Re: questionnaire feedback (was Re: Save the date - PING at IETF - Thursday 23 July)

> On Aug 12, 2015, at 5:45 , Joseph Lorenzo Hall <joe@cdt.org> wrote:
> 
> Hi David, text suggestions to get discussion going are always
> welcome... I think the first and third thing here could be dealt with
> rather nicely by some suggested text, if you have the time. As for the
> second…

I’ll look into it, sure.

> 
> On Wed, Aug 5, 2015 at 4:05 PM, David Singer <singer@apple.com> wrote:
>> some questions about the questionnaire. <https://www.w3.org/wiki/Privacy_and_security_questionnaire>
>> 
>> 1. Does this specification deal with personally derived data?
>>        • Explanation: Personal data includes a large swath of data which could be used on its own, or in combination with other information, to identify a single person. The exact definition of what’s considered “personal information” varies, but could certainly include things like a home address, an email address, birthdates, usernames, fingerprints, video recordings, audio recordings, geographic location or any other information derived from a person.
>> 
>> 
>> Um, there are TWO issues here:  (a) can the data be used to identify someone and (b) if the person is or can be identified, is the data revealing something about them?  The latter doesn’t seem addressed.
>> 
>> In general, even innocuous pieces of personally-derived data may become significantly less so when combined with other data.  For example, if you get access to my location, you may learn that I am in a hotel room.  That seems fairly innocuous.  Separately you may learn my home city, which also may be fairly innocuous. But when you realize that the hotel is in my own city, and it’s the middle of the day in that time zone, you might be a teensy bit suspicious…
>> 
>> 
>> 
>> 2. Does this specification allow an origin access to a user’s location, and if so is that information minimized?
>> 
>> Why do we pull out the user’s location as a piece of personally-derived-data of special significance?
> 
> It's pretty well-understood that location/location history is a pretty
> sensitive piece of personal data. Are you questioning that or asking
> us to be sure to not assume the person reading the questionnaire knows
> this?

Ah, no, of course location is sensitive. But mentioning only location seems to put it into a special category, that’s what I am questioning. Is my location really so sensitive it needs to be specially mentioned in this questionnaire, and other sensitive information is not? Look at the privacy panel on iOS: access to my microphone, camera, photos (which have a treasure trove of metadata, let alone the possibilities of face recognition), fitness data, contacts, and so on.

Incidentally, we have a privacy problem with data that is about more than one person. I recently signed up for an online service, and it already knew a lot about me, notably who I knew. Oh? Well, I assume that was because other people had shared their contact database.  A contact record is, of course, about *two* people, and at the moment, only one is asked about the privacy consequences of sharing it. Similarly a photo tells us something about the faces in it.


> 
>> 3. • How should this specification work in the context of a user agent’s "incognito" mode?
>>        • Explanation: Ideally, the feature would work in such a way that the website would not be able to determine that the user was in "incognito". Less ideally, the feature wouldn’t work, but the website still wouldn’t be able to distinguish "incognito" from simply being denied permission to use the feature (for instance). Unideally, the feature wouldn’t exist at all in "incognito", which means that the user wouldn’t be exposing data, but the website can probably tell that the user is in that state.
>>        • Example: Disabling a feature which could out a user when used in "incognito" mode.
>> 
>> 
>> I am not at all sure that I agree that revealing I am ‘incognito’ is always a problem.  I think this might need attention.  The example sentence has some issues, unless we mean by ‘out a user’ that we reveal their sexual preference, which I doubt :-)
>> 
>> 
>> David Singer
>> Manager, Software Standards, Apple Inc.
>> 
>> 
> 
> 
> 
> -- 
> Joseph Lorenzo Hall
> Chief Technologist
> Center for Democracy & Technology
> 1634 I ST NW STE 1100
> Washington DC 20006-4011
> (p) 202-407-8825
> (f) 202-637-0968
> joe@cdt.org
> PGP: https://josephhall.org/gpg-key
> fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871
> 

David Singer
Manager, Software Standards, Apple Inc.
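As an added illustration of the three "incognito" strategies discussed under item 3 above (example code written for this page, not part of the thread, of any W3C specification, or of any browser): a site-side probe classifies what a user agent does with a permission-gated feature, and three mock user agents show why removing the feature outright is detectable while rejecting it with the same error as a user denial is not. `navigator.exampleFeature`, its `request()` method, `NotAllowedError` and the mock user agents are invented stand-ins; real APIs are asynchronous, but the classification logic is the same.

```javascript
// Stand-in for the error a real permission-gated API raises on user denial.
class NotAllowedError extends Error {
  constructor() {
    super('Permission denied');
    this.name = 'NotAllowedError';
  }
}

// Build a mock `navigator` object for one user-agent policy.
//   expose: whether the feature is present on navigator at all
//   grant:  whether request() succeeds (true) or fails like a user denial
// (hypothetical feature name; not a real browser API)
function makeUA({ expose, grant }) {
  const nav = {};
  if (expose) {
    nav.exampleFeature = {
      request() {
        if (grant) return { ok: true };
        throw new NotAllowedError();
      },
    };
  }
  return nav;
}

// Site-side probe: the only signal a page gets is which branch it lands in.
function probeFeature(nav) {
  if (!('exampleFeature' in nav)) return 'feature-absent';
  try {
    nav.exampleFeature.request();
    return 'granted';
  } catch (err) {
    return err.name === 'NotAllowedError' ? 'denied' : 'other-error';
  }
}

// Compare each incognito strategy against the two outcomes a normal
// session can already produce (granted or denied). A strategy leaks
// incognito state exactly when its probe result is one a normal session
// never produces.
function compareStrategies() {
  const normalOutcomes = new Set([
    probeFeature(makeUA({ expose: true, grant: true })),
    probeFeature(makeUA({ expose: true, grant: false })),
  ]);

  // "Ideal": feature works in incognito too (data would be ephemeral).
  const ideal = probeFeature(makeUA({ expose: true, grant: true }));
  // "Less ideal": feature present but behaves exactly like a user denial.
  const hardened = probeFeature(makeUA({ expose: true, grant: false }));
  // "Unideal": feature removed from navigator entirely.
  const removed = probeFeature(makeUA({ expose: false, grant: false }));

  return {
    ideal,
    hardened,
    removed,
    idealLeaksIncognito: !normalOutcomes.has(ideal),
    hardenedLeaksIncognito: !normalOutcomes.has(hardened),
    removedLeaksIncognito: !normalOutcomes.has(removed),
  };
}

module.exports = { NotAllowedError, makeUA, probeFeature, compareStrategies };
```

Note that making the error indistinguishable is necessary but not sufficient: if a normal session shows a prompt and takes seconds to reject while incognito rejects instantly, timing alone still separates the two, so a user agent choosing the "less ideal" strategy also has to match the prompt's latency (or prompt anyway).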

Received on Wednesday, 12 August 2015 16:25:22 UTC