Re: ACTION-408 - security & fraud proposed text - Section 6.2. from John Simpson on 2013-06-13 (public-tracking@w3.org from June 2013)

From: John Simpson <john@consumerwatchdog.org>
Date: Wed, 12 Jun 2013 18:18:53 -0700
To: "Roy T. Fielding" <fielding@gbiv.com>
Cc: W3C DNT Working Group Mailing List <public-tracking@w3.org>
Message-Id: <1ED3422A-4E23-473C-ABFB-2CF7F8EE1D42@consumerwatchdog.org>
I must say I agree with Roy's take here.  What is wrong with the language on security and fraud that is in the April 29 Public Working Draft?  I though the outstanding issue was around graduated response and I don't see how any of the new text addresses that…

On Jun 12, 2013, at 4:37 PM, Roy T. Fielding <fielding@gbiv.com> wrote:

> While I appreciate that some folks are actually making good on their
> action items, these proposed texts are not an improvement over what
> has already been published in the compliance spec WD:
> 
> http://www.w3.org/TR/2013/WD-tracking-compliance-20130430/#security
> 
> and for which the only open concern I am aware of is the last sentence
> that requires a definition of graduated response, for which we had an
> apparent agreement at the F2F to adopt Ian's proposed definition.
> 
> So, why are we even talking about this?  What exactly do you object
> to in the text that is in the WD?
> 
> [I am ignoring the June draft, at the moment, since it has almost
> the same text as the WD except the section numbering is gone and the
> first sentence has been reversed in a way that makes it harder to
> read.]
> 
> ....Roy
> 
> On Jun 12, 2013, at 12:33 PM, Dan Auerbach wrote:
> 
>> We largely agree but Chris's text was not agreed to be the version we sent out. But here's my version, which I think is more precise, appropriately tailored, and less verbose:
>> 
>> 6.2.2.6 Detection and Prevention of Malicious or Invalid Activity
>> 
>> Information may be collected, retained and used to the extent reasonably necessary for detecting and preventing malicious or invalid activity. Information related to malicious or invalid activity may furthermore be retained if necessary for particular civil actions being pursued, or for particular criminal investigations that are in process. This information may be used to alter the user's experience in order to reasonably keep a service secure or prevent malicious or invalid activity. 
>> 
>> The term "malicious or invalid activity" means: 
>>     (a) invalid Web traffic (for instance bot activity generating impressions or clicks), 
>>     (b) bogus, malicious or automated sign ups or form submissions, 
>>     (c) attacks intended to disrupt the availability of a service, 
>>     (d) malicious intrusions into corporate networks, 
>>     (e) fraud prevention, or 
>>     (f) abuse of a service in a way that harms the integrity or security of a service or the security of the users of a service.
>> 
>> On 06/12/2013 09:17 AM, Chris Mejia wrote:
>>> David Wainberg, Dan Auerbach and I worked on this draft text.  I'm submitting it now for consideration by the wider group, as there were only small gaps between Dan and our text proposals.
>>> 
>>> --
>>> 
>>> 6.2.2.6 Detection, Prevention or Prosecution of Malicious, Nefarious or Invalid Activity
>>>  
>>> Data may be collected, retained and used to the extent reasonably necessary for detecting and/or preventing malicious, nefarious or disingenuous activity. Additionally,                 data related to malicious, nefarious or disingenuous activity may be retained when reasonably necessary to support civil or criminal prosecution of parties that conduct, support or perpetuate malicious, nefarious or disingenuous activity. This data may also be used to alter the user's experience in order to preserve or bolster the security of a site/service/user(s), or to prevent malicious, nefarious or disingenuous activity. 
>>>  
>>> The term "malicious, nefarious or disingenuous activity" means: 
>>>     (a) disingenuous Web traffic/server requests (for example: non-human activity generating bogus server requests, ad-impressions or clicks);
>>>     (b) bogus, malicious, automated or non-human Web-form submissions;
>>>     (c) attacks intended to disrupt a site, service or user experience;
>>>     (d) malicious or nefarious intrusions, or attempts to intrude into private or corporate networks;
>>>     (e) fraudulent activity, including any activity that's purpose is to defraud a site, service or users of a site or service;
>>>     (f) any activity that's reasonably determined to abuse, or attempts to abuse a site/service/user in any way.
>>> 
>>> 
>> 
>
Received on Thursday, 13 June 2013 01:26:30 UTC