Re: summary: data retention call

Shane,

I disagree, and think that the WG should arrive at reasonable time
frames to guide companies. To make that as data driven as possible,
sharing information with the group would of course go a long way,
especially if the time frames are data driven within a company (for
example: I would hope that folks in the WG at companies would ask their
fraud engineers to provide them with hard numbers on how much invalid
activity gets caught after the ad event happens, broken down in a
granular way (by minutes, hours, days, say), to arrive at a sensible
internal retention period).

I disagree that transparency alone will provide incentives to compete on
retention periods. I don't see a way forward, but I think our respective
positions on the matter are clear.

Thanks,
Dan

On 06/03/2013 04:15 PM, Shane Wiley wrote:
> Dan,
>
> Some of us had discussed this in Sunnyvale and we had agreed to always provide transparency so there was no need for an arbitrary retention timeframe in normative text (the "SHOULD" proposed by Aleecia and team).  The danger of arbitrary timeframes is that they're not data driven, don't express all online business models, and would likely be defined so low as to not provide any value for most implementers (meaning we'd be back to most everyone providing transparency).  So to short-cut the situation, we've agreed to simply always provide transparency - no matter the timeframe.
>
> - Shane
>
> -----Original Message-----
> From: Dan Auerbach [mailto:dan@eff.org] 
> Sent: Monday, June 03, 2013 3:33 PM
> To: public-tracking@w3.org
> Subject: Re: summary: data retention call
>
> On 06/03/2013 01:49 PM, Thomas Roessler wrote:
>> We met today to further discuss data retention for permitted uses, following up on the lunch table discussion in Sunnyvale.
>>
>>
>>
>> Minutes are available:
>> 	http://www.w3.org/2013/06/03-dnt-minutes.html
>>
>>
>> 1. Points of general agreement from the face-to-face:
>>
>> - third parties must provide public transparency re: retention for 
>> permitted uses
>> - there could be different retention periods for different Permitted 
>> Uses
>> - post retention period, data is destroyed or otherwise rendered anonymous / deidentified / ...
>> - there is disagreement about a proposal to normatively include 
>> specific numbers
> It wasn't discussed so much in the meeting, but just to clarify the position that I have (and believe to be Aleecia's position too): we are not suggesting that normative language is used to force retention numbers; instead, the idea is to have guiding numbers with the carve-out that companies who need longer periods need merely to disclose that, and possibly provide a bit of justification in their privacy policies.
>
>> There was also agreement in Sunnyvale that data retention for permitted uses must be proportionate, though I forgot to mention that point on the call.
>>
>>
>> 2. Transparency for retention periods
>>
>> - agreement that disclosures should say "data XYZ is retained for permitted use UVW for time ABC"
>> - agreement that the nature of "data XYZ" should be somewhere in the middle between P3P-type granularity and "we keep data about the user"
>> - disagreement what that looks like exactly
>> - disagreement whether data currently shared in privacy policies is 
>> adequate
>>
>> As a follow-up item, if people can give a sense what additional data might be useful (while staying in "middle ground" territory), or what else they think might be needed to get closer to consensus, then that would be useful to put on the table.
>>
>>
>> 3. Information sharing within the group
>>
>> - Dan Auerbach called out financial logging, audit, security as permitted uses where he thought more data might be needed; frequency capping probably ok.
>> - sentiment from industry participants that they would expect to share 
>> the same data within the group as in public
>> - Offered W3C staff anonymizing information, or providing a W3C member confidential forum for additional information sharing.
>> - General preference for private 1:1 conversations over any of these, therefore not pursuing further.
> My preference is for companies to share publicly. But in light of clear signals that this won't happen, I think 1:1 is the only way towards potentially useful information sharing.
>>
>> 4. Numbers or not?
>>
>> Time was up; we'll reconvene specifically on this point.
>>
>> Thomas Roessler, W3C <tlr@w3.org> (@roessler)

Received on Monday, 3 June 2013 23:33:34 UTC