RE: Proposed friendly amendments to industry draft

Ed,

'Link' has such a broad definition that it in and of itself is creating some confusion - and this was the same disconnect Rob and I had for some time.  In this context, we're saying that records cannot be reassociated 'to the specific user' but can be linked to one another in a de-identified state.  Meaning I can "link" the events together but I cannot "link" those events to the specific user.

Hopefully that makes more sense.

- Shane
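To make the three states in this thread concrete, the following is an added illustration, not text or code from the W3C list, the DAA draft, or any participant. It models "de-identified but linkable" as a keyed hash of the identifier under a key held under separate controls (the "additional data" in the DAA wording), and "de-identified and de-linked" as dropping that stable pseudonym entirely. The event fields, the key, and the sample events are all constructed for the example; whether a keyed hash meets any particular definition is exactly the question the thread is debating, and the code takes no position on it.

```python
"""Added illustration of the red / yellow / green data states (constructed
example; not from the W3C thread). Field names, key and events are assumed."""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample: the "red" state, fully identifiable events.
RED_EVENTS = [
    {"user_id": "alice@example.com", "site": "news.example", "ts": 1373392800},
    {"user_id": "alice@example.com", "site": "shop.example", "ts": 1373393100},
    {"user_id": "bob@example.com",   "site": "news.example", "ts": 1373393400},
]


def pseudonym(user_id: str, key: bytes) -> str:
    """Keyed hash of the identifier. The key is the 'additional data' that
    must sit under separate technical and organizational controls; without
    it a pseudonym cannot be reversed or even checked against a guess."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def to_yellow(events, key):
    """Yellow state: de-identified but linkable. Every event carries a stable
    pseudonym, so one user's events can be linked to one another, but the
    identifier itself no longer appears in the record."""
    return [{"pseudonym": pseudonym(e["user_id"], key),
             "site": e["site"], "ts": e["ts"]} for e in events]


def link(events, id_field):
    """Linkability check: group events by whatever identifier they carry."""
    groups = defaultdict(list)
    for e in events:
        groups[e[id_field]].append(e["site"])
    return dict(groups)


def reidentify(target_pseudonym, candidate_ids, key):
    """Why yellow is still in scope: whoever holds the key can re-associate a
    pseudonym with a user by recomputing it over candidate identifiers.
    Without the key (or with the wrong one) this returns None."""
    for uid in candidate_ids:
        if hmac.compare_digest(pseudonym(uid, key), target_pseudonym):
            return uid
    return None


def to_green(events):
    """Green state: de-identified and de-linked. The stable pseudonym is
    replaced by a fresh random token per event and the timestamp is coarsened
    to the hour, so events can no longer be grouped by user at all."""
    return [{"token": secrets.token_hex(8),
             "site": e["site"], "ts": e["ts"] - e["ts"] % 3600} for e in events]


if __name__ == "__main__":
    key = b"separately-controlled-key"   # assumed; held by a different team
    yellow = to_yellow(RED_EVENTS, key)
    print("yellow, grouped by pseudonym:", link(yellow, "pseudonym"))
    print("with the key, re-associated:",
          reidentify(yellow[0]["pseudonym"], ["bob@example.com", "alice@example.com"], key))
    print("green, grouped by token:", link(to_green(yellow), "token"))
```

Running it shows the asymmetry Shane's message describes: in the yellow output Alice's two site visits land in one group, so the events are linked to each other, while the raw identifier is absent; only a holder of the key can turn the pseudonym back into "alice@example.com". After `to_green` every event sits in its own group and no key anywhere can regroup them.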

From: Edward W. Felten [mailto:felten@cs.princeton.edu]
Sent: Tuesday, July 09, 2013 10:45 AM
To: Shane Wiley
Cc: Rob van Eijk; David Singer; public-tracking@w3.org WG
Subject: Re: Proposed friendly amendments to industry draft

The DAA text says that "deidentified" means that data "cannot reasonably be re-associated or connected to a specific user, computer, or device..."    I can't see how to reconcile this with the idea that the same data would be considered "de-identified but linkable".

How can data be "associated or connected to a specific user" but at the same time not be "linkable"?


On Tue, Jul 9, 2013 at 1:18 PM, Shane Wiley <wileys@yahoo-inc.com> wrote:
I disagree with this naming change as much of the data in the "red" zone may also be considered to be "pseudonymized".  What is critical to this conversation are definitions associated with the terms being used.

If the definition of IDENTIFICATION is: an act of identifying : the state of being identified -OR- b : evidence of identity (Merriam-Webster's), then deidentification would be the opposite of this.  Or plainly - removing "evidence of identity".  While there are many ways to remove evidence of identity, I'll continue to argue the removal of operational "linkability" from identifiers meets this definition as well (as the "evidence" of the actual user/device identity has been removed).

Red State:  Data is fully identifiable (Limited Permitted Uses only - retention rates should be short)
Yellow State:  Data is de-identified but linkable (Permitted Uses only - singular utility is analytics)
Green State:  Data is de-identified and de-linked (any use)

When you further layer these concepts into the definition of TRACKING, basically the pairing of a unique ID with non-affiliated site URLs, you create the foundation for the presentation I distributed to the group 2 weeks ago.

We're disagreeing on the term "de-identification" I believe more because some are still attached to the notion that de-identified data in and of itself is outside the scope of DNT.  This is incorrect in the new construct and only the combination of de-identification with de-linking reaches the bar of moving outside the scope of DNT.

I hope this is clearer.  For those that don't agree with this use of de-identification, could you please articulate what real-world use or loophole you feel this creates?  If we've appropriately contained the collection and use of data in the standard, then I'm not seeing a way to game the system (which I believe you somehow see something here that I don't).

Thank you,
Shane


From: Rob van Eijk [mailto:rob@blaeu.com]
Sent: Tuesday, July 09, 2013 9:51 AM
To: David Singer; public-tracking@w3.org WG
Subject: Re: Proposed friendly amendments to industry draft


David,
I support the proposed change of wording.

s/de-identified/pseudonymized/
AND
s/de-linked/de-identified/

Rob

David Singer <singer@apple.com> wrote:

On Jul 9, 2013, at 17:18, Rob van Eijk <rob@blaeu.com> wrote:

I am considering to formally object to the term de-identified in the DAA proposal.

The reasoning is that it has been used as synonym with 'the data it is not about a person anymore'. We need another word.

or we need to use de-identified in the way that it is commonly used?  do we need more than one term?

If we do, I'd rather use a new term for data that is identifiable but that takes some work (or access to keys) to be so, such as pseudonymized.

So, in the DAA text, I'd change:

de-identifed (where it is defined) to pseudonymized
de-linked (where it is defined) to de-identified

and leave the requirement that data must be de-identified (in the strong sense) to be out of scope.

I am proposing to simply use the term linkable.

Rob


"Israel, Susan" <Susan_Israel@Comcast.com> wrote:

his document and how they may be used elsewhere, it may help to introduce the definitions by saying, "For purposes of this specification, ...."

Substantive:  To clarify one of the differences between the de-identified and de-linked categories as I understand them, it may be helpful to add language that indicates that the de-identified category permits reliance on operational controls in addition to technical controls, which I believe is consistent with the ideas Thomas Schauf presented.

Thus, the definition would read, "Data is de-identified when a party

1. has taken reasonable steps to ensure that the data cannot be reasonably re-associated or connected to a specific user, computer, or device without the use of additional data that is subject to separate and distinct technical and organizational controls to ensure such non-attribution, or when such attribution would require a disproportionate amount of time, expense and effort; ...."


I also support adding the audience measurement language that has been discussed and revised with several participants and submitted by Esomar to the permitted uses section, 5.2.


Susan Israel
Comcast Cable
215.286.3239
215.767.3926 mobile
917.934.1044 NY
susan_israel@comcast.com

This message and any attachments to it may contain PRIVILEGED AND CONFIDENTIAL ATTORNEY-CLIENT INFORMATION AND/OR ATTORNEY WORK PRODUCT exclusively for intended recipients. Please DO NOT FORWARD OR DISTRIBUTE to anyone else. If you are not an intended recipient, please contact the sender to report the error and then delete all copies of this message from your system.

David Singer
Multimedia and Software Standards, Apple Inc.

--
Edward W. Felten
Professor of Computer Science and Public Affairs
Director, Center for Information Technology Policy
Princeton University
609-258-5906           http://www.cs.princeton.edu/~felten

Received on Tuesday, 9 July 2013 17:58:51 UTC