Re: summary: data retention call from Alan Chapell on 2013-06-04 (public-tracking@w3.org from June 2013)

From: Alan Chapell <achapell@chapellassociates.com>
Date: Tue, 04 Jun 2013 08:08:52 -0400
To: Dan Auerbach <dan@eff.org>, <public-tracking@w3.org>
Message-ID: <CDD34F9C.32362%achapell@chapellassociates.com>
Dan,


As was mentioned a number of times on the call, there are confidentiality
and resource allocation issues associated with the level of detail you are
requesting. And when one of the rationale behind asking for this level of
detail is the hope of offering some sort of consulting services to
companies, I think we're well beyond the scope of the WG.

Best,

Alan  

On 6/3/13 7:33 PM, "Dan Auerbach" <dan@eff.org> wrote:

>Shane,
>
>I disagree, and think that the WG should arrive at reasonable time
>frames to guide companies. To make that as data driven as possible,
>sharing information with the group would of course go a long way,
>especially if the time frames are data driven within a company (for
>example: I would hope that folks in the WG at companies would ask their
>fraud engineers to provide them with hard numbers on how much invalid
>activity gets caught after the ad event happens, broken down in a
>granular way (by minutes, hours, days, say), to arrive at a sensible
>internal retention period).
>
>I disagree that transparency alone will provide incentives to compete on
>retention periods. I don't see a way forward, but I think our respective
>positions on the matter are clear.
>
>Thanks,
>Dan
>
>On 06/03/2013 04:15 PM, Shane Wiley wrote:
>> Dan,
>>
>> Some of us had discussed this in Sunnyvale and we had agreed to always
>>provide transparency so there was no need for an arbitrary retention
>>timeframe in normative text (the "SHOULD" proposed by Aleecia and team).
>> The danger of arbitrary timeframes is that they're not data driven,
>>don't express all online business models, and would likely be defined so
>>low as to not provide any value for most implementers (meaning we'd be
>>back to most everyone providing transparency).  So to short-cut the
>>situation, we've agreed to simply always provide transparency - no
>>matter the timeframe.
>>
>> - Shane
>>
>> -----Original Message-----
>> From: Dan Auerbach [mailto:dan@eff.org]
>> Sent: Monday, June 03, 2013 3:33 PM
>> To: public-tracking@w3.org
>> Subject: Re: summary: data retention call
>>
>> On 06/03/2013 01:49 PM, Thomas Roessler wrote:
>>> We met today to further discuss data retention for permitted uses,
>>>following up on the lunch table discussion in Sunnyvale.
>>>
>>>
>>>
>>> Minutes are available:
>>> 	http://www.w3.org/2013/06/03-dnt-minutes.html
>>>
>>>
>>> 1. Points of general agreement from the face-to-face:
>>>
>>> - third parties must provide public transparency re: retention for
>>> permitted uses
>>> - there could be different retention periods for different Permitted
>>> Uses
>>> - post retention period, data is destroyed or otherwise rendered
>>>anonymous / deidentified / ...
>>> - there is disagreement about a proposal to normatively include
>>> specific numbers
>> It wasn't discussed so much in the meeting, but just to clarify the
>>position that I have (and believe to be Aleecia's position too): we are
>>not suggesting that normative language is used to force retention
>>numbers; instead, the idea is to have guiding numbers with the carve-out
>>that companies who need longer periods need merely to disclose that, and
>>possibly provide a bit of justification in their privacy policies.
>>
>>> There was also agreement in Sunnyvale that data retention for
>>>permitted uses must be proportionate, though I forgot to mention that
>>>point on the call.
>>>
>>>
>>> 2. Transparency for retention periods
>>>
>>> - agreement that disclosures should say "data XYZ is retained for
>>>permitted use UVW for time ABC"
>>> - agreement that the nature of "data XYZ" should be somewhere in the
>>>middle between P3P-type granularity and "we keep data about the user"
>>> - disagreement what that looks like exactly
>>> - disagreement whether data currently shared in privacy policies is
>>> adequate
>>>
>>> As a follow-up item, if people can give a sense what additional data
>>>might be useful (while staying in "middle ground" territory), or what
>>>else they think might be needed to get closer to consensus, then that
>>>would be useful to put on the table.
>>>
>>>
>>> 3. Information sharing within the group
>>>
>>> - Dan Auerbach called out financial logging, audit, security as
>>>permitted uses where he thought more data might be needed; frequency
>>>capping probably ok.
>>> - sentiment from industry participants that they would expect to share
>>> the same data within the group as in public
>>> - Offered W3C staff anonymizing information, or providing a W3C member
>>>confidential forum for additional information sharing.
>>> - General preference for private  1:1 conversations over any of these,
>>>therefore not pursuing further.
>> My preference is for companies to share publicly. But in light of clear
>>signals that this won't happen, I think 1:1 is the only way towards
>>potentially useful information sharing.
>>>
>>> 4. Numbers or not?
>>>
>>> Time was up; we'll reconvene specifically on this pint.
>>>
>>> Thomas Roessler, W3C <tlr@w3.org> (@roessler)
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
Received on Tuesday, 4 June 2013 12:09:33 UTC