Re: new security/privacy review questions

Hi Everybody,

I'm new to this mailing list and I feel very honoured that you accepted
me. I'm a French attorney, passionate and concerned about privacy issues,
so please excuse my bad English and my ignorance of US law...

I agree that the specifications should use terms that are not too much
related to a national legislation and are more neutral, to be more
understandable for everybody. "PII" is too close to US law and "Personal
Data" maybe too close to EU law. However, comparing the French and
European definition of Personal Data to the definition you give of PII
in this specification, both concepts seem to me quite similar:

The legal definition of personal data according to the EU directive of 1995
about personal data is: "'personal data' shall mean any information
relating to an identified or identifiable natural person ('data
subject'); an identifiable person is one who can be identified, directly
or indirectly, in particular by reference to an identification number or
to one or more factors specific to his physical, physiological, mental,
economic, cultural or social identity".

In other words, personal data is also data that at first sight isn't
personally identifying but becomes personally identifying when it's
combined or crossed with other data and as a result makes it possible to
identify a person (for example a cookie identifier crossed with a
browser history).
 
On the other hand, what is not defined in this specification and seems
to me not clear is what you understand by "First" and "Third"
Party? Talking about this in France with developers, it is a real
debate. As a lawyer I understand strictly that first parties are
exclusively components controlled by the controller (the direct person I
think, as a user, I'm talking to and who legally defines the purposes
and the collecting of data) and a third party is any other person
outside of this relationship, even if the third party has been
authorised by the controller but the processing of data isn't completely
controlled by the controller (so it materially can't be under his direct
authority, for example data collected by Google Analytics).

Hereafter is the legal definition of Third Party according to the EU directive
of 1995: "'third party' shall mean any natural or legal person, public
authority, agency or any other body other than the data subject, the
controller, the processor and the persons who, under the direct
authority of the controller or the processor, are authorized to process
the data".

The developers I was talking with understand that a third
party is only a person who wasn't authorised by the controller.

What is your position?

