Re: new security/privacy review questions

Thanks Greg - and I look forward to seeing anyone who can make it to Prague in person.

On the topic of terminology: I understand your preference for "personally derived information", since I think the established terms (personal data, personally identifiable information) and their definitions have shortcomings - on the other hand, they are established and there is a wealth of description and examples to supplement them.

On the other hand, one of my gripes about them is that they don't naturally lead to a consideration of inference data as a source of privacy risk/harm. They tend to encourage a focus on the individual, whereas in today's Internet, a growing proportion of privacy risk/harm arises from data about *others* and their behaviour, not data about you.

I don't have a neat definition to suggest that moves us further in that direction, but I'm open to suggestions ;^)

Best wishes,
Robin

Robin Wilton

Technical Outreach Director - Identity and Privacy

On 7 Jul 2015, at 19:31, "Greg Norcie" <gnorcie@cdt.org> wrote:

Hi all,

So I spoke with Joe - he will definitely be in Prague, however we both agree it'd be ideal to keep as much of the discussion on list as possible, so those who won't be present can give feedback. (The IETF meeting can focus on discussing any remaining sticking points / high level issues that need debate).

I went through the questions and edited them to try to be more respectful of international norms, using language like "personally derived information" rather than "personally identifiable" information.

I also fleshed out the sections where an explanation and/or example was lacking.

(The goal is that each section have an explanation of the question as well as a real world example - some questions seem pretty self explanatory but I'd rather be a little redundant rather than start to make subjective judgements on what questions are "self explanatory")

On Sat, Jul 4, 2015 at 8:11 AM, Ambarish S Natu <ambarish.natu@gmail.com> wrote:
If I try to summarize Privacy as a state free from observation and Security as a state free from danger, what will ensure that an individual be free from any observation, be it PII or PDI or something else? I have no particular preference.

Ambarish


On Saturday, 4 July 2015, Craig Spiezle <craigs@otalliance.org> wrote:
+1. Agree with David

Sent from my iPhone

> On Jul 3, 2015, at 4:21 PM, David Singer <singer@apple.com> wrote:
>
>
>> On Jul 3, 2015, at 4:28 , Christine Runnegar <runnegar@isoc.org> wrote:
>>
>> Yes, welcome Tiffany, and thank you for sharing your views.
>>
>> Indeed, the scope of privacy and data protection laws (i.e. the definition of "personal data/personal information") varies depending on the jurisdiction.
>>
>> A common, but not universal definition is:
>>
>> "any information [relating to/about] an identified or identifiable individual"
>>
>> (found, for example, in the OECD Privacy Guidelines, Council of Europe Convention 108 and APEC Privacy Framework)
>>
>> My personal preference is not to use "PII", but rather, "personal data" or "personal information", as needed.
>
> yes.  I am quite fond of 'personally derived information' i.e. information that derives from the actions of a single person.
>
>
> David Singer
> Manager, Software Standards, Apple Inc.
>
>



--

Sent from Gmail Mobile



--
/***********************************/
Greg Norcie (norcie@cdt.org)
Staff Technologist
Center for Democracy & Technology
1634 Eye St NW Suite 1100
Washington DC 20006
(p) 202-637-9800
PGP: http://norcie.com/pgp.txt

Fingerprint:
73DF-6710-520F-83FE-03B5
8407-2D0E-ABC3-E1AE-21F1

/***********************************/
<PingPrivSecQs-3.pdf>
<PingPrivSecQs-3.odt>

Received on Tuesday, 7 July 2015 18:40:38 UTC