- From: Greg Norcie <gnorcie@cdt.org>
- Date: Wed, 1 Jul 2015 16:20:50 -0400
- To: "Dawson Frank (Nokia-TECH/Irving)" <frank.dawson@nokia.com>
- Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Message-ID: <CAMJgV7Y6YZT1mrZMe3P+pNz_BX-RyM=_GiRt6MgWCj0+n5h3Fg@mail.gmail.com>
Hi Frank,

Please send your feedback to the list so it can be discussed. Thanks for the help!

On Wed, Jul 1, 2015 at 4:17 PM, Dawson Frank (Nokia-TECH/Irving) <frank.dawson@nokia.com> wrote:

> PS…
>
> Under §4 Mitigations, it occurred to me that another mitigation is “data minimization”. An example was in work that ex-colleague Frederick Hirsch did in Devices API work. For example, on addressbook lookup, rather than allow functionality of the API to transfer the full addressbook entry via an identifier, you had to access the entry and retrieve partial information, parameter by parameter, out of the entry. This data minimization decreased the attack surface of the API by limiting the amount of the entry that could be retrieved at once.
>
> Another would be the classic “Privacy by Default”. For example, when you would use WebRTC to open a video connection, the microphone and video sensors should be muted and privacy lid enabled by default.
>
> Another would be “Contextual or Timely User Control” (you might have a better term). In the same example as previous, the user should have the ability to toggle off microphone and video, on-demand, even if consent has already been granted for the session.
>
> *From:* ext Greg Norcie [mailto:gnorcie@cdt.org]
> *Sent:* Wednesday, July 01, 2015 10:27
> *To:* Dawson Frank (Nokia-TECH/Irving)
> *Cc:* public-privacy (W3C mailing list)
> *Subject:* Re: new security/privacy review questions
>
> Hi Frank,
>
> Thanks for the input. I definitely agree we should try to remove US centric language. I can try to go through and be a little more general, but it might be useful for a non-US person to make a pass as well.
>
> I will make a second pass today and try to alter anything that seems especially tied to US law.
>
> Also, while I'm sure there are many techniques aside from questionnaires that can be used when reviewing a new standard, I think for right now we'll focus on refining the questionnaire - other techniques can certainly be developed to supplement the questionnaire once it is mature.
>
> (The addition of new sections would be something that probably should be saved for discussion in Prague)
>
> I'll send out a revised question set with revised language later today.
>
> -Greg
>
> On Wed, Jul 1, 2015 at 10:50 AM, Dawson Frank (Nokia-TECH/Irving) <frank.dawson@nokia.com> wrote:
>
> > Hei Greg.
> >
> > Looks like a hard crowd to please at SOUPS events :)
> >
> > SOUPS acceptance rates: 2005: 10/39 (25%); 2006: 14/39 (35%); 2007: 12/41 (29%); 2008: 13/43 (30%); 2009: 15/49 (30%); 2010: 16/65 (24%); 2011: 15/45 (33%); 2012: 14/67 (20%); 2013: 15/51 (29%)
> >
> > At least maybe you can escape the heat/humidity of summer time in DC for a while.
> >
> > I looked at the questionnaire that you, Joe and Mike updated. Have you read the PRIPARE paper from the IWPE15 event on goal-based versus risk-based approaches to analyzing privacy impact? Net-net is that both approaches are important and a hybrid of the two makes for better privacy engineering.
> >
> > The questionnaire approach is good when the system is well known and a true table of knowledge exists for problem determination and solution selection (e.g., A380 engine #4 shows fire light, what to do). But with the privacy impact analysis for new web technologies this might not be the case.
> >
> > I was wondering if the questionnaire might be complemented by some additional section with more systematic guidance. For example, pre-analysis work involving assembly by editors of a worksheet with a data inventory that can be used for analysis of the data flows involved. Attached is an example, but this could be specified in other ways than XLS, such as questions. Obviously, the attached example columns are specific to a deployment of a standard (i.e., implementation or product) but can be generalized to capture the more generic nature that a W3C web specification would create.
> >
> > Also, the questionnaire could be supplemented by a suggested PII classification scheme. I prefer the Paul Schwartz/Daniel Solove “PII 2.0”, as is incorporated into the XLS attached.
> >
> > Lastly, the W3C specifications are for a global web, but the vocabulary in the questionnaire is very US specific (e.g., use of PII over Personal Data). Why not go for a more international vocabulary (e.g., EU GDPR, which is being copied by regional jurisdictions other than the US, or ISO 29100/Privacy Framework, whose PDF is freely available from ISO).
> >
> > Additionally, the questionnaire could be enhanced by a Privacy Recommendations section that listed a set or catalog of principles, controls, implementation criteria. The set would be something that would grow as experience identified further patterns for best practice. The sectorial standards for the ISO 27001-series for Information Security Management Systems provide in ISO 27009 guidance on how this would be formatted.
> >
> > x Data Stewardship
> >
> > x.1 Data inventory
> >
> > Control: Personal data collected, processed, stored, transferred or managed by the specification is identified and classified according to its purposes, personal data category, security category, retention/deletion recommendation…
> >
> > Implementation guidance: Sensitive categories of personal data should be encrypted when transferred and consideration given to encryption when at rest/stored.
> >
> > Frank/
> >
> > *From:* ext Greg Norcie [mailto:gnorcie@cdt.org]
> > *Sent:* Tuesday, June 30, 2015 20:51
> > *To:* Christine Runnegar
> > *Cc:* public-privacy (W3C mailing list)
> > *Subject:* Re: new security/privacy review questions
> >
> > Hi all,
> >
> > Joe's out of the office this week, but I spoke with him before he left, and he will be at IETF in Prague.
> >
> > I'd love to join him, but I had made plans to attend SOUPS <https://cups.cs.cmu.edu/soups/2015/> in Ottawa during that time prior to this idea being raised. (But if anyone will also be at SOUPS I'd be happy to chat)
> >
> > If anyone has feedback between now and then, please feel free to share it with the list and I will iterate on the current question set.
> >
> > On Tue, Jun 30, 2015 at 7:52 AM, Christine Runnegar <runnegar@isoc.org> wrote:
> >
> > > Thank you Greg and Joe for all your work on this.
> > >
> > > One suggestion at the PING call last week is to use at least some of the time at the PING meeting alongside IETF (Thursday 23 July - during the lunch break) to progress this work further.
> > >
> > > In the meantime, everyone, please continue to share your thoughts on the draft as well as the feedback from Greg and Joe.
> > >
> > > Christine and Tara
> > >
> > > On 24 Jun 2015, at 3:34 pm, Greg Norcie <gnorcie@cdt.org> wrote:
> > >
> > > > Hi all,
> > > >
> > > > Joe Hall and I have been working on a rewrite of the TAG security questionnaire[1], which incorporates privacy concerns as well as security concerns. (For example, we include some of the questions raised by Nick in his privacy questionnaire.[2])
> > > >
> > > > We also split the questionnaire into a security section and a privacy section (with the implication that all new standards should enumerate their privacy impacts as well as their security impacts.)
> > > >
> > > > The goal is that for each question, there will eventually be an explanation and a concrete, real world example.
> > > >
> > > > [1] https://w3ctag.github.io/security-questionnaire/
> > > > [2] https://lists.w3.org/Archives/Public/public-privacy/2013AprJun/0004.html
> > > >
> > > > I've attached a .odt outlining our proposed questions, as well as a PDF in case you don't have an ODT capable editor installed. (I recommend LibreOffice)
> > > >
> > > > --
> > > > /***********************************/
> > > > Greg Norcie (norcie@cdt.org)
> > > > Staff Technologist
> > > > Center for Democracy & Technology
> > > > 1634 Eye St NW Suite 1100
> > > > Washington DC 20006
> > > > (p) 202-637-9800
> > > > PGP: http://norcie.com/pgp.txt
> > > >
> > > > Fingerprint:
> > > > 73DF-6710-520F-83FE-03B5
> > > > 8407-2D0E-ABC3-E1AE-21F1
> > > > /***********************************/
> > > >
> > > > <PingPrivSecQs.pdf><PingPrivSecQs.odt>

--
/***********************************/
Greg Norcie (norcie@cdt.org)
Staff Technologist
Center for Democracy & Technology
1634 Eye St NW Suite 1100
Washington DC 20006
(p) 202-637-9800
PGP: http://norcie.com/pgp.txt

Fingerprint:
73DF-6710-520F-83FE-03B5
8407-2D0E-ABC3-E1AE-21F1
/***********************************/
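The two mitigations Frank raises in the quoted thread above (data minimization in an address-book API, and privacy-by-default capture devices with on-demand user control) as an added JavaScript example. This is not code from the thread, from the Devices API work, or from any W3C specification; the contact record, the field names and the `MinimizedContacts` / `MediaSession` class names are all constructed for illustration.

```javascript
// Added example (not from the thread). Contrasts a full-entry lookup with a
// field-scoped one, then models a media session that stays muted until the
// user unmutes it and can be muted again at any time. All names hypothetical.

// Constructed sample address book keyed by an opaque contact identifier.
const ADDRESS_BOOK = {
  "c-1001": {
    displayName: "Example Person",
    email: "person@example.org",
    phone: "+1-555-0100",
    homeAddress: "1 Sample Street, Exampletown",
    birthday: "1980-01-01",
  },
};

// The "before" shape: one identifier returns the whole entry, so a caller
// that only needs a display name still receives every sensitive field.
function lookupFullEntry(book, id) {
  const entry = book[id];
  return entry ? { ...entry } : null;
}

// The minimized shape: the caller names each field it wants, each field is
// checked against the grant it holds, and every decision is recorded so the
// user can later see what a page actually read (and what it tried to read).
class MinimizedContacts {
  constructor(book, grantedFields) {
    this.book = book;
    this.granted = new Set(grantedFields);
    this.accessLog = [];
  }

  getField(id, field) {
    const entry = this.book[id];
    // Own-property check: prototype members such as "constructor" are not
    // contact fields and must not be readable through this API.
    if (!entry || !Object.prototype.hasOwnProperty.call(entry, field)) {
      return { ok: false, reason: "unknown-field" };
    }
    if (!this.granted.has(field)) {
      this.accessLog.push({ id, field, allowed: false });
      return { ok: false, reason: "not-granted" };
    }
    this.accessLog.push({ id, field, allowed: true });
    return { ok: true, value: entry[field] };
  }

  // Convenience wrapper that returns only the granted subset. The caller
  // still has to list fields, so a grant for "displayName" never widens
  // into a full-record dump.
  getFields(id, fields) {
    const out = {};
    for (const f of fields) {
      const r = this.getField(id, f);
      if (r.ok) out[f] = r.value;
    }
    return out;
  }
}

// Privacy by default plus timely user control: the microphone and camera
// start muted and the lid closed, consent alone changes nothing, and the
// user can mute again at any moment during the session.
class MediaSession {
  constructor() {
    this.consented = false;
    this.mic = { enabled: false };
    this.camera = { enabled: false, lidClosed: true };
  }
  grantConsent() {
    this.consented = true; // consent does not unmute anything by itself
  }
  unmute() {
    if (!this.consented) throw new Error("no consent for this session");
    this.mic.enabled = true;
    this.camera.enabled = true;
    this.camera.lidClosed = false;
  }
  userMute() {
    // Always available to the user, regardless of consent state.
    this.mic.enabled = false;
    this.camera.enabled = false;
    this.camera.lidClosed = true;
  }
  isTransmitting() {
    return this.mic.enabled || this.camera.enabled;
  }
}
```

The access log is the piece that makes the minimized shape reviewable: a page that holds a grant for `displayName` and nevertheless asks for `homeAddress` leaves a denied entry behind, which a privacy questionnaire reviewer (or the user) can inspect.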
Received on Wednesday, 1 July 2015 20:21:22 UTC