Regards,

On 01/07/2015 22:43, Katie Haritos-Shea GMAIL wrote:
>
> I think this is a very good first pass, however, I think that we
> should give the localized name as (e.g, ?) after the internationalized
> term.
>
>  
>
> As an example:
>
> Where you have “high-value data” I would like to see (e.g., PII,
> <whatever PII is referred to elsewhere>, PIFI, PHI) – so that users in
> each country can better understand what is being said……..
>
>  
>
> katie
>
> Katie Haritos-Shea
> Senior Accessibility SME (WCAG/Section 508/ADA/AODA)
>
> Cell: 703-371-5545 | ryladog@gmail.com | Oakton, VA | LinkedIn Profile
> <http://www.linkedin.com/in/katieharitosshea/> | Office: 703-371-5545
>
>  
>
> *From:*Greg Norcie [mailto:gnorcie@cdt.org]
> *Sent:* Wednesday, July 1, 2015 4:22 PM
> *To:* Greg Norcie
> *Cc:* public-privacy (W3C mailing list)
> *Subject:* Re: new security/privacy review questions
>
>  
>
> Also I went through and made a pass at removing the instances of "PII"
> and replacing with more inclusive language.
>
>  
>
> On Wed, Jul 1, 2015 at 4:20 PM, Greg Norcie <gnorcie@cdt.org
> <mailto:gnorcie@cdt.org>> wrote:
>
>     Hi Frank,
>
>     Please send your feedback to the list so it can be discussed.
>
>     Thanks for the help!
>
>      
>
>     On Wed, Jul 1, 2015 at 4:17 PM, Dawson Frank (Nokia-TECH/Irving)
>     <frank.dawson@nokia.com <mailto:frank.dawson@nokia.com>> wrote:
>
>         PS…
>
>          
>
>         Under §4 Mitigations, it occurred to me that another
>         mitigation is “data minimization”. An example was in work that
>         ex-colleague Frederick Hirsch did in Devices API work. For
>         example, on addressbook lookup, rather than allow
>         functionality of API to transfer full addressbook entry via an
>         identifier, you had to access entry and retrieve partial
>         information, parameter by parameter, out of the entry. This
>         data minimization decreased the attack surface of the API by
>         limiting amount of entry that could be retrieved at once.
>
>          
>
>         Another would be the classic “Privacy by Default”.. For
>         example, when you would use WebRTC to open a video connection,
>         the microphone and video sensors should be muted and privacy
>         lid enabled by default.
>
>          
>
>         Another would be “Contextual or Timely User Control” (you might
>         have better term). In the same example as previous, user
>         should have ability to toggle off microphone and video,
>         on-demand, even if consent has already been granted for the
>         session.
>
>          
>
>         *From:*ext Greg Norcie [mailto:gnorcie@cdt.org
>         <mailto:gnorcie@cdt.org>]
>         *Sent:* Wednesday, July 01, 2015 10:27
>         *To:* Dawson Frank (Nokia-TECH/Irving)
>
>         *Cc:* public-privacy (W3C mailing list)
>         *Subject:* Re: new security/privacy review questions
>
>          
>
>         Hi Frank,
>
>         Thanks for the input. I definitely agree we should try to
>         remove US centric language. I can try to go through and be a
>         little more general, but it might be useful for a non-US
>         person to make a pass as well.
>
>         I will make a second pass today and try to alter anything that
>         seems especially tied to US law.
>
>         Also, while I'm sure there are many techniques aside from
>         questionnaires that can be used when reviewing a new standard,
>         I think for right now we'll focus on refining the
>         questionnaire - other techniques can certainly be developed to
>         supplement the questionnaire once it is mature.
>
>         (The addition of new sections would be something that probably
>         should be saved for discussion in Prague)
>
>         I'll send out a revised question set with revised language
>         later today.
>
>         -Greg
>
>          
>
>         On Wed, Jul 1, 2015 at 10:50 AM, Dawson Frank
>         (Nokia-TECH/Irving) <frank.dawson@nokia.com
>         <mailto:frank.dawson@nokia.com>> wrote:
>
>             Hei Greg.
>
>              
>
>             Looks like a hard crowd to please at SOUPS events :)
>
>              
>
>             SOUPS acceptance rates: 2005: 10/39 (25%); 2006: 14/39
>             (35%); 2007: 12/41 (29%); 2008: 13/43 (30%); 2009: 15/49
>             (30%); 2010: 16/65 (24%); 2011: 15/45 (33%); 2012: 14/67
>             (20%); 2013 15/51 (29%)
>
>              
>
>             At least maybe you can escape the heat/humidity of summer
>             time in DC for a while.
>
>              
>
>             I looked at the questionnaire that you, Joe and Mike
>             updated. Have you read PRIPARE paper from IWPE15 event on
>             goal-based versus risk-based approaches to analyzing
>             privacy impact? Net-net is that both approaches are
>             important and a hybrid of the two makes for better privacy
>             engineering.
>
>              
>
>             The questionnaire approach is good when system is well
>             known and true table of knowledge exists for problem
>             determination and solution selection (e.g., A380 engine #4
>             shows fire light, what to do). But with the privacy impact
>             analysis for new web technologies this might not be the case.
>
>              
>
>             I was wondering if the questionnaire might be complemented
>             by some additional section with more systematic guidance.
>             For example, pre-analysis work involving assembly by
>             editors of worksheet with data inventory that can be used
>             for analysis of the data flows involved. Attached is an
>             example, but this could be specified in other ways than
>             XLS, such as questions. Obviously, the attached example
>             columns are specific to a deployment of a standard (ie,
>             implementation or product) but can be generalized to
