Re: list of questions raised during ambient light privacy review from Karima Boudaoud on 2013-04-25 (public-privacy@w3.org from April to June 2013)

From: Karima Boudaoud <karima@polytech.unice.fr>
Date: Thu, 25 Apr 2013 14:08:19 +0200
To: Christine Runnegar <runnegar@isoc.org>
Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
Message-Id: <8170C8E6-E194-4827-A6A6-F98B956928D6@polytech.unice.fr>
Hi Christine,

> This will be very useful for the privacy guidance documents.
>
> I'll have a go at putting the questions on the wiki (unless there is  
> a kind volunteer willing to help me with this, please!).

I can help you. I will try to do it before the teleconference if I can.

Best regards

Karima

> In the meantime, please continue to add your suggested questions to  
> this thread.
>
> Christine
>
> On Apr 22, 2013, at 11:47 AM, Robin Wilton wrote:
>
>> Nick -
>>
>> That's excellent, thank you!
>>
>> I have one addition to suggest (something that occurred to me more  
>> recently than the discussion). It relates to two already-identified  
>> risks:
>>
>>>
>>> * What other data could this record be correlated with? (e.g. the  
>>> ISP)
>>> 	[dsinger]
>>>
>>> * If you had large amounts of this data about one person, what  
>>> conclusions would it enable you to draw? (e.g. maybe you could  
>>> estimate location from many ambient light events by estimating  
>>> latitude and longitude from the times of sunrise and sunset)
>>> 	[dsinger, tonyr]
>>
>> The additional use-case I thought of has to do with what happens if  
>> you're able to correlate the ambient light events from two discrete  
>> devices. If they show the same event profile, you might infer that  
>> the two devices are co-located. That represents two kinds of  
>> privacy risk: (1) that you can infer that two people are (or were)  
>> co-located at a given time, and (2) that you can frustrate an  
>> individual's attempts to maintain separation of two  
>> "personas" (say, Home and Work) by having a dedicated device for  
>> each.
>>
>> Hope this is useful -
>>
>> Robin
>>
>>
>> Robin Wilton
>> Technical Outreach Director - Identity and Privacy
>> Internet Society
>>
>> email: wilton@isoc.org
>> Phone: +44 705 005 2931
>> Twitter: @futureidentity
>>
>>
>>
>>
>> On 20 Apr 2013, at 04:34, Nicholas Doty wrote:
>>
>>> Robin W. and others raised the point that it might be useful to  
>>> consolidate the questions that different reviewers asked during  
>>> privacy reviews of the Ambient Light API. I've tried to extract  
>>> that list from those threads and included my results below (and  
>>> marked the people that mentioned a question in [brackets]).
>>>
>>> I do not yet believe that all of these questions must be asked/ 
>>> answered regarding every Web spec or API, that this list is  
>>> exhaustive or usefully framed. But I think it might be a nice  
>>> starting point. As Frank D. has noted, checklists are often a good  
>>> first step towards systematic reviews.
>>>
>>> * can the information be used (alone or in combination with other  
>>> APIs / sources of information) to fingerprint a device or user?
>>> 	[tlr, erin, npdoty, others]
>>>
>>> * may I access to the information I created?
>>> 	[karl]
>>>
>>> * may I record it myself (locally)?
>>> 	[karl]
>>>
>>> * am I able to have actions on this personal record?
>>> 	[karl]
>>>
>>> * may I block partly or totally the record of the information?
>>> 	[karl, tonyr]
>>>
>>> * may I fake it? (think about fuzzy geolocation or voluntary fake  
>>> location)
>>> 	[karl]
>>>
>>> * Is the data personally-derived, i.e. derived from the  
>>> interaction of a single person, or their device or address?  (If  
>>> so, even if anonymous, it might be re-correlated)
>>> 	[dsinger]
>>>
>>> * Does the data record contain elements that would enable such re- 
>>> correlation?  (examples include an IP address, and so on)
>>> 	[dsinger]
>>>
>>> * What other data could this record be correlated with? (e.g. the  
>>> ISP)
>>> 	[dsinger]
>>>
>>> * If you had large amounts of this data about one person, what  
>>> conclusions would it enable you to draw? (e.g. maybe you could  
>>> estimate location from many ambient light events by estimating  
>>> latitude and longitude from the times of sunrise and sunset)
>>> 	[dsinger, tonyr]
>>>
>>> * Am I likely to know if information is being collected?
>>> 	[wseltzer]
>>>
>>> * How visible is its collection and or use?
>>> 	[wseltzer, tonyr]
>>>
>>> * Do I get feedback on the patterns that the information could  
>>> reveal (at any instant, over time) so I can adjust behaviors?
>>> 	[wseltzer]
>>>
>>> * if a background event about the device is fired in all browsing  
>>> contexts, does it allow correlation of a user across contexts?
>>> 	[npdoty]
>>>
>>> * can code on a page send signals that can be received by device  
>>> sensors on nearby devices?
>>> 	[npdoty, tonyr]
>>>
>>> And while we're gathering checklists of questions, we might look  
>>> at the old Morris/Davidson doc for Internet specification authors  
>>> that had some questions related to privacy:
>>> 	http://tools.ietf.org/id/draft-morris-policy-considerations-00.txt
>>> (In particular: "4. Questions about Technical Characteristics or  
>>> Functionality" and then privacy discussion in Section 5.)
>>> And the IAB Privacy Considerations for Internet Protocols contains  
>>> lists of questions in the "Guidelines" section:
>>> 	http://tools.ietf.org/html/draft-iab-privacy-considerations-08
>>>
>>> This satisfies my ACTION-2.
>>>
>>> Thanks,
>>> Nick
>>
>
>
Received on Thursday, 25 April 2013 11:55:30 UTC