- From: Nat Sakimura <sakimura@gmail.com>
- Date: Tue, 9 May 2017 04:47:28 +0900
- To: David Singer <singer@apple.com>
- Cc: Rob van Eijk <rob@blaeu.com>, "public-privacy (W3C mailing list)" <public-privacy@w3.org>
- Message-ID: <CABzCy2DyvpUM0iNDMfGQ6cqo4af6p1z8STzdff8J_aUt3tjfYA@mail.gmail.com>
+1 Our goal in fact is "how to create a good fishing field" but we have to teach how to fish before that :-)

On May 8, 2017 7:30 PM, "David Singer" <singer@apple.com> wrote:

> > On May 6, 2017, at 3:46 , Rob van Eijk <rob@blaeu.com> wrote:
> >
> >> is there a ‘paradigmatic review’ which would help educate the community what it’s like to think about privacy issues?
> >
> > Obviously, scholars and standardization bodies have been working on this topic for many years.
>
> I think we’re at cross purposes. I am wondering if there is some value of having a short session at TPAC where we take a recent spec. that’s worked its way through the consortium, and went through PING for privacy review, and explain to the consortium “how did we do the privacy review of this spec.”. Demonstrate how to go about thinking of a privacy review, and how to write a privacy considerations section. We somehow need to get it to the point that the privacy experts are verifying that the privacy considerations section, and the privacy thought in the specs., are good, not that we’re doing privacy-thinking post-facto. We have to have ‘good privacy’ part of the design process, not part of the review.
>
> So I would like to work through an example spec. and how the privacy considerations ended up being written, as a way to show/teach people how to fish for themselves. The model where a small interest group does the privacy review post-facto is unsustainable, IMHO, for two reasons: (a) the group is too small and (b) the ‘wide review’ stage is waaay too late to be thinking about privacy implications.
>
> Makes sense?
>
> > For instance the work on contextual privacy by Helen Nissenbaum, and the ISO 29100 series. I believe that a paradigmatic review could include the following activities:
> >
> > - identify privacy risks in the context of the application of the technology
> > - identify actors and their responsibilities,
> > - focus on privacy risks to the users concerned,
> > - focus on the risks stemming from the sensitivity of the data in relation to the harm the data may cause to the users concerned, e.g., when data is used outside of the intended context,
> > - identify (potential) adequate controls for each matching risk,
> > - make residual risks (identified risks without adequate mitigation) explicit.
> >
> > For instance, the review of the RFID [1] is IMHO still an interesting. It was published in 2011. Annex III (pp. 14-16) of the RFID-pia framework [1] contains a list of examples of privacy risks. The examples were identified under the EU 95/46 framework for processing personal data (annex II, p. 13).
> >
> > Rob
> >
> > [1] http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp180_annex_en.pdf
> >
> > -----Original message-----
> > From: Nat Sakimura
> > Sent: Saturday, May 6 2017, 11:36 am
> > To: David Singer; public-privacy@w3.org
> > Subject: Re: Walk through a paradigmatic privacy review in 'public' (TPAC)?
> >
> > Sounds like a good idea. In another forum, the privacy committee there is being flooded by the request for privacy reviews now and that is simply not sustainable and started thinking about "teaching how to fish" rather than bringing them fish. It would be good to start the effort before it gets too late.
> >
> > Nat
> >
> > On Fri, May 5, 2017 at 4:06 AM David Singer <singer@apple.com> wrote:
> > Hi
> >
> > the question has come up whether we should consider ‘teaching the community to fish’ by talking through some horizontal reviews (privacy, security, i18n, accessibility) in TPAC briefly, so as to illuminate how to look at specs and think about the issues.
> >
> > would there be interest from PING in doing that? is there a ‘paradigmatic review’ which would help educate the community what it’s like to think about privacy issues?
> >
> > David Singer
> > Manager, Software Standards, Apple Inc.
> >
> > --
> > Nat Sakimura
> >
> > Chairman of the Board, OpenID Foundation
>
> David Singer
> Manager, Software Standards, Apple Inc.
Received on Monday, 8 May 2017 19:48:03 UTC