David Wainberg, Dan Auerbach and I worked on this draft text. I'm submitting it now for consideration by the wider group, as there were only small gaps between Dan and our text proposals.
--
6.2.2.6 Detection, Prevention or Prosecution of Malicious, Nefarious or Invalid Activity
Data may be collected, retained and used to the extent reasonably necessary for detecting and/or preventing malicious, nefarious or disingenuous activity. Additionally, data related to malicious, nefarious or disingenuous activity may be retained when reasonably necessary to support civil or criminal prosecution of parties that conduct, support or perpetuate malicious, nefarious or disingenuous activity. This data may also be used to alter the user's experience in order to preserve or bolster the security of a site/service/user(s), or to prevent malicious, nefarious or disingenuous activity.
The term "malicious, nefarious or disingenuous activity" means:
(a) disingenuous Web traffic/server requests (for example: non-human activity generating bogus server requests, ad-impressions or clicks);
(b) bogus, malicious, automated or non-human Web-form submissions;
(c) attacks intended to disrupt a site, service or user experience;
(d) malicious or nefarious intrusions, or attempts to intrude into private or corporate networks;
(e) fraudulent activity, including any activity that's purpose is to defraud a site, service or users of a site or service;
(f) any activity that's reasonably determined to abuse, or attempts to abuse a site/service/user in any way.