Re: clarifying distinctions on ISSUE-24 (security/fraud)

On Jul 16, 2013, at 3:52 PM, Nicholas Doty wrote:

> Hi John and Roy,
> I just wanted to clarify some distinctions for your change proposal on security/fraud permitted use:
> One key difference is certainly adding the definition of graduated response and stating that it is preferred. There are a couple of other distinctions from the Editors' Draft text, and I wasn't sure how essential they are to the proposal. (If we can consolidate proposals, that will make the groups' decision-making easier.)
> 1. To the extent reasonably necessary vs. to the extent proportionate and reasonably necessary:
> I believe the "proportionate" language came out of some concerns from our EU colleagues. Would you agree with including proportionate as well? In that case, I think the graduated-response-is-preferred language would explain the concept nicely.

My guess is that what you mean by proportionate is the amount
of data retained?  I don't see how that is relevant here.
EU laws don't have any notion of retaining a proportion of
data relevant to security, AFAIK, and prosecution in the US
would require complete retention of the applicable data.

In any case, I think this is already covered by limiting the
permitted use to what is reasonably necessary.  If, in fact,
we do encounter a situation where disproportionate data
collection, retention, or use is also reasonably necessary,
then I can assure the WG that the service will continue to
collect that data regardless of DNT.  To do anything else
would invite attackers to send DNT:1 just to obtain the path
of least protection.

There is no incentive for companies to collect more data for
this permitted use than necessary because the suggested text
also restricts how the collected data can be used:
"provided that such data is not used for operational behavior
(profiling or personalization) beyond what is reasonably necessary
to protect the service or institute a graduated response".

> 2. "malicious, deceptive, fraudulent, or illegal activity" vs. "security risks and fraudulent or malicious activity"
> Is deceptive necessary here? Would deceptive include use of anonymizing proxies, onion routing, or other network-related privacy measures? Or is it just aimed at malicious deception (like fraudulent automated impressions, say)?

Hiding the origin of a request is not deception.  Claiming a
request is coming from an intranet host (via IP spoofing or
Referer/Origin rewriting) would be deceptive if the request
is actually received from some other network or referring site.
Whether a given anonymizing proxy is being deceptive or not
will depend on what it sends; most simply hide what is behind
the proxy by removing data, rather than sending false data.

It is often the case that we need to perform data collection
just for the sake of providing fair queueing of non-malicious
requests; e.g.,

In many cases, we don't know if traffic is malicious,
fraudulent, or even illegal until several pages after the
start of tracking.  Again, the privacy protection here is
with regard to how the data can be used and how long it can be

A lot of people assume that DNT is only going to affect advertising.
While that is certainly where the money has been talking, my
concerns are about third party subrequests in general, including
the use of shared UI frameworks at well-known locations (e.g.,
common URIs for CSS or jQuery that are shared by many sites to
reduce average initial latency) and the use of security services
that do not qualify as service providers because they use patterns
derived from data sent to multiple unaffiliated sites.

The extent of what is reasonably necessary tracking for the
permitted use of security is going to vary depending on what
service is being protected and what attacks are encountered,
which in turn will vary over time.  I don't think it is useful
for the WG to claim that this can be further limited by DNT.


> Thanks,
> Nick

Received on Wednesday, 17 July 2013 01:07:15 UTC