Re: new security/privacy review questions

Hi Frank,

Thanks for the input. I definitely agree we should try to remove US-centric
language. I can try to go through and be a little more general, but it
might be useful for a non-US person to make a pass as well.

I will make a second pass today and try to alter anything that seems
especially tied to US law.

Also, while I'm sure there are many techniques aside from questionnaires
that can be used when reviewing a new standard, I think for right now we'll
focus on refining the questionnaire - other techniques can certainly be
developed to supplement the questionnaire once it is mature.

(The addition of new sections would be something that probably should be
saved for discussion in Prague)

I'll send out a revised question set with revised language later today.

-Greg

On Wed, Jul 1, 2015 at 10:50 AM, Dawson Frank (Nokia-TECH/Irving) <
frank.dawson@nokia.com> wrote:

>  Hei Greg.
>
>
>
> Looks like a hard crowd to please at SOUPS events :)
>
>
>
> SOUPS acceptance rates: 2005: 10/39 (25%); 2006: 14/39 (35%); 2007: 12/41
> (29%); 2008: 13/43 (30%); 2009: 15/49 (30%); 2010: 16/65 (24%); 2011: 15/45
> (33%); 2012: 14/67 (20%); 2013: 15/51 (29%)
>
>
>
> At least maybe you can escape the heat/humidity of summer time in DC for a
> while.
>
>
>
> I looked at the questionnaire that you, Joe and Mike updated. Have you read
> the PRIPARE paper from the IWPE15 event on goal-based versus risk-based approaches
> to analyzing privacy impact? Net-net is that both approaches are important
> and a hybrid of the two makes for better privacy engineering.
>
>
>
> The questionnaire approach is good when the system is well known and a true
> table of knowledge exists for problem determination and solution selection
> (e.g., A380 engine #4 shows fire light, what to do). But with the privacy
> impact analysis for new web technologies this might not be the case.
>
>
>
> I was wondering if the questionnaire might be complemented by some
> additional section with more systematic guidance. For example, pre-analysis
> work involving assembly by editors of a worksheet with a data inventory that
> can be used for analysis of the data flows involved. Attached is an
> example, but this could be specified in other ways than XLS, such as
> questions. Obviously, the attached example columns are specific to a
> deployment of a standard (ie, implementation or product) but can be
> generalized to capture the more generic nature that a W3C web specification
> would create.
>
>
>
> Also, the questionnaire could be supplemented by a suggested PII
> classification scheme. I prefer the Paul Schwartz/Daniel Solove “PII 2.0”,
> as is incorporated into the XLS attached.
>
>
>
> Lastly, the W3C specifications are for a global web, but the vocabulary in
> the questionnaire is very US specific (eg, use of PII over Personal Data).
> Why not go for a more international vocabulary (eg, EU GDPR that is being
> copied by regional jurisdictions other than US or ISO 29100/Privacy
> Framework which PDF is freely available from ISO).
>
>
>
> Additionally, the questionnaire could be enhanced by a Privacy
> Recommendations section that listed a set or catalog of principles,
> controls, implementation criteria. The set would be something that would
> grow as experience identified further patterns for best practice. The
> sectorial standards for the ISO 27001-series for Information Security
> Management Systems provides in ISO 27009 guidance on how this would be
> formatted.
>
>
>
> x Data Stewardship
>
>
>
> x.1 Data inventory
>
>
>
> Control: Personal data collected, processed, stored, transferred or
> managed by the specification is identified and classified according to its
> purposes, personal data category, security category, retention/deletion
> recommendation…
>
>
>
> Implementation guidance: Sensitive categories of personal data should be
> encrypted when transferred and consideration given on encryption when at
> rest/stored.
>
>
>
> Frank/
>
>
>
> *From:* ext Greg Norcie [mailto:gnorcie@cdt.org]
> *Sent:* Tuesday, June 30, 2015 20:51
> *To:* Christine Runnegar
> *Cc:* public-privacy (W3C mailing list)
> *Subject:* Re: new security/privacy review questions
>
>
>
> Hi all,
>
> Joe's out of the office this week, but I spoke with him before he left,
> and he will be at IETF in Prague.
>
> I'd love to join him, but I had made plans to attend SOUPS
> <https://cups.cs.cmu.edu/soups/2015/> in Ottawa during that time prior to
> this idea being raised. (But if anyone will also be at SOUPS I'd be happy
> to chat)
>
> If anyone has feedback between now and then, please feel free to share it
> with the list and I will iterate on the current question set.
>
>
>
> On Tue, Jun 30, 2015 at 7:52 AM, Christine Runnegar <runnegar@isoc.org>
> wrote:
>
> Thank you Greg and Joe for all your work on this.
>
> One suggestion at the PING call last week is to use at least some of the
> time at the PING meeting alongside IETF (Thursday 23 July - during the
> lunch break) to progress this work further.
>
> In the meantime, everyone, please continue to share your thoughts on the
> draft as well as the feedback from Greg and Joe.
>
> Christine and Tara
>
>
> > On 24 Jun 2015, at 3:34 pm, Greg Norcie <gnorcie@cdt.org> wrote:
> >
> > Hi all,
> >
> > Myself and Joe Hall have been working on a rewrite of the TAG security
> > questionnaire[1], which incorporates privacy concerns as well as security
> > concerns. (For example, we include some of the questions raised by Nick in
> > his privacy questionnaire.[2])
> >
> > We also split the questionnaire into a security section and a privacy
> > section (with the implication all new standards should enumerate their
> > privacy impacts as well as their security impacts.)
> >
> > The goal is that for each question, there will eventually be an
> > explanation and a concrete, real world example.
> >
> > [1] https://w3ctag.github.io/security-questionnaire/
> > [2] https://lists.w3.org/Archives/Public/public-privacy/2013AprJun/0004.html
> >
> > I've attached a .odt outlining our proposed questions, as well as a PDF
> > in case you don't have an ODT capable editor installed. (I recommend
> > LibreOffice)
> > --
> > /***********************************/
> > Greg Norcie (norcie@cdt.org)
> > Staff Technologist
> > Center for Democracy & Technology
> > 1634 Eye St NW Suite 1100
> > Washington DC 20006
> > (p) 202-637-9800
> > PGP: http://norcie.com/pgp.txt
> >
> > Fingerprint:
> > 73DF-6710-520F-83FE-03B5
> > 8407-2D0E-ABC3-E1AE-21F1
> >
> > /***********************************/
>
> > <PingPrivSecQs.pdf><PingPrivSecQs.odt>



-- 
/***********************************/

*Greg Norcie (norcie@cdt.org <norcie@cdt.org>)*

*Staff Technologist*
*Center for Democracy & Technology*
1634 Eye St NW Suite 1100
Washington DC 20006
(p) 202-637-9800
PGP: http://norcie.com/pgp.txt

Fingerprint:
73DF-6710-520F-83FE-03B5
8407-2D0E-ABC3-E1AE-21F1

/***********************************/

Received on Wednesday, 1 July 2015 15:27:47 UTC