- From: Shane Wiley <wileys@yahoo-inc.com>
- Date: Mon, 3 Jun 2013 23:15:22 +0000
- To: Dan Auerbach <dan@eff.org>, "public-tracking@w3.org" <public-tracking@w3.org>
Dan, Some of us had discussed this in Sunnyvale and we had agreed to always provide transparency so there was no need for an arbitrary retention timeframe in normative text (the "SHOULD" proposed by Aleecia and team). The danger of arbitrary timeframes is that they're not data driven, don't express all online business models, and would likely be defined so low as to not provide any value for most implementers (meaning we'd be back to most everyone providing transparency). So to short-cut the situation, we've agreed to simply always provide transparency - no matter the timeframe. - Shane -----Original Message----- From: Dan Auerbach [mailto:dan@eff.org] Sent: Monday, June 03, 2013 3:33 PM To: public-tracking@w3.org Subject: Re: summary: data retention call On 06/03/2013 01:49 PM, Thomas Roessler wrote: > We met today to further discuss data retention for permitted uses, following up on the lunch table discussion in Sunnyvale. > > > > Minutes are available: > http://www.w3.org/2013/06/03-dnt-minutes.html > > > 1. Points of general agreement from the face-to-face: > > - third parties must provide public transparency re: retention for > permitted uses > - there could be different retention periods for different Permitted > Uses > - post retention period, data is destroyed or otherwise rendered anonymous / deidentified / ... > - there is disagreement about a proposal to normatively include > specific numbers It wasn't discussed so much in the meeting, but just to clarify the position that I have (and believe to be Aleecia's position too): we are not suggesting that normative language is used to force retention numbers; instead, the idea is to have guiding numbers with the carve-out that companies who need longer periods need merely to disclose that, and possibly provide a bit of justification in their privacy policies. > > There was also agreement in Sunnyvale that data retention for permitted uses must be proportionate, though I forgot to mention that point on the call. > > > 2. Transparency for retention periods > > - agreement that disclosures should say "data XYZ is retained for permitted use UVW for time ABC" > - agreement that the nature of "data XYZ" should be somewhere in the middle between P3P-type granularity and "we keep data about the user" > - disagreement what that looks like exactly > - disagreement whether data currently shared in privacy policies is > adequate > > As a follow-up item, if people can give a sense what additional data might be useful (while staying in "middle ground" territory), or what else they think might be needed to get closer to consensus, then that would be useful to put on the table. > > > 3. Information sharing within the group > > - Dan Auerbach called out financial logging, audit, security as permitted uses where he thought more data might be needed; frequency capping probably ok. > - sentiment from industry participants that they would expect to share > the same data within the group as in public > - Offered W3C staff anonymizing information, or providing a W3C member confidential forum for additional information sharing. > - General preference for private 1:1 conversations over any of these, therefore not pursuing further. My preference is for companies to share publicly. But in light of clear signals that this won't happen, I think 1:1 is the only way towards potentially useful information sharing. > > > 4. Numbers or not? > > Time was up; we'll reconvene specifically on this pint. > > Thomas Roessler, W3C <tlr@w3.org> (@roessler) > > > > > >
Received on Monday, 3 June 2013 23:16:26 UTC