
Re: Results from Privacy review of Presentations API using Privacy Questionnaire. (Wall of text warning!)

From: David Singer <singer@apple.com>
Date: Fri, 18 Sep 2015 14:11:44 -0700
Cc: Christine Runnegar <runnegar@isoc.org>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-id: <D7770C88-7593-480B-88C4-08EB01F653CC@apple.com>
To: Joseph Lorenzo Hall <joe@cdt.org>
Hi Joe, all

I think the problem is that we’re asking a question about an effect, rather than the data; and that we’re mixing two privacy concerns:
* can the data be used to identify me? (potentially ‘identifying me’ when I want to be anonymous)
* if I am identified, is it revealing something about me? (a potential breach of my privacy)

I don’t care at all about the former in some cases (e.g. in a shopping site where I am about to login anyway) and not much about the latter if the former keeps me anonymous.

Maybe we need to ask ‘lower level’ questions.

* Where on the spectrum between being a permanent characteristic of the subject (e.g. their gender, a hereditary characteristic) and transient (e.g. the current location of the subject) does the data fall? (e.g. their current home address is rather closer to the former than the latter).

* Where on the spectrum between being fairly insensitive (e.g. gender, purchase of a pencil) and sensitive (e.g. a current medical condition, purchase of a weapon) does the data item lie?

* Is the data likely to enable identifying the person, possibly in combination with other data (e.g. gender, birthdate, home zip code)? i.e. is it something that might be looked up?

These are pretty orthogonal. My blood type is permanent, fairly sensitive, but not easily looked up. My zip code is formally transient, not terribly sensitive, but easily looked up.  And so on.

(I may have missed some axes).




On Sep 18, 2015, at 13:02 , Joseph Lorenzo Hall <joe@cdt.org> wrote:
> 
> 
> On Fri, Sep 18, 2015 at 3:37 PM, David Singer <singer@apple.com> wrote:
>> 
>>>>             • Does the data record contain elements that would enable re-correlation when combined with other datasets through the property of intersection?
>>>>                     • No (just audio/video)
>>>> This seems like a hard question... on the one hand, if a "face" is enough from which to derive a facial pattern that you can correlate with other databases of facial patterns, then the answer would seem to be yes (although I don't know of any public databases of facial biometrics). Maybe there's a better way to get at what this question wants to get at? Does anyone remember what the impetus for this question is? or can we think of examples in a spec that we'd definitely want to catch with this question?
>> 
>> Yes.  Isn’t this getting at the problem that if I know someone’s gender, birthday, zip-code and one other datum (I forget what), I can almost certainly identify them, even though any one of these looks innocuous?
> 
> The US-based privacy law academic community would refer to this as
> "the mosaic theory" (that any one datum is not revealing but in
> concert more than one can be quite revealing). Sweeney [1] published
> the first analysis that revealed the power of the gender, birthday,
> and zip code three-tuple using 1990 US census data, although Golle [2]
> updated that and found that in ten years it had become less uniquely
> identifying (presumably because of increased urban concentration of
> the US population?). I don't think anyone has repeated the analysis
> with 2010 US census data, which would be cool.
> 
> But I digress!
> 
> I'm having a hard time thinking of ways to make this particular
> question easier for a spec-author to handle (and for us to evaluate)
> without potentially losing important privacy thinking we or they
> should do in the process. Hmmmm...
> 
> best, Joe
> 
> [1]: http://dataprivacylab.org/projects/identifiability/paper1.pdf
> [2]: https://crypto.stanford.edu/~pgolle/papers/census.pdf
> 
> -- 
> Joseph Lorenzo Hall
> Chief Technologist
> Center for Democracy & Technology
> 1634 I ST NW STE 1100
> Washington DC 20006-4011
> (p) 202-407-8825
> (f) 202-637-0968
> joe@cdt.org
> PGP: https://josephhall.org/gpg-key
> fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

David Singer
Manager, Software Standards, Apple Inc.
Received on Friday, 18 September 2015 21:12:14 UTC
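The quasi-identifier re-identification that the thread describes (gender, birthdate and ZIP code looking innocuous on their own but uniquely identifying in combination, and the generalisation Sweeney used to counter it) can be made concrete with a small k-anonymity check. The following is an added example, not code from the thread or from either author; the eight records, the attacker's "known" tuple and the helper names (`quasi_id`, `k_anonymity`, `mosaic_table`, `linkage_attack`) are all constructed for illustration and are not drawn from any real dataset.

```python
"""Added example (not from the original thread or its authors): a small
k-anonymity / linkage check over the gender + birthdate + ZIP quasi-identifier
discussed above. All records below are constructed for illustration."""
from collections import Counter
from itertools import combinations

ATTRS = ("gender", "birthdate", "zip")

# Constructed records: (gender, birthdate YYYY-MM-DD, 5-digit ZIP). Not real data.
SAMPLE_RECORDS = [
    ("F", "1980-03-14", "02138"),
    ("F", "1980-03-14", "02138"),  # shares its full tuple with the record above
    ("M", "1980-03-14", "02138"),
    ("M", "1980-09-01", "02139"),
    ("F", "1975-11-02", "02139"),
    ("F", "1975-05-20", "02140"),
    ("M", "1992-07-30", "02139"),
    ("M", "1992-07-31", "02140"),
]


def quasi_id(record, attrs=ATTRS, zip_digits=5, date_parts=3):
    """Project a record onto the chosen quasi-identifier attributes, with
    optional generalisation: keep only `zip_digits` leading ZIP digits and the
    first `date_parts` fields of the birthdate (3 = full date, 1 = year only)."""
    gender, birthdate, zipcode = record
    values = {
        "gender": gender,
        "birthdate": "-".join(birthdate.split("-")[:date_parts]),
        "zip": zipcode[:zip_digits],
    }
    return tuple(values[a] for a in attrs)


def equivalence_classes(records, **kw):
    """Count how many records share each (generalised) quasi-identifier."""
    return Counter(quasi_id(r, **kw) for r in records)


def k_anonymity(records, **kw):
    """Smallest class size; k == 1 means somebody is uniquely identifiable."""
    return min(equivalence_classes(records, **kw).values())


def unique_fraction(records, **kw):
    """Share of records whose quasi-identifier is unique in the dataset."""
    classes = equivalence_classes(records, **kw)
    return sum(1 for r in records if classes[quasi_id(r, **kw)] == 1) / len(records)


def mosaic_table(records):
    """Unique fraction for every non-empty subset of ATTRS: shows how
    individually innocuous attributes become identifying in combination."""
    return {
        attrs: unique_fraction(records, attrs=attrs)
        for n in range(1, len(ATTRS) + 1)
        for attrs in combinations(ATTRS, n)
    }


def linkage_attack(known, records, **kw):
    """Records matching a quasi-identifier learned from another dataset
    (e.g. a voter roll). Exactly one candidate is a re-identification."""
    target = quasi_id(known, **kw)
    return [r for r in records if quasi_id(r, **kw) == target]


if __name__ == "__main__":
    for attrs, frac in mosaic_table(SAMPLE_RECORDS).items():
        print(f"{'+'.join(attrs):<22} unique: {frac:.2f}")
    print("k (full tuple):        ", k_anonymity(SAMPLE_RECORDS))
    print("k (ZIP3 + birth year): ", k_anonymity(SAMPLE_RECORDS, zip_digits=3, date_parts=1))
    # Constructed: the tuple an attacker learned about one person elsewhere.
    known = ("M", "1992-07-30", "02139")
    print("linkage, full tuple:   ", linkage_attack(known, SAMPLE_RECORDS))
    print("linkage, generalised:  ",
          linkage_attack(known, SAMPLE_RECORDS, zip_digits=3, date_parts=1))
```

On the constructed records, gender alone and ZIP alone single out nobody, while the full three-tuple makes six of eight records unique (k = 1); generalising to a three-digit ZIP prefix and birth year raises k to 2 and turns the attacker's exact match into two candidates. On real census-scale data the numbers differ, but the shape of the argument, and the reason a spec reviewer asks the "intersection" question, is the same.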