Re: Change proposal: De-identification (including unlinkability)

Also being friendly, a few points:

a) having defined 'tracking data' as data that can be linked to a user etc., I'd like to say that it cannot be, or be made into, "tracking data" rather than the end of the sentence.

b) we seem to be having a lot of debate about 'yellow' state, and I am not sure it's relevant to the spec., though it may be to best practices.  From a spec. point of view, either the data identifies, or can be linked to, someone, or it can't.  The former is tracking data, and is controlled; the latter is not.

c) I think we need to hold companies to a standard of de-identification (or de-linking, if you prefer that term) that was considered adequate *at the time the de-id occurred*.  It's not reasonable to hold de-identification done in 2005 to the state of art in 2015, for example.  "You knew this was inadequate at the time you did it" seems a needed attitude to criticize someone.

d) On the other hand, I think we need to say something about data which was de-id'd to the state of the art at the time it was de-id'd, but something happened such that the data is no longer considered reasonably de-id'd (there was a data leak, a technique was found, and so on).  I'm not sure what that is; we can't ask companies to undo the past.  Perhaps "If data that was de-identified, and thus made into non-tracking data, is later discovered or shown to be identifiable, the party MUST take commercially reasonable steps to mitigate the problem, by de-identifying it further or deleting it, and securing it from further exposure or sharing."?

On Jul 3, 2013, at 7:27 , Rob van Eijk <rob@blaeu.com> wrote:

> 
> Peter,
> 
> I added the following change proposal to the wiki: www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Deidentification
> 
> De-identification (including unlinkability)
> 
> Friendly amendment from Rob van Eijk to proposal by Dan Auerbach:
> 
> Data is de-identified when a party, including the party that collected the data:
> 
> * has taken reasonable steps to ensure that the data has been deleted, modified, aggregated, anonymized, made unlinkable or otherwise manipulated in order to achieve a reasonable level of justified confidence that the data cannot reasonably be used to infer information about, or otherwise be linked to, a particular user, user agent, or device;
> 

David Singer
Multimedia and Software Standards, Apple Inc.

Received on Wednesday, 3 July 2013 22:06:53 UTC