Re: new security/privacy review questions

> On Jul 7, 2015, at 20:40 , Robin Wilton <wilton@isoc.org> wrote:
> 
> Thanks Greg - and I look forward to seeing anyone who can make it to Prague in person.
> 
> On the topic of terminology: I understand your preference for "personally derived information", since I think the established terms (personal data, personally identifiable information) and their definitions have shortcomings - on the other hand, they are established and there is a wealth of description and examples to supplement them.
> 
> On the other hand, one of my gripes about them is that they don't naturally lead to a consideration of inference data as a source of privacy risk/harm. They tend to encourage a focus on the individual, whereas in today's Internet, a growing proportion of privacy risk/harm arises from data about *others* and their behaviour, not data about you.
> 

Yes.  It used to be true that it was a courtesy violation for someone to give out my contact information without my permission. Indeed, when individual people are concerned, I will still get requests “do you mind if I give so-and-so your contact information?”.  Yet somehow services have persuaded people that giving them access to their contact database is OK.

I recently joined a social service, and it already knew who many of my friends are: presumably because they had told the service that I was their friend, by giving the service access to their contact set.

In a sense, a contact database is doubly-personally-derived; it says something about both me and the people identified in it.

The reason I like ‘personally derived information’ is that once information results from the interaction of a single person, I think it deserves thought and care as to how it is handled, as it probably has something to say about the person(s) involved.

David Singer
Manager, Software Standards, Apple Inc.

Received on Wednesday, 8 July 2015 07:31:22 UTC