Re: Privacy Guidance Draft - Your Feedback Needed

Hey Karl, 

thanks for your feedback. My response is below: 


On Jul 12, 2013, at 2:03 PM, Karl Dubost wrote:

> Hannes Tschofenig [2013-06-26T02:29]:
>>> May I access to the information I created? — [karl]
>> 
>> Further clarification is needed here. Typically, privacy concerns are raised when information is shared or when unauthorized access to information is gained.
> 
> 
> In this case, my line was "can I understand what is collected about me". Having access to the data which have been silently collected can help me take actions such as terminating a service, understanding my own patterns, adjusting my usage of a service because of privacy implications. As long as I do not have access to these data, I can't really make an informed choice about the consequences. 


Thanks for the clarifications. I would put this topic under "user participation". Here is the proposed (updated) text:

-----------------------------------------
User Participation

Many Web applications collect data and allow it to be shared with other parties through APIs and other protocol mechanisms.

Data collection: What mechanism for obtaining consent does the specification foresee being used before data collection starts? Is a user able to access the data that is collected about him or her that has implications for the protocol, API, or extension being defined?

Data sharing: What controls or consent mechanisms does the protocol define or require before personal data are shared with other parties (e.g., via the protocol or API)? Does the user have control over their data after it has been shared with other parties, for example regarding secondary use? Are users able to determine what information was shared with other parties (as part of an audit log)?

What recommendations can be given to implementers and those who deploy regarding privacy-friendly sharing of information for the technology being standardized? This in particular refers to the ability to provide additional information about why the sharing is taking place (the purpose), what information is shared and with whom. Furthermore relevant is the ability to control the degree (or the granularity) of information sharing. Will the data subject be given enough context to make an informed decision? Is it anticipated that the decision about granting sharing with a particular party be made persistent (i.e., cached) so that the user is not repeatedly asked? If so, for how long is the decision cached? How can it be revoked? Is there an anticipated way for a user to determine what decisions have been cached?


-----------------------------------------

Does this reflect your ideas? 

> 
> 
>>> May I record it myself (locally)? — [karl]
>> 
>> Further clarification is needed here. Why is this a privacy concern? Normally, everything can be "stored" that is available locally unless there is some DRM protection.
> 
> Consequence of the previous one. Having access to the data online on a Web site doesn't mean that you can easily save them on your computer for further analysis. A perfect recent example is now the twitter archives that you can request in your preferences. There is plenty of meta information in these tweets that you can analyze yourself and/or feed in a software for understanding them and the extent of the issues or non-issues it creates.

Ah. This is about data portability, i.e., the ability to take your data with you. 

I added one question regarding this item to the last paragraph of text shown above, namely "For data that is collected is the user able to retrieve that data in an electronic format (data portability)? Are there standardized data formats (if they exist) used for the data export?"

I think that this is mostly a question for those who deploy and not for those who write the specification. 

> 
> 
>>> Am I able to have actions on this personal record? — [karl]
>> 
>> Further clarification is needed here. What type of actions should be applied to the personal data?
> 
> 
> Can I erase the data or change the data?
> One technique which is recommended when you want to leave a social network is to enter garbage text instead of just removing the data, so that garbage text replaces the records in the database. Some sites do not allow that, and you become permanently part of their records.
> 
> Another possibility is when you would like to change the "memory of the system". Twitter for example allows people to delete tweets, but not in a programmatic way or massive way without relying on a third party script. You might want for example to erase all tweets but the last week or the last 100.
> See https://github.com/olivierthereaux/oldtweets
> 

Got it. I added the following question to the last paragraph: "What ability for deleting data previously collected is given to the user? Is a user given the ability to delete all collected data, or is data deletion applied only selectively?"


> 
>>> May I fake it? (think about fuzzy geolocation or voluntary fake location) — [karl]
>> 
>> Further clarification is needed here. In general, information from end devices can be faked in a variety of ways. For information that is provided by a third party this might be more difficult. Which case are you referring to?
> 
> 
> Privacy concerns are also raised when a system (device, infrastructure, law) unbalances the control of your actions. Let's say you are writing and sharing to people: "I'm in Toronto this week". This is a lot different than saying I'm located at this latitude and longitude at any time.
> 
> The function (Location, time) in the Toronto/week case is fuzzy. But it still makes it possible to ask questions such as "What are the restaurants around?" or "What is the weather here?" Basically you are not sharing your precise location with the service.
> 
> The same way, you are at a business location, but you want the system to continue working as if you were at home. Or the opposite. The fact is that you might want to say you are elsewhere and/or change the precision of your location. There was a time it was fashionable to put a meta name with your geolocation on your blog. Some services were aggregating this information and making geolocated directories of blogs and/or maps. Some of us were putting the location of a well-known monument instead of the precise geolocation of our home. Having that choice is interesting; it helps remove some frictions with regards to privacy.
> 
Got it. I added a sentence to the data minimization section and re-structured it. 
The new text can be found at: http://www.tschofenig.priv.at/w3c-privacy-guidelines.html#guidelines 

> 
> 
> 
> Hope it clarifies.

It certainly does. 

Ciao
Hannes

> 
> -- 
> Karl Dubost
> http://www.la-grange.net/karl/
> 

Received on Thursday, 18 July 2013 11:57:53 UTC