- From: Greg Norcie <gnorcie@cdt.org>
- Date: Wed, 30 Mar 2016 08:04:33 -0400
- To: "Lukasz Olejnik (W3C)" <lukasz.w3c@gmail.com>
- Cc: "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Message-ID: <CAMJgV7Zp8TPb+a7kZsmA0Pwb3oacYj27nEEG98CiYWo=forrog@mail.gmail.com>
Hi Lukasz,

I took an initial look at your report. Before I start giving specific feedback, could you fill me in a little on your goals for this document?

Is this meant to be a comprehensive list of privacy concerns in the APIs it mentions, or a more general case study of privacy concerns?

Any sort of "report" on a specific set of issues will quickly go out of date - however a more general case study, where standards writers can see some real examples of API privacy failures could be a great tool to help people threat model.

You might want to consider re-organizing so that it's less of an Intro -> Discussion -> Conclusion format to something a little less scientific, with more of a focus on describing the standards, their privacy issues, the impacts of those issues, and maybe a concluding section helping non-privacy experts spot the common themes.

/********************************************/
Greg Norcie (norcie@cdt.org)
Staff Technologist
Center for Democracy & Technology
District of Columbia office
(p) 202-637-9800
PGP: http://norcie.com/pgp.txt

*CDT's Annual Dinner (Tech Prom) is April 6, 2016. Don't miss out! Learn more at https://cdt.org/annual-dinner*
/*******************************************/

On Tue, Mar 29, 2016 at 10:34 AM, Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com> wrote:

> Hi Greg,
>
> No timeline, take your time.
>
> But I'm looking forward to feedback, hopefully we might bake something
> good and perhaps not entirely expected ;)
>
> Best
> Lukasz
>
> 2016-03-29 16:21 GMT+02:00 Greg Norcie <gnorcie@cdt.org>:
>
>> Hi Lukasz,
>>
>> Thanks for reaching out, we really appreciate it. We're happy to help.
>>
>> Do you have a timeline for when you'll need comments by?
>>
>> /********************************************/
>> Greg Norcie (norcie@cdt.org)
>> Staff Technologist
>> Center for Democracy & Technology
>> District of Columbia office
>> (p) 202-637-9800
>> PGP: http://norcie.com/pgp.txt
>>
>> *CDT's Annual Dinner (Tech Prom) is April 6, 2016. Don't miss out! Learn
>> more at https://cdt.org/annual-dinner*
>> /*******************************************/
>>
>> On Tue, Mar 29, 2016 at 5:49 AM, Lukasz Olejnik (W3C) <lukasz.w3c@gmail.com> wrote:
>>
>>> Dear all!
>>>
>>> I am working on a sensors privacy (impact, risk, ...) assessment for a
>>> while now. And I think now it has little sense to withhold it for any
>>> longer, as most of the work I did some time ago, anyway.
>>>
>>> It is primarily intended for Device APIs WG (DAP), with whom I have the
>>> pleasure to work on the privacy aspects of sensors API.
>>>
>>> I invite you to take a look at the document [1]. I hope it will be
>>> useful, and I primarily hope this can be an appropriate starting input in
>>> privacy considerations of sensors.
>>> Often, as indicated in the PDF report, even perhaps far-fetched
>>> scenarios are considered. Same for cross-device risks, where plausible
>>> scenario could be pointed to.
>>>
>>> As advised in private correspondence with (and by), Tobie Langel (DAP),
>>> it would be good if specific pull(s) request(s) follow. I'll look into that
>>> next.
>>>
>>> Also of note. It is not included in the PDF (should it?), but I believe
>>> it is worthy to require a secure (i.e. TLS) connection for having access to
>>> sensors ('secure contexts') - all of them, generically and just like that.
>>> I can't imagine a scenario where this could cause any issues, apart from
>>> the need to set up a TLS, that is.
>>>
>>> I also highlight my view and want to ask a question. Can W3C give
>>> guidance/recommendation/note regarding the transparency UIs (sometimes
>>> called "privacy user interface")? A method for a straightforward
>>> user-verification of: what/how was being used, how frequent, etc.
>>>
>>> Please, enjoy ;-)
>>>
>>> Best regards
>>> Lukasz Olejnik
>>>
>>> [1] http://lukaszolejnik.com/SensorsPrivacyReport.pdf

Received on Wednesday, 30 March 2016 12:06:08 UTC