- From: Ambarish S Natu <ambarish.natu@gmail.com>
- Date: Tue, 27 Jan 2015 22:17:02 +1100
- To: David Singer <singer@apple.com>
- Cc: "Mike O'Neill" <michael.oneill@baycloud.com>, Danny Weitzner <djweitzner@csail.mit.edu>, Rigo Wenning <rigo@w3.org>, "public-privacy@w3.org" <public-privacy@w3.org>
- Message-ID: <CAO6L_b770_NAP6xq5o4h7U1DZfn-Szdv7fy96ZG6MmXqqt+hFw@mail.gmail.com>
Here is a list of requirements to start thinking of a framework! The
problem could easily spiral out of any proportion!
Privacy-Abusive Data Collection and Retention
- *Demands for User Data*
  - identity data
  - profile data
  - contacts data
  - location data
- *Enticement of the Disclosure of User Data*
  - about the user
  - about the user's location
  - about others
- *Collection of User Data*
  - about users' online behaviour
    - when transacting with the particular social media service
    - even when transacting with other services
  - about users' reading, interests, opinions and attitudes
  - about users' locations over time
  - from third parties:
    - without notice to the user and/or
    - without meaningful consent
- *Retention of User Data*
  - without meaningful consent
  - without a deletion-cycle
  - compiling an intensive track of users' readings, behaviours and movements
Privacy-Abusive Service-Provider Rights
- *Terms of Service Features*
  - substantial self-declared, non-negotiable service-provider rights
  - a right to exploit users' data for the service-providers' own purposes
  - a right to disclose users' data to other organisations
  - a right to retain users' data permanently, even if the person terminates their account
  - a right to change Terms of Service:
    - unilaterally
    - without advance notice to users; and/or
    - without any notice to users
- *Exercise of Self-Declared Service-Provider Rights*
  - in ways harmful to users' interests
  - in order to renege on previous undertakings
  - without notice of the action being provided to the user
- *Avoidance of Consumer Protection and Privacy Laws*
  - location of storage and processing in data havens
  - location of contract-jurisdiction distant from users
  - ignoring of regulatory and oversight agencies
  - acceptance of nuisance-value fines and nominal undertakings as 'a cost of doing business'
Privacy-Abusive Functionality and User Interfaces
- *Privacy-Related Settings*
  - non-conservative default settings, such as default-open for profile-data, postings, and even location-data
  - inadequate granularity
  - complex and unhelpful user interfaces
  - changes to the effects of settings
    - without advance notice
    - without any notice and/or
    - without meaningful consent
- *'Real Names' Policies*
  - denial of anonymity
  - denial of pseudonymity
  - denial of multiple identities
  - enforced publication of 'real name' and associated profile data
- *Changes to Functionality and User Interface*
  - frequent
  - without advance notice to users
  - without any notice to users
  - without meaningful consent
- *User Access to Their Data*
  - lack of clarity about whether data can be accessed
  - lack of clarity about how data can be accessed
  - failure to implement effective processes for user access
  - unreasonable limitations on a right of access
  - denial of a right of access
- *User Deletion of Their Data*
  - lack of clarity about whether each category of data can be deleted
  - lack of clarity about how each category of data can be deleted
  - failure to implement effective processes for user-initiated deletion
  - unreasonable limitations on a right of deletion
  - denial of a right of deletion
Privacy-Abusive Data Exploitation
- *Exposure of User Data to Third Parties*
  - wide exposure, in violation of previous Terms of Service, of:
    - users' profile-data - even to the point of publishing street-address and mobile-phone number
    - users' postings
    - users' advertising and purchasing behaviour
    - users' declared social networks
    - users' inferred social networks, based on messaging-traffic
  - changes to the scope of exposure:
    - without advance notice to users
    - without any notice to users; and/or
    - without meaningful consent
  - ready access by government agencies, without demonstrated legal authority for the demand
- *Exposure of Data about Other People*
  - upload of users' address-books, including:
    - their contact-points
    - other personal data, such as children's names
    - comments about them
    - by implication, their social networks
  - exploitation of non-users' interactions with users
Regards
Ambarish S Natu
This list is from one of Roger Clarke's papers:
http://www.rogerclarke.com/II/COSM-1301.html
On Tuesday, 27 January 2015, David Singer <singer@apple.com> wrote:
>
> > On Jan 27, 2015, at 11:46, Mike O'Neill <michael.oneill@baycloud.com> wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > There is also an international dimension, with transatlantic agreements
> on privacy, cybersecurity and surveillance being publicly discussed, and
> it is clear these things are interrelated, addressing one will always
> involve consideration of the others.
> >
> > There does not have to be a trade-off, no need to forgo privacy for the
> sake of security. We should be able to build a system with them all.
> >
> > What is needed is a clearly expressed “statement of requirements” i.e.
> we want to protect privacy and security within a transparent and
> democratically accountable framework which, for example, allows law
> enforcement to do its job (using warranted surveillance if necessary), but
> rules out mass surveillance. Because the net knows no borders there has to
> be a transnational component.
> >
> > The W3C could then do its part helping to create the necessary protocols
> and standards, while the politicians take charge of the oversight process
> and creating the legal environment.
> >
>
> If you have even vague visions for what protocols and standards could help
> here, could you sketch them out?
>
> David Singer
> Manager, Software Standards, Apple Inc.
>
>
>
--
अंबरीष श्रिकृष्ण नातू
Received on Tuesday, 27 January 2015 12:56:07 UTC