>             capture the more generic nature that a W3C web
>             specification would create.
>
>              
>
>             Also, the questionnaire could be supplemented by a
>             suggested PII classification scheme. I prefer the Paul
>             Schwartz/Daniel Solove “PII 2.0”, as is incorporated into
>             the XLS attached.
>
>              
>
>             Lastly, the W3C specifications are for a global web, but
>             the vocabulary in the questionnaire is very US specific
>             (eg, use of PII over Personal Data). Why not go for a more
>             international vocabulary (eg, EU GDPR that is being copied
>             by regional jurisdictions other than US or ISO
>             29100/Privacy Framework which PDF is freely available from
>             ISO).
>
>              
>
>             Additionally, the questionnaire could be enhanced by a
>             Privacy Recommendations section that listed a set or
>             catalog of principles, controls, implementation criteria.
>             The set would be something that would grow as experience
>             identified further patterns for best practice. The
>             sectorial standards for the ISO 27001-series for
>             Information Security Management Systems provides in ISO
>             27009 guidance on how this would be formatted.
>
>              
>
>             x Data Stewardship
>
>              
>
>             x.1 Data inventory
>
>              
>
>             Control: Personal data collected, processed, stored,
>             transferred or managed by the specification is identified
>             and classified according to its purposes, personal data
>             category, security category, retention/deletion
>             recommendation…
>
>              
>
>             Implementation guidance: Sensitive categories of personal
>             data should be encrypted when transferred and
>             consideration given on encryption when at rest/stored.
>
>              
>
>             Frank/
>
>              
>
>             *From:*ext Greg Norcie [mailto:gnorcie@cdt.org
>             <mailto:gnorcie@cdt.org>]
>             *Sent:* Tuesday, June 30, 2015 20:51
>             *To:* Christine Runnegar
>             *Cc:* public-privacy (W3C mailing list)
>             *Subject:* Re: new security/privacy review questions
>
>              
>
>             Hi all,
>
>             Joe's out of the office this week, but I spoke with him
>             before he left, and he will be at IETF in Prague.
>
>             I'd love to join him, but I had made plans to attend SOUPS
>             <https://cups.cs.cmu.edu/soups/2015/> in Ottawa during
>             that time prior to this idea being raised. (But if anyone
>             will also be at SOUPS I'd be happy to chat)
>
>             If anyone has feedback between now and then, please feel
>             free to share it with the list and I will iterate on the
>             current question set.
>
>              
>
>             On Tue, Jun 30, 2015 at 7:52 AM, Christine Runnegar
>             <runnegar@isoc.org <mailto:runnegar@isoc.org>> wrote:
>
>                 Thank you Greg and Joe for all your work on this.
>
>                 One suggestion at the PING call last week is to use at
>                 least some of the time at the PING meeting alongside
>                 IETF (Thursday 23 July - during the lunch break) to
>                 progress this work further.
>
>                 In the meantime, everyone, please continue to share
>                 your thoughts on the draft as well as the feedback
>                 from Greg and Joe.
>
>                 Christine and Tara
>
>
>                 > On 24 Jun 2015, at 3:34 pm, Greg Norcie
>                 <gnorcie@cdt.org <mailto:gnorcie@cdt.org>> wrote:
>                 >
>                 > Hi all,
>                 >
>                 > Myself and Joe Hall have been working on a rewrite of the
>                 TAG security questionnaire[1], which incorporates
>                 privacy concerns as well as security concerns. (For
>                 example, we include some of the questions raised by
>                 Nick in his privacy questionnaire.[2])
>                 >
>                 > We also split the questionnaire into a security
>                 section and a privacy section (with the implication
>                 all new standards should enumerate their privacy
>                 impacts as well as their security impacts.)
>                 >
>                 > The goal is that for each question, there will
>                 eventually be an explanation and a concrete, real
>                 world example.
>                 >
>                 > [1] https://w3ctag.github.io/security-questionnaire/
>                 > [2]
>                 https://lists.w3.org/Archives/Public/public-privacy/2013AprJun/0004.html
>                 >
>                 > I've attached a .odt outlining our proposed
>                 questions, as well as a PDF in case you don't have an
>                 ODT capable editor installed. (I recommend Libreoffice)
>                 > --
>                 > /***********************************/
>                 > Greg Norcie (norcie@cdt.org <mailto:norcie@cdt.org>)
>                 > Staff Technologist
>                 > Center for Democracy & Technology
>                 > 1634 Eye St NW Suite 1100
>                 > Washington DC 20006
>                 > (p) 202-637-9800 <tel:202-637-9800>
>                 > PGP: http://norcie.com/pgp.txt
>                 >
>                 > Fingerprint:
>                 > 73DF-6710-520F-83FE-03B5
>                 > 8407-2D0E-ABC3-E1AE-21F1
>                 >
>                 > /***********************************/
>
>                 > <PingPrivSecQs.pdf><PingPrivSecQs.odt>
>

Received on Thursday, 2 July 2015 15:43:33 UTC