W3C home > Mailing lists > Public > public-privacy@w3.org > July to September 2015

Re: Privacy Questionnaire

From: Kepeng Li <kepeng.lkp@alibaba-inc.com>
Date: Fri, 31 Jul 2015 10:29:27 +0800
To: Joseph Lorenzo Hall <joe@cdt.org>
CC: Christine Runnegar <runnegar@isoc.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-ID: <D1E0F802.14CB0%kepeng.lkp@alibaba-inc.com>
> Feel free to add this to the wiki...


OK, I will reword it a little bit and add this to the wiki.

>So is this question specifically about creating data that
>might be personal? For example for WebRTC, it generates a bunch of
>audio/video data, and depending on what the camera is pointed at, some
>of that could be quite personal.


Good point. Lets focus on creating data and classification of data, but
leave data handling to other questions.

Let me add your example above.

Here is the updated version:

X Will this specification generate data and what is the classification of
the generated data?

Explanation: 
It is important to know if this specification generates data that might be
personal. Also understanding the classification of the generated data is
important to determine the processing methods. One way to minimize the
privacy impact is to minimize the collection of personal information in
the first place and to limit the retention of that data for further
processing. To protect the generated personal data, some methods can be
adopted, e.g. de-identification, anonymous, encryption.

Example: 
For WebRTC, it generates a bunch of audio/video data, and depending on
what the camera is pointed at, some of that could be quite personal. About
the generated data, we should determine: why the data is collected, what
is the primary purpose for the processing, where it is being transferred
or stored and how long it is being retained. In addition, the anonymity
characteristic or the degree that the individual associated with the
personal data can be identified, linked to, or named through observing the
network traffic containing the data, needs to be classified (that is, the
personal data, in fact, personally identifiable information or PII).
Personal data is classified as identified, identifiable and
non-identifiable. In addition, a classification of sensitive identifiable
should be considered.



Thanks,

Kind Regards
Kepeng

 31/7/15 4:34 am "Joseph Lorenzo Hall" <joe@cdt.org> д:

>Thanks, Kepeng!  Feel free to add this to the wiki... greg/me/CDT
>don't want it to feel like we "own" that, and others should feel free
>to change it (as long as you have a w3c login).
>
>I do think "classification" is a bit general... there are other parts
>of the questionnaire that talk about "handling personal data" (my
>words). So is this question specifically about creating data that
>might be personal? For example for WebRTC, it generates a bunch of
>audio/video data, and depending on what the camera is pointed at, some
>of that could be quite personal.
>
>best, Joe
>
>On Wed, Jul 29, 2015 at 9:14 PM, Kepeng Li <kepeng.lkp@alibaba-inc.com>
>wrote:
>> Hello all,
>>
>>>Link to the PING working document:
>> https://www.w3.org/wiki/Privacy_and_security_questionnaire
>>
>>
>> I propose to add another privacy question:
>>
>> X Will this specification generate data? What is the classification of
>>the
>> generated
>> data and how to deal with that?
>>
>> Explanation:
>> Understanding the classification of the generated data is important to
>> determine the
>> processing methods. One way to minimize the privacy impact is to
>>minimize
>> the
>> collection of personal information in the first place and to limit the
>> retention of that data for further processing. To protect the privacy
>>data,
>> some methods can be adopted, e.g. de-identification, anonymous,
>>encryption.
>>
>> Example: There are a number of classification schemes
>> that can be used to achieve this process step, but in general we should
>> determine: why the data is collected, what is the primary purpose for
>>the
>> processing, where it is being transferred or stored and how long it is
>> being
>> retained. In addition, the anonymity characteristic or the degree that
>>the
>> individual associated with the personal data can be identified, linked
>>to,
>> or
>> named through observing the network traffic containing the data, needs
>>to
>> be
>> classified (that is, the personal data, in fact, personally identifiable
>> information or PII). Personal data is classified as identified,
>> identifiable
>> and non-identifiable. In addition, a classification of sensitive
>> identifiable
>> should be considered.
>>
>>
>> Thanks,
>>
>> Kind Regards
>> Kepeng
>>
>>>
>>>> Begin forwarded message:
>>>>
>>>> From: Christine Runnegar <runnegar@isoc.org>
>>>> Subject: Fwd: Save the date - PING at IETF - Thursday 23 July
>>>> Date: 15 July 2015 9:57:12 am GMT+2
>>>> To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
>>>> Resent-From: <public-privacy@w3.org>
>>>>
>>>> PING and friends,
>>>>
>>>> We will be meeting in the Rokoska room between 11:30 and 13:00 on
>>>>Thursday 23 July 2015.
>>>>
>>>> Anyone with an interest in privacy is welcome. Bring your friends!
>>>>
>>>> Please let us know (off list) if you plan to attend.
>>>>
>>>> The main topic will be the draft TAG privacy and security
>>>>questionnaire:
>>>>
>>>> https://w3ctag.github.io/security-questionnaire/
>>>>
>>>> Link to the PING working document:
>>>>
>>>> https://www.w3.org/wiki/Privacy_and_security_questionnaire
>>>>
>>>> Useful background reading:
>>>>
>>>> DRAFT - Fingerprinting guidance -
>>>>https://w3c.github.io/fingerprinting-guidance/
>>>> DRAFT - Privacy considerations -
>>>>https://w3c.github.io/privacy-considerations/
>>>> DRAFT - Specification Privacy Assessment -
>>>>http://yrlesru.github.io/SPA/
>>>>
>>>> Please note that this will be a bring your own lunch meeting
>>>>
>>>> Christine and Tara
>>>>
>>>>> Begin forwarded message:
>>>>>
>>>>> From: Christine Runnegar <runnegar@isoc.org>
>>>>> Subject: Save the date - PING at IETF - Thursday 23 July
>>>>> Date: 10 June 2015 7:59:29 am GMT+2
>>>>> To: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
>>>>> Resent-From: <public-privacy@w3.org>
>>>>>
>>>>> Hi all,
>>>>>
>>>>> We will be again organising an informal PING and friends get-together
>>>>>alongside IETF.
>>>>>
>>>>> Please join us on Thursday 23 July 2015 during the lunch break.
>>>>>
>>>>> (Precise meeting time and location to be advised)
>>>>>
>>>>> Christine and Tara
>>>>
>>>
>>
>>
>>
>
>
>
>-- 
>Joseph Lorenzo Hall
>Chief Technologist
>Center for Democracy & Technology
>1634 I ST NW STE 1100
>Washington DC 20006-4011
>(p) 202-407-8825
>(f) 202-637-0968
>joe@cdt.org
>PGP: https://josephhall.org/gpg-key
>fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
Received on Friday, 31 July 2015 02:30:19 UTC

This archive was generated by hypermail 2.3.1 : Friday, 31 July 2015 02:30:20 UTC