Re: Security and privacy questionnaire

We have done some work that we'll send to PING this week (hopefully
before Thursday's call) on this questionnaire... some of it will get
to your critique, Chaals, but let's definitely slot in a discussion of
this questionnaire, how PING should respond (I'd hope with a
coordinated voice back to TAG), etc.

On Mon, Jun 22, 2015 at 10:56 AM,  <chaals@yandex-team.ru> wrote:
> Hi,
>
> The questionnaire: https://w3ctag.github.io/security-questionnaire/ seems overly focused on security.
> There should be a section at the beginning of the threats on "inviting users to expose themselves".
>
> Users are generally unaware of where their data goes, and are often not really able to understand the implications of a privacy policy even if one exists. They are generally prepared to give up information in exchange for some service, but inviting them to do so without being very clear (in terms a seven-year-old can understand, although to be fair many 4-year-olds can use the web) of the consequences, effectively puts them at risk.
>
> I would like to see a specific discussion of the fact that users are poor at anticipating the long-term cumulative consequences of repeatedly giving up small amounts of information.
>
> I think the questions on e.g. location information are valuable, but they seem to be phrased far too atomically.
>
> One way to think of sensitive material is to consider how hard it is to replace, if an unfriendly party has it - your name is harder to change than your passport, which is harder to change than a credit card, which is harder to change than a certain amount of cash.
>
> Another is to consider the cost of an unfriendly party having it.
>
> Someone may use your credit card to spend your money. The cost of lost cash is fairly simple to calculate. But authenticating to an online service like a social network as you, and developing a reputation for things that you would not do, can be very damaging. Even worse is something that compromises the security of your possessions (e.g. knowing when you are not at home) or your person (e.g. knowing where you are, whether you are alone, with relative strangers, or in a group of friends and family) - all of which is magnified by having personal information - age, gender, etc…
>
> cheers
>
> Chaals
>
> --
> Charles McCathie Nevile - web standards - CTO Office, Yandex
> chaals@yandex-team.ru - - - Find more at http://yandex.com
>



-- 
Joseph Lorenzo Hall
Chief Technologist
Center for Democracy & Technology
1634 I ST NW STE 1100
Washington DC 20006-4011
(p) 202-407-8825
(f) 202-637-0968
joe@cdt.org
PGP: https://josephhall.org/gpg-key
fingerprint: 3CA2 8D7B 9F6D DBD3 4B10  1607 5F86 6987 40A9 A871

Received on Monday, 22 June 2015 19:43:56 UTC