Re: PROV-AQ security (privacy) considerations from Yolanda Gil on 2012-11-07 (public-prov-wg@w3.org from November 2012)

From: Yolanda Gil <gil@isi.edu>
Date: Tue, 6 Nov 2012 17:12:37 -0800
To: Graham Klyne <GK@ninebynine.org>
Cc: W3C provenance WG <public-prov-wg@w3.org>
Message-Id: <71791808-2CDF-41B5-AD80-2BC9795E130C@isi.edu>

Hi Graham,

Privacy is indeed an important issue, I am very happy that you tracked  
this.  We collected several use cases from the community during the  
Provenance Incubator that brought up provenance issues, in particular:

http://www.w3.org/2005/Incubator/prov/wiki/Use_Case_Report#Anonymous_Information
http://www.w3.org/2005/Incubator/prov/wiki/Use_Case_Report#Provenance_and_Private_Data_Use
http://www.w3.org/2005/Incubator/prov/wiki/Use_Case_Report#Fulfilling_Contractual_Obligations

We reflected privacy concerns in one of the three driving scenarios  
that we synthesized out of the use cases:

http://www.w3.org/2005/Incubator/prov/wiki/Analysis_of_Business_Contract_Scenario

Based on the discussions we had on the above, the text that you  
propose makes sense to me.  If anything, I'd add a sentence at the end:

"Provenance management systems can provide mechanisms for enforcement  
and auditing of privacy policies."

Thanks,

Yolanda


Yolanda Gil, USC/ISI
+1-310-448-8794



On Nov 6, 2012, at 6:35 AM, Graham Klyne wrote:

> I'm working through some outstanding TODO issues in PROV-AQ.
>
> There are some notes for discussion of potential privacy concerns.  
> Based on these notes, I've drafted the following, which might be  
> controversial:
>
> [[
>        Provenance information may provide a route for leakage of  
> privacy-related information, combining as it does a diversity of  
> information types with possible personally-identifying information;  
> e.g. editing timestamps may provide clues to the working patterns of  
> document editors, or derivation traces might indicate access to  
> sensitive materials.  In particular, note that the fact that a  
> resource is openly accessible does not mean that its provenance  
> information should also be.  When publishing provenance, its  
> sensitivity should be considered and appropriate access controls  
> applied where necessary.  When a provenance-aware publishing service  
> accepts some resource for publication, the contributors should have  
> some opportunity to review and correct or conceal any provenance  
> information that they don't wish to be exposed.
> ]]
>
> Are there any objections to this?
>
> #g
>

Received on Wednesday, 7 November 2012 01:13:29 UTC