RE: Walk through a paradigmatic privacy review in 'public' (TPAC)?

I agree teaching how to fish makes sense.  Would it be worth reaching out to IAPP for a possible training session?  I am on the programming committee for the upcoming event in IAPP PSR (Privacy.Security.Risk) San Diego in October and can ask.  Would anyone be interested in doing a session if this was possible?

From: Rob van Eijk [mailto:rob@blaeu.com]
Sent: Saturday, May 6, 2017 3:46 AM
To: Nat Sakimura <sakimura@gmail.com>; David Singer <singer@apple.com>; public-privacy@w3.org
Subject: RE: Walk through a paradigmatic privacy review in 'public' (TPAC)?

>> is there a ‘paradigmatic review’ which would help educate the community what it’s like to think about privacy issues?
Obviously, scholars and standardization bodies have been working on this topic for many years. For instance the work on contextual privacy by Helen Nissenbaum, and the ISO 29100 series. I believe that a paradigmatic review could include the following activities:
- identify privacy risks in the context of the application of the technology,
- identify actors and their responsibilities,
- focus on privacy risks to the users concerned,
- focus on the risks stemming from the sensitivity of the data in relation to the harm the data may cause to the users concerned, e.g., when data is used outside of the intended context,
- identify (potential) adequate controls for each matching risk,
- make residual risks (identified risks without adequate mitigation) explicit.

For instance, the review of the RFID [1] is IMHO still interesting. It was published in 2011. Annex III (pp. 14-16) of the RFID-pia framework [1] contains a list of examples of privacy risks. The examples were identified under the EU 95/46 framework for processing personal data (annex II, p. 13).

Rob

[1] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp180_annex_en.pdf


-----Original message-----
From: Nat Sakimura
Sent: Saturday, May 6 2017, 11:36 am
To: David Singer; public-privacy@w3.org
Subject: Re: Walk through a paradigmatic privacy review in 'public' (TPAC)?


Sounds like a good idea. In another forum, the privacy committee there is being flooded by requests for privacy reviews now, and that is simply not sustainable, and they started thinking about "teaching how to fish" rather than bringing them fish. It would be good to start the effort before it gets too late.

Nat

On Fri, May 5, 2017 at 4:06 AM David Singer <singer@apple.com> wrote:
Hi

the question has come up whether we should consider ‘teaching the community to fish’ by talking through some horizontal reviews (privacy, security, i18n, accessibility) in TPAC briefly, so as to illuminate how to look at specs and think about the issues.

would there be interest from PING in doing that?  is there a ‘paradigmatic review’ which would help educate the community what it’s like to think about privacy issues?

David Singer
Manager, Software Standards, Apple Inc.

--

Nat Sakimura

Chairman of the Board, OpenID Foundation

Received on Saturday, 6 May 2017 15:47:00 UTC