RE: clarifying distinctions on ISSUE-24 (security/fraud) from Craig Spiezle on 2013-07-17 (public-tracking@w3.org from July 2013)

From: Craig Spiezle <craigs@otalliance.org>
Date: Tue, 16 Jul 2013 18:09:34 -0700
To: "'John Simpson'" <john@consumerwatchdog.org>, "'Lee Tien'" <tien@eff.org>
Cc: "'Nicholas Doty'" <npdoty@w3.org>, <public-tracking@w3.org>
Message-ID: <015701ce828a$4d5e0c70$e81a2550$@otalliance.org>

I made this point a few weeks ago that the view of security was very biased
toward the needs of the ad networks for click fraud and related issues, and
not inclusive of the broader usages of data for fraud and malicious
purposes.  This include account sign up, log ons, contest abuse, credit card
fraud.....



-----Original Message-----
From: John Simpson [mailto:john@consumerwatchdog.org] 
Sent: Tuesday, July 16, 2013 5:59 PM
To: Lee Tien
Cc: Nicholas Doty; public-tracking@w3.org (public-tracking@w3.org)
Subject: Re: clarifying distinctions on ISSUE-24 (security/fraud)


On Jul 16, 2013, at 4:50 PM, Lee Tien <tien@eff.org> wrote:

Lee's approach makes sense and is worth discussing.


> I'm simple-minded, click-fraud seems different from security in the sense
of someone trying to crack into a system or computer.  
> 
> And it appears that companies do different things for the different
threats, e.g. they might retain data longer for security than for
click-fraud, or retain different data.
> 
> So the point of using two rules is to ensure proper scoping.  Each
permitted use requires its own justification and its own
minimization/retention rule.  A bit like NSA/FISA rules that blur national
security and law enforcement purposes, need to maintain the wall.  
> 
> Thanks,
> Lee
> 
> On Jul 16, 2013, at 4:01 PM, Nicholas Doty wrote:
> 
>> Hi Lee,
>> 
>> I understand the key distinction in your change proposal on
security/fraud to be the limiting condition of "reasonable grounds to
believe the user or user agent is presently attempting to [commit
fraud/breach security]". I believe that has been often discussed in the
Working Group and we likely understand what it entails.
>> 
>> But you also proposed separating this into two separate permitted uses,
even though the language is roughly identical between the two. Is this an
editorial suggestion or is that a key substantive consideration for this
proposal? Could you briefly explain your motivations there?
>> 
>> Thanks,
>> Nick
>> 
>> Re:
http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Security#Separate_Fraud_
and_Security_Permitted_Uses
> 
>

Received on Wednesday, 17 July 2013 01:10:05 UTC