Re: new security/privacy review questions

Also I went through and made a pass at removing the instances of "PII" and
replacing with more inclusive language.

On Wed, Jul 1, 2015 at 4:20 PM, Greg Norcie <gnorcie@cdt.org> wrote:

> Hi Frank,
>
> Please send your feedback to the list so it can be discussed.
>
> Thanks for the help!
>
> On Wed, Jul 1, 2015 at 4:17 PM, Dawson Frank (Nokia-TECH/Irving) <
> frank.dawson@nokia.com> wrote:
>
>> PS…
>>
>> Under §4 Mitigations, it occurred to me that another mitigation is “data
>> minimization”. An example was in work that ex-colleague Frederick Hirsch
>> did in Devices API work. For example, on addressbook lookup, rather than
>> allowing the functionality of the API to transfer a full addressbook entry via an
>> identifier, you had to access the entry and retrieve partial information,
>> parameter by parameter, out of the entry. This data minimization decreased
>> the attack surface of the API by limiting the amount of the entry that could be
>> retrieved at once.
>>
>> Another would be the classic “Privacy by Default”. For example, when you
>> would use WebRTC to open a video connection, the microphone and video
>> sensors should be muted and privacy lid enabled by default.
>>
>> Another would be “Contextual or Timely User Control” (you might have a
>> better term). In the same example as the previous one, the user should have the
>> ability to toggle off microphone and video, on demand, even if consent has
>> already been granted for the session.
>>
>> *From:* ext Greg Norcie [mailto:gnorcie@cdt.org]
>> *Sent:* Wednesday, July 01, 2015 10:27
>> *To:* Dawson Frank (Nokia-TECH/Irving)
>> *Cc:* public-privacy (W3C mailing list)
>> *Subject:* Re: new security/privacy review questions
>>
>> Hi Frank,
>>
>> Thanks for the input. I definitely agree we should try to remove US
>> centric language. I can try to go through and be a little more general, but
>> it might be useful for a non-US person to make a pass as well.
>>
>> I will make a second pass today and try to alter anything that seems
>> especially tied to US law.
>>
>> Also, while I'm sure there are many techniques aside from questionnaires
>> that can be used when reviewing a new standard, I think for right now we'll
>> focus on refining the questionnaire - other techniques can certainly be
>> developed to supplement the questionnaire once it is mature.
>>
>> (The addition of new sections would be something that probably should be
>> saved for discussion in Prague)
>>
>> I'll send out a revised question set with revised language later today.
>>
>> -Greg
>>
>> On Wed, Jul 1, 2015 at 10:50 AM, Dawson Frank (Nokia-TECH/Irving) <
>> frank.dawson@nokia.com> wrote:
>>
>> Hei Greg.
>>
>> Looks like a hard crowd to please at SOUPS events :)
>>
>> SOUPS acceptance rates: 2005: 10/39 (25%); 2006: 14/39 (35%); 2007: 12/41
>> (29%); 2008: 13/43 (30%); 2009: 15/49 (30%); 2010: 16/65 (24%); 2011: 15/45
>> (33%); 2012: 14/67 (20%); 2013: 15/51 (29%)
>>
>> At least maybe you can escape the heat/humidity of summer time in DC for
>> a while.
>>
>> I looked at the questionnaire that you, Joe and Mike updated. Have you
>> read the PRIPARE paper from the IWPE15 event on goal-based versus risk-based
>> approaches to analyzing privacy impact? Net-net is that both approaches are
>> important and a hybrid of the two makes for better privacy engineering.
>>
>> The questionnaire approach is good when the system is well known and a true
>> table of knowledge exists for problem determination and solution selection
>> (e.g., A380 engine #4 shows a fire light, what to do). But with the privacy
>> impact analysis for new web technologies this might not be the case.
>>
>> I was wondering if the questionnaire might be complemented by some
>> additional section with more systematic guidance. For example, pre-analysis
>> work involving assembly by the editors of a worksheet with a data inventory that
>> can be used for analysis of the data flows involved. Attached is an
>> example, but this could be specified in other ways than XLS, such as
>> questions. Obviously, the attached example columns are specific to a
>> deployment of a standard (i.e., implementation or product) but can be
>> generalized to capture the more generic nature of what a W3C web specification
>> would create.
>>
>> Also, the questionnaire could be supplemented by a suggested PII
>> classification scheme. I prefer the Paul Schwartz/Daniel Solove “PII 2.0”,
>> as is incorporated into the XLS attached.
>>
>> Lastly, the W3C specifications are for a global web, but the vocabulary
>> in the questionnaire is very US specific (e.g., use of PII over Personal
>> Data). Why not go for a more international vocabulary (e.g., the EU GDPR that is
>> being copied by regional jurisdictions other than the US, or the ISO 29100 Privacy
>> Framework, whose PDF is freely available from ISO)?
>>
>> Additionally, the questionnaire could be enhanced by a Privacy
>> Recommendations section that lists a set or catalog of principles,
>> controls and implementation criteria. The set would be something that would
>> grow as experience identified further patterns for best practice. The
>> sectorial standards for the ISO 27001 series for Information Security
>> Management Systems provide in ISO 27009 guidance on how this would be
>> formatted.
>>
>> x Data Stewardship
>>
>> x.1 Data inventory
>>
>> Control: Personal data collected, processed, stored, transferred or
>> managed by the specification is identified and classified according to its
>> purposes, personal data category, security category, retention/deletion
>> recommendation…
>>
>> Implementation guidance: Sensitive categories of personal data should be
>> encrypted when transferred and consideration given on encryption when at
>> rest/stored.
>>
>> Frank/
>>
>> *From:* ext Greg Norcie [mailto:gnorcie@cdt.org]
>> *Sent:* Tuesday, June 30, 2015 20:51
>> *To:* Christine Runnegar
>> *Cc:* public-privacy (W3C mailing list)
>> *Subject:* Re: new security/privacy review questions
>>
>> Hi all,
>>
>> Joe's out of the office this week, but I spoke with him before he left,
>> and he will be at IETF in Prague.
>>
>> I'd love to join him, but I had made plans to attend SOUPS
>> <https://cups.cs.cmu.edu/soups/2015/> in Ottawa during that time prior
>> to this idea being raised. (But if anyone will also be at SOUPS I'd be
>> happy to chat)
>>
>> If anyone has feedback between now and then, please feel free to share it
>> with the list and I will iterate on the current question set.
>>
>> On Tue, Jun 30, 2015 at 7:52 AM, Christine Runnegar <runnegar@isoc.org>
>> wrote:
>>
>> Thank you Greg and Joe for all your work on this.
>>
>> One suggestion at the PING call last week is to use at least some of the
>> time at the PING meeting alongside IETF (Thursday 23 July - during the
>> lunch break) to progress this work further.
>>
>> In the meantime, everyone, please continue to share your thoughts on the
>> draft as well as the feedback from Greg and Joe.
>>
>> Christine and Tara
>>
>>
>> > On 24 Jun 2015, at 3:34 pm, Greg Norcie <gnorcie@cdt.org> wrote:
>> >
>> > Hi all,
>> >
>> > Joe Hall and I have been working on a rewrite of the TAG security
>> questionnaire[1], which incorporates privacy concerns as well as security
>> concerns. (For example, we include some of the questions raised by Nick in
>> his privacy questionnaire.[2])
>> >
>> > We also split the questionnaire into a security section and a privacy
>> section (with the implication all new standards should enumerate their
>> privacy impacts as well as their security impacts.)
>> >
>> > The goal is that for each question, there will eventually be an
>> explanation and a concrete, real world example.
>> >
>> > [1] https://w3ctag.github.io/security-questionnaire/
>> > [2]
>> https://lists.w3.org/Archives/Public/public-privacy/2013AprJun/0004.html
>> >
>> > I've attached a .odt outlining our proposed questions, as well as a PDF
>> in case you don't have an ODT capable editor installed. (I recommend
>> Libreoffice)
>> > --
>> > /***********************************/
>> > Greg Norcie (norcie@cdt.org)
>> > Staff Technologist
>> > Center for Democracy & Technology
>> > 1634 Eye St NW Suite 1100
>> > Washington DC 20006
>> > (p) 202-637-9800
>> > PGP: http://norcie.com/pgp.txt
>> >
>> > Fingerprint:
>> > 73DF-6710-520F-83FE-03B5
>> > 8407-2D0E-ABC3-E1AE-21F1
>> >
>> > /***********************************/
>




Received on Wednesday, 1 July 2015 20:22:27 UTC
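Frank's data-minimization point above (retrieve an addressbook entry field by field under a consent scope, with no whole-entry getter) as an added illustration; this is not code from the thread or from any W3C Device API, and the contact record, field categories, scope names and access log are all constructed and hypothetical.

```python
"""Field-level contact lookup as a data-minimization pattern (added example).

There is deliberately no get_entry(): a caller must name each field it wants,
and each field maps to a personal-data category that its consent scope must
cover. Every attempt is logged so the data flow can be audited afterwards.
"""
from dataclasses import dataclass, field

# Constructed sample address book: one entry with several personal-data fields.
ADDRESS_BOOK = {
    "c-101": {
        "displayName": "Ada Example",
        "email": "ada@example.invalid",
        "phone": "+1-555-0100",
        "homeAddress": "1 Example Way",
        "birthday": "1990-01-01",
    },
}

# Hypothetical per-field classification, in the spirit of a data inventory.
FIELD_CATEGORY = {
    "displayName": "identity",
    "email": "contact",
    "phone": "contact",
    "homeAddress": "location",
    "birthday": "sensitive",
}


@dataclass
class ContactApi:
    """Minimizing API: one field per call, gated by the caller's scope."""
    granted_categories: frozenset
    access_log: list = field(default_factory=list)

    def get_field(self, contact_id, field_name):
        if field_name not in FIELD_CATEGORY:
            raise KeyError(f"unknown field {field_name!r}")
        category = FIELD_CATEGORY[field_name]
        allowed = category in self.granted_categories
        # Record granted and refused attempts alike for later review.
        self.access_log.append((contact_id, field_name, allowed))
        if not allowed:
            raise PermissionError(f"scope lacks {category!r} for {field_name!r}")
        return ADDRESS_BOOK[contact_id][field_name]


def fields_exposed(api, contact_id):
    """Return only the fields this caller's scope actually lets it reach."""
    out = {}
    for name in FIELD_CATEGORY:
        try:
            out[name] = api.get_field(contact_id, name)
        except PermissionError:
            pass
    return out
```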