W3C home > Mailing lists > Public > public-tracking@w3.org > September 2013

Re: updating Compliance doc with graduated response

From: John Simpson <john@consumerwatchdog.org>
Date: Tue, 24 Sep 2013 15:04:50 -0700
Cc: David Singer <singer@apple.com>, Shane M Wiley <wileys@yahoo-inc.com>, "public-tracking@w3.org List" <public-tracking@w3.org>
Message-Id: <3507D6E8-2008-49D9-B2F5-29B15DB6A69B@consumerwatchdog.org>
To: Nicholas Doty <npdoty@w3.org>
Colleagues,

Alas, I think this chain demonstrates the futility of ever reaching consensus…

Regards,
John

On Sep 24, 2013, at 2:58 PM, Nicholas Doty <npdoty@w3.org> wrote:

> On September 23, 2013, at 7:00 PM, David Singer <singer@apple.com> wrote:
>> On Sep 23, 2013, at 18:39 , Shane M Wiley <wileys@yahoo-inc.com> wrote:
>> 
>>> I object to this being added.  New Issue?  
>>> 
>>> 'Graduated Response' is not a viable approach to Security.  While I appreciate how this approach sounds perfectly acceptable from a logical perspective, in practice this doesn't work.  This was highlighted during the Sunnyvale face-to-face where the "security expert" agreed that attempting to collect more data from a user over time would likely tip off the suspected bad actor that they were being tracked in a differentiated manner - something you would not want to as they would quickly change tactics - creating another security risk/channel.
>>> 
>>> I've attempted to convey our security experts views in this area and thought the Sunnyvale session clearly demonstrated there is little value to this approach and creates a false expectation by placing this in the Compliance and Scope document.  More than happy to continue documenting though and have true security experts provide this feedback to the group.
>> 
>> We probably need to debate this more (sadly) but the "when feasible" introduction does seem to allow your experts some…latitude.
> 
> I don't see the need for additional debate on the presence of non-normative text -- I was sending it around just so that the editors could update the text with the group decision -- but it's true that this is written (by Ian Fette, then revised by Roy Fielding and also proposed by John Simpson) specifically to allow latitude for use cases where a graduated response wouldn't make sense: both "when feasible" and "is preferred" are to that point. I believe the group supported it in part because as non-normative text it didn't add any requirements that might conflict with Shane's use case. While some preferred having a normative requirement and some preferred no mention at all, everyone on the call (2013-07-17 [0]) could live with the non-normative description.
> 
> There is an open issue and set of change proposals on security, focused on the normative text:
> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Security
> http://www.w3.org/2011/tracking-protection/track/issues/24
> 
> Thanks,
> Nick
> 
> [0] http://www.w3.org/2013/07/17-dnt-minutes#item01
Received on Tuesday, 24 September 2013 22:05:19 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:18 UTC