Re: questionnaire feedback (was Re: Save the date - PING at IETF - Thursday 23 July)

> On Aug 12, 2015, at 5:45 , Joseph Lorenzo Hall <joe@cdt.org> wrote:
> 
> Hi David, text suggestions to get discussion going are always
> welcome... I think the first and third thing here could be dealt with
> rather nicely by some suggested text, if you have the time. As for the
> second...
> 
> On Wed, Aug 5, 2015 at 4:05 PM, David Singer <singer@apple.com> wrote:
>> some questions about the questionnaire. <https://www.w3.org/wiki/Privacy_and_security_questionnaire>
>> 
>> 1. Does this specification deal with personally derived data?
>>        • Explanation: Personal data includes a large swath of data which could be used on its own, or in combination with other information, to identify a single person. The exact definition of what’s considered “personal information” varies, but could certainly include things like a home address, an email address, birthdates, usernames, fingerprints, video recordings, audio recordings, geographic location or any other information derived from a person.
>> 
>> 
>> Um, there are TWO issues here:  (a) can the data be used to identify someone and (b) if the person is or can be identified, is the data revealing something about them?  The latter doesn’t seem addressed.
>> 
>> In general, even innocuous pieces of personally-derived data may become significantly less so when combined with other data.  For example, if you get access to my location, you may learn that I am in a hotel room.  That seems fairly innocuous.  Separately you may learn my home city, which also may be fairly innocuous. But when you realize that the hotel is in my own city, and it’s the middle of the day in that time zone, you might be a teensy bit suspicious…

OK, changed

Personal data includes a large swath of data which could be used on its own, or in combination with other information, to identify a single person. The exact definition of what’s considered “personal information” varies, but could certainly include things like a home address, an email address, birthdates, usernames, fingerprints, video recordings, audio recordings, geographic location or any other information derived from a person. 

to

#*Explanation: If the person involved in the transaction was not previously identifiable, Personally Derived Data includes a large swath of data which could be used on its own, or in combination with other information, to identify them. The exact definition of what’s considered “personal information” varies, but could certainly include things like a home address, an email address, birthdates, usernames, fingerprints, video recordings, audio recordings, geographic location or any other information derived from a person. If the person is already identifiable, personally derived data might become more significant when combined with other data (including general data such as the time of day where the transaction is happening, or personally derived data), enabling inferences to be drawn about the person involved.

>> 
>> 
>> 
>> 2. Does this specification allow an origin access to a user’s location, and if so is that information minimized?
>> 
>> Why do we pull out the user’s location as a piece of personally-derived-data of special significance?
> 
> It's pretty well-understood that location/location history is a pretty
> sensitive piece of personal data. Are you questioning that or asking
> us to be sure to not assume the person reading the questionnaire knows
> this?

I didn’t touch this.  I note that converting an IP address into a location is a well-known technique…

> 
>> 3. How should this specification work in the context of a user agent’s "incognito" mode?
>>    • Explanation: Ideally, the feature would work in such a way that the website would not be able to determine that the user was in "incognito". Less ideally, the feature wouldn’t work, but the website still wouldn’t be able to distinguish "incognito" from simply being denied permission to use the feature (for instance). Unideally, the feature wouldn’t exist at all in "incognito", which means that the user wouldn’t be exposing data, but the website can probably tell that the user is in that state.
>>    • Example: Disabling a feature which could out a user when used in "incognito" mode.
>> 
>> 
>> I am not at all sure that I agree that revealing I am ‘incognito’ is always a problem.  I think this might need attention.  The example sentence has some issues, unless we mean by ‘out a user’ that we reveal their sexual preference, which I doubt :-)

changed to

#How should this specification work in the context of a user agent’s "incognito" mode?
#*Explanation: At the moment, sites are not told when the user is in "incognito" mode. Ideally, the feature would work in such a way that the website would not be able to determine that the user was in "incognito" mode, as this reveals that the user might consider their interaction sensitive. Less ideally, the feature wouldn’t work, but the website still wouldn’t be able to distinguish "incognito" from simply being denied permission to use the feature (for instance). Unideally, the feature wouldn’t exist at all in "incognito", which means that the user wouldn’t be exposing data, but the website can probably tell that the user is in that state. (The question of whether websites could be aware of, and hence offer to respect, "incognito" mode is a matter of current discussion.)
#*Example: Disabling a feature which could reveal that the user is in "incognito" mode.
>> 
>> 
>> David Singer
>> Manager, Software Standards, Apple Inc.
>> 
>> 
> 
> 
> 
> -- 
> Joseph Lorenzo Hall
> Chief Technologist
> Center for Democracy & Technology
> 1634 I ST NW STE 1100
> Washington DC 20006-4011
> (p) 202-407-8825
> (f) 202-637-0968
> joe@cdt.org
> PGP: https://josephhall.org/gpg-key
> fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

David Singer
Manager, Software Standards, Apple Inc.

Received on Monday, 17 August 2015 18:26:54 UTC