Re: Proportionate Response for Fraud Prevention and Security (ISSUE-24)

Roy, Jonathan, Shane, 

On Wednesday 14 March 2012 11:39:55 Shane Wiley wrote:
> Please understand these activities are to PROTECT users and businesses alike
> (depends on the attack).  I'm hopeful we don't purposely create real risk
> of harm to users in our attempts to "lock down" the DNT standard.

Security vs. privacy is a big classic in data protection. Our forefathers of
data protection in the seventies said that good data protection requires
more secure systems that also protect against abuse of personal information. So
they tried to harmonize security and data protection.

On the one hand, I have a lot of sympathy with Roy warning us about opening that can
of worms. I would be very reluctant to include security-related provisions
in the two Specifications. On the other hand, I also have a lot of sympathy
for the suggestion to use the present expertise to offer some privacy
suggestions for the fraud-fighters in the Web's payment channel.

Because PROTECT is relative. I'm pretty sure that Assad claims to PROTECT
Syria. So only saying "protect" as a use limitation doesn't save our lives
here. A best practices document on fraud protection for ad companies would be
cool. This could determine unnecessary data collection and identify doubtful
sharing practices that would allow abuse of the data collected for fraud
protection. In one word, make fraud protection for the web smarter to some
extent, privacy-wise. And I think that in a second generation, we could have
a framework where a service agrees to back down a bit because the users have
decided (via DNT) not to be as highly secured because they favor privacy in a
given context.

Best,

Rigo

Received on Thursday, 15 March 2012 09:20:29 UTC