XPost to TPWG-announce list: [Fwd: Issue 24 - Consensus] from mts-std@schunter.org on 2013-10-23 (public-tracking-announce@w3.org from October 2013)

From: <mts-std@schunter.org>
Date: Wed, 23 Oct 2013 00:59:51 -0700
To: public-tracking-announce@w3.org
Message-ID: <f0cf391809599676c016d5333184a9ad.squirrel@webmail.schunter.org>

---------------------------- Original Message ----------------------------
Subject: Issue 24 - Consensus
From:    "Carl Cargill" <cargill@adobe.com>
Date:    Tue, October 22, 2013 6:41 pm
To:      "public-tracking@w3.org (public-tracking@w3.org)"
<public-tracking@w3.org>
--------------------------------------------------------------------------


All -

On the teleconference on October 9th we found consensus on a change
proposal for issue-24 related to security and fraud prevention, including
acceptance from the authors of the other change proposals on that topic.

http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Security#Proposal_.282.29:_Add_retention_for_prosecution.2C_but_exclude_from_operational_use
https://www.w3.org/2011/tracking-protection/track/issues/24

Change proposal includes the following replacement text:

> Regardless of the tracking preference expressed, data MAY be collected,
retained, and used to the extent reasonably necessary to  detect
security incidents, protect the service against malicious, deceptive,
fraudulent, or illegal activity, and prosecute those responsible for
such activity, provided that such data is not used for operational
behavior (profiling or personalization) beyond what is reasonably
necessary to protect the service or institute a graduated response.
>
> When feasible, a graduated response to a detected security incident is
preferred over widespread data collection. An example would be recording
all use from a given IP address range, regardless of DNT signal, if the
party believes it is seeing a coordinated attack on its service (such as
click fraud) from that IP address range. Similarly, if an attack shared
some other identifiable fingerprint, such as a combination of User Agent
and other protocol information, the party could retain logs on all
transactions matching that fingerprint until it can be determined that
they are not associated with such an attack or such retention is no
longer necessary to support prosecution.

Editors, please update the document with this proposal. The issue is
marked pending review and we plan to close the issue in two weeks
(November 5th).

Sincerely,


Carl

Carl Cargill
Principal Scientist, Standards
Adobe Systems
Cargill@adobe.com
Office: +1 541 488 0040
Mobile: +1 650 759 9803
@AdobeStandards
http://blogs.adobe.com/standards

Attachments

text/html attachment: untitled-_2_

Received on Wednesday, 23 October 2013 08:00:16 UTC