RE: ACTION-408 - security & fraud proposed text - Section 6.2.

I agree and actually would add validating user access and preventing account
takeovers (being user-specific vs. server).  For example, a user signing in
from an IP address in another country.


That said, being from the security community, at times we distinguish malicious
from fraudulent.

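The account-takeover signal mentioned above (a sign-in from an IP address in a country the account has not used before) can be checked with a small amount of retained state. The following is an added example and is not part of this thread or of any W3C text; the log line format, the IP-to-country table (a stand-in for a GeoIP database) and the events are all constructed here for illustration. Per user it retains only the set of countries seen and the most recent sign-in, which keeps the retained data small, and it also marks a new-country sign-in as "rapid" when it follows a sign-in from a different country within a few hours (unlikely travel), which is the case where the service would most plausibly alter the user's experience, for example by requiring a second factor.

```python
"""Added example: flag sign-ins from a country the account has not used before.

Illustrative code, not from the mailing-list discussion or any W3C document.
The log format, the IP-to-country table and the events below are constructed
for the example; a real deployment would read its own authentication logs and
resolve addresses with a GeoIP database.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed IP-to-country table (assumption: stands in for a GeoIP lookup).
COUNTRY_BY_NETWORK = [
    (ip_network("203.0.113.0/24"), "US"),
    (ip_network("198.51.100.0/24"), "US"),
    (ip_network("192.0.2.0/24"), "DE"),
]


def country_for(ip: str) -> str:
    """Map an address to a country code; '??' when the table has no entry."""
    addr = ip_address(ip)
    for net, cc in COUNTRY_BY_NETWORK:
        if addr in net:
            return cc
    return "??"


@dataclass
class Login:
    ts: datetime
    user: str
    ip: str
    country: str


def parse_line(line: str) -> Login:
    """Parse the constructed format '<ISO timestamp> login user=<name> ip=<addr>'."""
    ts_str, _, rest = line.partition(" login ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return Login(datetime.fromisoformat(ts_str), fields["user"],
                 fields["ip"], country_for(fields["ip"]))


def flag_new_country_logins(lines, window=timedelta(hours=6)):
    """Return one alert per sign-in from a country the user has never used.

    Retained state per user is only the set of countries seen and the last
    sign-in; no per-event history is kept.  An alert is 'rapid' when the
    previous sign-in, from a different country, was less than `window` ago.
    """
    seen = defaultdict(set)   # user -> countries previously signed in from
    last = {}                 # user -> most recent Login
    alerts = []
    for login in sorted((parse_line(l) for l in lines), key=lambda x: x.ts):
        prev = last.get(login.user)
        # First sign-in ever for a user only establishes the baseline.
        if seen[login.user] and login.country not in seen[login.user]:
            rapid = prev is not None and (login.ts - prev.ts) < window
            alerts.append({
                "user": login.user,
                "ts": login.ts.isoformat(),
                "from": prev.country if prev else None,
                "to": login.country,
                "rapid": rapid,
            })
        seen[login.user].add(login.country)
        last[login.user] = login
    return alerts


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2013-06-12T09:00:00 login user=alice ip=203.0.113.5",   # alice, US (baseline)
    "2013-06-12T09:30:00 login user=bob ip=192.0.2.10",      # bob, DE (baseline)
    "2013-06-12T11:00:00 login user=alice ip=198.51.100.7",  # alice, US again: no alert
    "2013-06-12T12:15:00 login user=alice ip=192.0.2.44",    # alice, DE 75 min later: rapid
    "2013-06-13T08:00:00 login user=bob ip=203.0.113.9",     # bob, US ~22 h later: new, not rapid
]

if __name__ == "__main__":
    for alert in flag_new_country_logins(SAMPLE_LOG):
        print(alert)
```

The two alerts this produces differ in what a service could reasonably do with them: alice's US-to-DE change within 75 minutes is the case for a step-up check before granting access, while bob's change a day later is a weaker signal that might only warrant a notification.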

From: Chris Mejia
Sent: Wednesday, June 12, 2013 1:34 PM
To: Dan Auerbach
Cc: W3C DNT Working Group Mailing List; David Wainberg - AppNexus; Mike
Zaneis; Marc Groman - NAI; Lou Mastria - DAA; Nicholas Nick Doty - W3C;
Peter Swire - W3C TPWG Co-Chair
Subject: Re: ACTION-408 - security & fraud proposed text - Section 6.2.


Dan, respectfully, I don't appreciate the assertion that I have been
unnecessarily "verbose", imprecise, or ill-tailored in proposing my draft
language to the working group for consideration.  Those are all baseless
arguments.  I've explained to you in detail, in our back-and-forth
discussions before the due date for this action item, why my constituency
(industry security professionals) felt it necessary to include the language
I've included.  Despite my detailed explanations to you, you've really only
replied with "it's too verbose".  So if you disagree with the actual merits
of my positions, or the merits of the proposed text, let's hear that.
Otherwise, I think we are largely in agreement on substance, and you'll be
OK with my proposed language.

Chris Mejia
Digital Supply Chain Solutions
Ad Technology Group
Interactive Advertising Bureau - IAB


On Jun 12, 2013, at 2:32 PM, Dan Auerbach wrote:

We largely agree, but Chris's text was not agreed to be the version we sent
out. But here's my version, which I think is more precise, appropriately
tailored, and less verbose:

Detection and Prevention of Malicious or Invalid Activity

Information may be collected, retained and used to the extent reasonably
necessary for detecting and preventing malicious or invalid activity.
Information related to malicious or invalid activity may furthermore be
retained if necessary for particular civil actions being pursued, or for
particular criminal investigations that are in process. This information may
be used to alter the user's experience in order to reasonably keep a service
secure or prevent malicious or invalid activity. 

The term "malicious or invalid activity" means: 
    (a) invalid Web traffic (for instance bot activity generating
impressions or clicks), 
    (b) bogus, malicious or automated sign ups or form submissions, 
    (c) attacks intended to disrupt the availability of a service, 
    (d) malicious intrusions into corporate networks, 
    (e) fraud prevention, or 
    (f) abuse of a service in a way that harms the integrity or security of
a service or the security of the users of a service.

On 06/12/2013 09:17 AM, Chris Mejia wrote:

David Wainberg, Dan Auerbach and I worked on this draft text.  I'm
submitting it now for consideration by the wider group, as there were only
small gaps between Dan and our text proposals.


-- Detection, Prevention or Prosecution of Malicious, Nefarious or
Invalid Activity


Data may be collected, retained and used to the extent reasonably necessary
for detecting and/or preventing malicious, nefarious or disingenuous
activity. Additionally, data related to malicious, nefarious or disingenuous
activity may be retained when reasonably necessary to support civil or
criminal prosecution of parties that conduct, support or perpetuate
malicious, nefarious or disingenuous activity. This data may also be used to
alter the user's experience in order to preserve or bolster the security of
a site/service/user(s), or to prevent malicious, nefarious or disingenuous


The term "malicious, nefarious or disingenuous activity" means: 

    (a) disingenuous Web traffic/server requests (for example: non-human
activity generating bogus server requests, ad-impressions or clicks);

    (b) bogus, malicious, automated or non-human Web-form submissions;

    (c) attacks intended to disrupt a site, service or user experience;

    (d) malicious or nefarious intrusions, or attempts to intrude into
private or corporate networks;

    (e) fraudulent activity, including any activity whose purpose is to
defraud a site, service or users of a site or service;

    (f) any activity that is reasonably determined to abuse, or attempts to
abuse, a site/service/user in any way.

Received on Wednesday, 12 June 2013 20:49:15 UTC