- From: Erin Kenneally <erin@elchemy.org>
- Date: Mon, 11 Oct 2010 15:18:36 -0700
- To: Rigo Wenning <rigo@w3.org>
- CC: Mark Lizar <info@smartspecies.com>, public-privacy@w3.org
On 10/11/10 1:17 PM, Rigo Wenning wrote: > Hi Mark, > > On Monday 11 October 2010 11:04:30 Mark Lizar wrote: >> In this regard maybe some more research and analysis of this issues is >> warranted? What do you think about the idea of tracking the use of MAC >> addresses and submitting a subject access request (or two) to >> organisations that are storing MAC addresses? > This only works for the EU where you have subject access requests. And those > are burdensome. We are techies here, right? What about a subject access API > for web services? I know a lot of privacy advocates would like to have such an > API. indeed, such a capability would go far in forcing accountability to the self-reg regime that predominates the online playing field in the u.s. the ftc does not want to regulate and companies don't want to be regulated, but there continues to be pushback that industry self-regulation is inadequate because it is still largely opaque and is being gamed by many of the entities who benefit from the information asymmetries. implementation of a subject access api would put teeth behind the recent 'pledge': http://www.iab.net/about_the_iab/recent_press_releases/press_release_archive/press_release/pr-100410 >> The challenge (I propose) is to track institutional use of MAC address >> to attempt to find the frequency and occurence of a MAC address in >> databases. What these MAC addresses are being used for, their state >> of storage and transmission. Etc. > I think the challenge is less in finding out evil service behavior. We know > how to track that more or less. Incidents like the one David Singer describes > very often trigger people to look more closely to things. > > What we don't know is the social expectations in our societies and into what > that translates technology wise. Hiding all the risks and tracking like there > is no tomorrow hasn't really helped the Web to gain trust. We have to do more > research on real user expectations and the traps inherent to this social > field. i'd suggest the challenge is a hybrid of the above, ie., knowing the capabilities (the frequency, occurrence AND demographics of the entities that storehouse MAC addys) and social expectations of their USES as it relates to causing injury/damage/harm from a legal perspective. so, for example, people are more concerned about IPA as a secondary identifier/digital fingerprint because it's often the principal evidentiary underpinning in affidavits for search warrants or subpoenas relied upon by private IP owners (e.g., RIAA, John Doe lawsuits) and gov't investigators. so, there's a normative expectation of privacy in that network artifact that hasn't attached to mac addy's because of how IPA is being used to impact people negatively. i think it's just a matter of time before we get there w/ mac addys. perhaps it's helpful to analogize to expectations associated with dna: there was little concern about dna expectation of privacy when our best methods to identify people were based on a/b/o blood group typing ... that changed as pcr or rflp technology enabled that same blood spatter evidence to distinguish individuals to the exclusion of others by anchoring off of the dna in blood. given that diatribe, that's not to say that our laws don't have some evolving to do w/ respect to interpreting privacy harms, but people don't take notice until they suffer tangible harm. /erin -- Erin E. Kenneally, M.F.S., J.D. CEO, Founder eLCHEMY, Inc. 8677 Villa La Jolla Dr., #1133 La Jolla, CA 92037 www.elchemy.org
Received on Tuesday, 12 October 2010 02:01:01 UTC