> > Joe Hall and I have been working on a rewrite of the TAG security questionnaire [1], which incorporates privacy concerns as well as security concerns. (For example, we include some of the questions raised by Nick in his privacy questionnaire. [2])
>>>>>>> >
>>>>>>> > We also split the questionnaire into a security section and a privacy section (with the implication all new standards should enumerate their privacy impacts as well as their security impacts.)
>>>>>>> >
>>>>>>> > The goal is that for each question, there will eventually be an explanation and a concrete, real world example.
>>>>>>> >
>>>>>>> > [1] https://w3ctag.github.io/security-questionnaire/
>>>>>>> > [2] https://lists.w3.org/Archives/Public/public-privacy/2013AprJun/0004.html
>>>>>>> >
>>>>>>> > I've attached a .odt outlining our proposed questions, as well as a PDF in case you don't have an ODT-capable editor installed. (I recommend LibreOffice)
>>>>>>> > --
>>>>>>> > /***********************************/
>>>>>>> > Greg Norcie (norcie@cdt.org)
>>>>>>> > Staff Technologist
>>>>>>> > Center for Democracy & Technology
>>>>>>> > 1634 Eye St NW Suite 1100
>>>>>>> > Washington DC 20006
>>>>>>> > (p) 202-637-9800
>>>>>>> > PGP: http://norcie.com/pgp.txt
>>>>>>> >
>>>>>>> > Fingerprint:
>>>>>>> > 73DF-6710-520F-83FE-03B5
>>>>>>> > 8407-2D0E-ABC3-E1AE-21F1
>>>>>>> >
>>>>>>> > /***********************************/
>>>>>>> > <PingPrivSecQs..pdf><PingPrivSecQs.odt>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
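The three mitigations Frank Dawson proposes in the quoted message above (field-by-field data minimization for an address-book lookup, sensors muted by default, and a user toggle that works even after consent) as one added example. This is not code from the thread or from any W3C specification; the contact store, the field grant, the sensor names and every function and class name are constructed assumptions for illustration.

```javascript
// Added example, not code from the thread or from any W3C specification:
// Frank Dawson's three mitigations (data minimization, privacy by default,
// contextual user control) expressed as a small hypothetical API surface.
// All names here (CONTACTS, getContactFields, MediaSession) are assumptions.

// Constructed sample address book.
const CONTACTS = new Map([
  ['c-1', { name: 'Alice Example', email: 'alice@example.test',
            phone: '+1-555-0100', birthday: '1990-01-01' }],
  ['c-2', { name: 'Bob Example', email: 'bob@example.test',
            phone: '+1-555-0101', birthday: '1985-06-30' }],
]);

// Broad design: one identifier hands over the whole entry.
function getContactFull(id) {
  const entry = CONTACTS.get(id);
  return entry ? { ...entry } : null;
}

// Minimized design: the caller must name every field it wants, and each
// named field is checked against the grant the user gave that caller.
// Fields that were neither named nor granted never leave the store, so a
// single call cannot pull the whole entry.
function getContactFields(id, fields, grant) {
  const entry = CONTACTS.get(id);
  if (entry === undefined) return null;
  const out = {};
  for (const field of fields) {
    if (!grant.has(field)) {
      throw new Error(`field "${field}" was not granted to this caller`);
    }
    if (Object.prototype.hasOwnProperty.call(entry, field)) {
      out[field] = entry[field];
    }
  }
  return out;
}

// Privacy by default and contextual control: every consented sensor starts
// muted, and the user may toggle each one during the session without the
// consent decision being revisited. The mute is enforced on the data path
// (sendFrame), not only in the UI, so a muted sensor forwards no frames.
class MediaSession {
  constructor(consentedSensors) {
    this.consented = new Set(consentedSensors);
    this.unmuted = new Set(); // empty at start: muted by default
  }

  isLive(sensor) {
    return this.unmuted.has(sensor);
  }

  // User toggle; refuses sensors that were never consented to.
  setSensor(sensor, on) {
    if (!this.consented.has(sensor)) {
      throw new Error(`no consent was given for ${sensor}`);
    }
    if (on) this.unmuted.add(sensor); else this.unmuted.delete(sensor);
    return this.isLive(sensor);
  }

  // Returns true only if the frame was actually forwarded to the peer sink.
  sendFrame(sensor, frame, sink) {
    if (!this.isLive(sensor)) return false;
    sink.push({ sensor, frame });
    return true;
  }
}

// Stand-alone demo of the two designs side by side.
function demo() {
  const grant = new Set(['name', 'email']);
  const full = getContactFull('c-1');
  const minimal = getContactFields('c-1', ['name'], grant);
  const session = new MediaSession(['microphone', 'camera']);
  const sink = [];
  const droppedWhileMuted = !session.sendFrame('camera', 'frame-0', sink);
  session.setSensor('camera', true);
  session.sendFrame('camera', 'frame-1', sink);
  return { fullFieldCount: Object.keys(full).length,
           minimalFieldCount: Object.keys(minimal).length,
           droppedWhileMuted, forwarded: sink.length };
}

console.log(demo());
```

The point of the contrast is that the minimized lookup makes the amount of data exposed per call a property of the API shape rather than of caller good behaviour, and that the sensor mute is checked where frames are emitted, so the user's toggle cannot be bypassed by a page that ignores the UI state.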
Received on Friday, 3 July 2015 12:11:37 UTC