
Re: New Research on Protocol Information (ISSUE-16, ISSUE-19)

From: Matthias Schunter <mts@zurich.ibm.com>
Date: Wed, 08 Feb 2012 17:48:32 +0100
Message-ID: <4F32A760.2060802@zurich.ibm.com>
To: public-tracking@w3.org

Hi Jonathan,

some of my (more academic) thoughts on privacy-enhancing technologies...

If viewed from an academic privacy angle (the trust model underlying
Chaum's original privacy work), users should never be required to trust
anyone else to achieve/protect their privacy.

While this model is useful and appropriate in many cases and is OK to
pursue as the ideal goal, I believe it is not what we want to achieve
using DNT:

If protocols satisfy this trust model (i.e., users can self-protect),
then no DNT would be needed anymore: Why send signals to untrusted
parties that will not honor it in any case?

Overall, DNT aims at finding the right mix between privacy
improvement, efficient implementability by sites, and ideally also
some verifiability by end users (i.e., at least regulators may detect
misbehavior).

From my perspective, our goals are to
- substantially improve privacy for the end-user sending DNT;1
- provide a standard that is implementable by all web-sites at low cost
- not break essential functionalities
   (Note: do not reply to this goal : Exception discussion is
elsewhere ;-)
- satisfy key regulatory requirements

I am confident that this will lead to
- Wide adoption/support by industry and end users
- Incentives (not requirement) for additional novel privacy enhancing
technologies

Note that I do not believe that a solution that aims at completely
preventing tracking by malicious sites (under DNT;1) will achieve
these objectives.

Some interesting questions I see are:
- What are the right exceptions (discussed elsewhere)
- Example implementation guidance for exceptions that illustrate
  how they can easily be addressed using today's technology
  (e.g., statements like "if you do not store anything, then you're
fine").
- How to ensure enforcement by regulators, i.e.,
  how can one determine whether a site follows the required practices?
- How can one encourage privacy-enhancing technologies without
requiring them?


Regards,

On 2/8/2012 3:52 PM, Shane Wiley wrote:
> Rigo,
> 
> I appreciate the desire for the working group to solve all privacy issues in a single pass but would suggest an attempt to solve the age-old debate of "when is 'anonymous' anonymous enough?" is outside of the scope of this working group.  Many local laws already take positions on this topic and I suggest we allow this discussion to evolve separately from the efforts of this working group.
> 
> - Shane
> 
> -----Original Message-----
> From: Rigo Wenning [mailto:rigo@w3.org] 
> Sent: Wednesday, February 08, 2012 1:37 AM
> To: public-tracking@w3.org
> Cc: Jonathan Mayer
> Subject: Re: New Research on Protocol Information (ISSUE-16, ISSUE-19)
> 
> On Tuesday 07 February 2012 16:30:32 Jonathan Mayer wrote:
>> The paper also finds that scrubbing the last octet from an IP address may do
>> little to mitigate tracking.
> 
> From a scientific point of view, this was already acquired as a fact in our 
> discussions around P3P in 2001. I'm pretty sure that Matthias can find some 
> paper from long time ago that already addresses this issue.
> 
> This raises the question of how anonymous is anonymization. While being 
> interesting from a scientific point of view, this may be dangerous for our 
> considerations here as it will push us into the anonymity arms race. As this 
> is a moving target, it is hard to lay down something in the specification. 
> 
> My suggestion would be that the group:
> 
> 1/ Recognizes that just removing the last octet of an IP address is NOT 
> sufficient for anonymization or even pseudonymization.
> 
> 2/ Discusses what is "good enough" for the risk we are trying to tackle, risk 
> being one of the following: consumer protection and dangers for democracy 
> (have to be made more concrete in the discussion)
> 
> I don't think a burdensome re-identification of a single person like in a law 
> enforcement scenario is our attacking scenario, but rather mass information 
> processing to find opinions and predict and influence people in an undue and 
> dangerous way or amass sufficient information that others could abuse the 
> amassed information for undue and dangerous purposes.
> 
> Best, 
> 
> Rigo
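The quoted exchange above states that removing the last octet of an IP address is not sufficient for anonymization. The following Python is an added illustration of why, not part of the original thread and not code from any of the participants or from the cited paper: it applies the last-octet scrub to a small set of constructed log records and then measures the result with a k-anonymity count (the size of the group of records sharing the same quasi-identifier). The records, User-Agent strings and addresses are constructed sample data from documentation ranges, not real traffic.

```python
"""Measure how much anonymity zeroing the last IPv4 octet actually buys.

Added example for the public-tracking thread on ISSUE-16/ISSUE-19; the
sample records below are constructed, not captured traffic.
"""
import ipaddress
from collections import Counter

# Constructed sample log records: (client IP, User-Agent). Addresses come
# from the RFC 5737 documentation ranges; UA strings are illustrative.
SAMPLE_RECORDS = [
    ("203.0.113.17", "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"),
    ("203.0.113.42", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7) Safari/534.52"),
    ("203.0.113.99", "Mozilla/5.0 (X11; Linux x86_64) Chrome/17.0"),
    ("198.51.100.8", "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"),
    ("198.51.100.9", "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"),
    ("198.51.100.200", "Mozilla/5.0 (iPhone; CPU iPhone OS 5_0) Mobile/9A334"),
    ("192.0.2.5", "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"),
    ("192.0.2.130", "Mozilla/5.0 (Windows NT 6.1) Firefox/10.0"),
]


def scrub_last_octet(ip: str) -> str:
    """Zero the host octet, i.e. keep only the /24 prefix.

    203.0.113.77 -> 203.0.113.0
    """
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return str(net.network_address)


def anonymity_groups(records, scrub=True, use_user_agent=True):
    """Group records by quasi-identifier and return {identifier: k}.

    k is the number of records that share the identifier; a record in a
    group with k == 1 is still uniquely distinguishable after scrubbing.
    """
    def key(record):
        ip, user_agent = record
        ip_part = scrub_last_octet(ip) if scrub else ip
        return (ip_part, user_agent) if use_user_agent else (ip_part,)

    return Counter(key(r) for r in records)


def fraction_unique(records, scrub=True, use_user_agent=True):
    """Share of records whose quasi-identifier occurs exactly once."""
    groups = anonymity_groups(records, scrub, use_user_agent)
    singletons = sum(1 for k in groups.values() if k == 1)
    return singletons / len(records)


def min_k(records, scrub=True, use_user_agent=True):
    """Smallest group size: the k of the weakest-protected record."""
    return min(anonymity_groups(records, scrub, use_user_agent).values())


if __name__ == "__main__":
    # Looking at the IP column alone, the scrub seems to work: no record
    # is unique and every group has at least two members.
    print("IP only, scrubbed:      unique share =",
          fraction_unique(SAMPLE_RECORDS, scrub=True, use_user_agent=False),
          "min k =", min_k(SAMPLE_RECORDS, scrub=True, use_user_agent=False))
    # Joined with one ordinary header, half the records are unique again.
    print("IP/24 + User-Agent:     unique share =",
          fraction_unique(SAMPLE_RECORDS, scrub=True),
          "min k =", min_k(SAMPLE_RECORDS, scrub=True))
    print("Full IP + User-Agent:   unique share =",
          fraction_unique(SAMPLE_RECORDS, scrub=False))
```

The design point is that the check has to be run over the quasi-identifier a site actually retains, not over the scrubbed column in isolation: in the constructed set the /24 prefix alone never singles anyone out (minimum k of 2), yet the prefix together with the User-Agent still leaves half of the records in groups of one, which is the sense in which the scrub "may do little to mitigate tracking".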
Received on Wednesday, 8 February 2012 16:55:35 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:44:44 UTC