Re: ACTION-408 - security & fraud proposed text - Section 6.2. from David Wainberg on 2013-06-12 (public-tracking@w3.org from June 2013)

From: David Wainberg <david@appnexus.com>
Date: Wed, 12 Jun 2013 18:44:08 -0400
To: Dan Auerbach <dan@eff.org>
CC: "public-tracking@w3.org" <public-tracking@w3.org>
Message-ID: <51B8F9B8.7060905@appnexus.com>
I should jump in and apologize if there's been miscommunication. I 
hadn't gotten to compiling the text we'd discussed and submitting it to 
the list, as I was tasked to do. Chris offered to jump in and do it, so 
I told him to go ahead. It seems as though we weren't actually all on 
the same page about what should be submitted.

-David

On 6/12/13 6:14 PM, Dan Auerbach wrote:
> Chris,
>
> You, David, and I had a shared action item. The last thread between 
> the three of us ended with an email from me detailing some 
> suggestions. Before that was an email from David with concerns about 
> your language. Instead of engaging with us and trying to finish the 
> action together, you decided to unilaterally send your text out to the 
> group and label it as our shared text, despite the fact that David and 
> I both subsequently proposed revisions after your text was sent out. 
> This is incredibly disrespectful, and put me in a position where I had 
> no choice but to give the group more context about where I stand with 
> respect to your language. It is simply not accurate to label this as 
> the language associated with that open action.
>
> As for the substance of my criticism and your reply, if you'd like, we 
> can email the entire thread to the group so that they can judge who 
> has provided more thoughtful analysis. It is inaccurate to say my 
> criticism amounted to saying "that's too verbose", but rather than 
> rehashing that thread all over again, I'd be happy to send it out with 
> David's consent.
>
> The goal of course would be to come to consensus language first 
> between the three of us, so that the full group could be spared from 
> the discussion, but since you've chosen to forego that path, it seems 
> we have no choice but to lay out both possibilities (as well as 
> David's latest draft, if he wishes) and consider this an unresolved 
> open issue for the group to debate.
>
> If others have particular scenarios that they worry are not covered by 
> the language, I think we definitely should hear them, and include them 
> in whatever text gets finalized.
>
> Dan
>
> On 06/12/2013 01:34 PM, Chris Mejia wrote:
>> Dan, respectfully, I don't appreciate the assertion that I have been 
>> unnecessarily "verbose", imprecise, or ill tailored in proposing my 
>> draft language to the working group for consideration.  Those are all 
>> baseless arguments.  I've explained to you in detail, in our back and 
>> forth discussions before the due date for this action item, why my 
>> constituency (industry security professionals) felt it necessary to 
>> include the language I've included.  Despite my detailed explanations 
>> to you, you've really only replied with "it's too verbose".  So if 
>> you disagree with the actual merits of my positions, or the merits of 
>> the proposed text, let's hear that.  Otherwise, I think we are 
>> largely in agreement on substance, and you'll be ok with my proposed 
>> language.
>>
>> Thanks,
>>
>> Chris
>>
>> ++++++++++++++++++++++++
>> Chris Mejia
>> Digital Supply Chain Solutions
>> Ad Technology Group
>> Interactive Advertising Bureau - IAB
>>
>>
>> On Jun 12, 2013, at 2:32 PM, "Dan Auerbach" <dan@eff.org 
>> <mailto:dan@eff.org>> wrote:
>>
>>> We largely agree but Chris's text was not agreed to be the version 
>>> we sent out. But here's my version, which I think is more precise, 
>>> appropriately tailored, and less verbose:
>>>
>>> /6.2.2.6 Detection and Prevention //of Malicious or Invalid Activity//
>>> //
>>> //Information may be collected, retained and used to the extent 
>>> reasonably necessary for detecting and preventing //malicious or 
>>> invalid //activity. Information related to malicious or invalid 
>>> activity may furthermore be retained if necessary for particular 
>>> civil actions being pursued, or for particular criminal 
>>> investigations that are in process. ///This// information may be 
>>> used to alter the user's experience in order to reasonably keep a 
>>> service secure //or prevent//malicious or invalid activity./
>>>
>>> The term "malicious or invalid activity"//means:
>>>     (a) //invalid Web traffic (for instance bot activity generating 
>>> impressions or clicks),
>>>     (b) bogus, malicious or automated sign ups or form submissions,
>>>     (c) attacks intended to disrupt the availability of a service,
>>>     (d) malicious intrusions into corporate networks,
>>>     (e) fraud prevention, ///or
>>>     (f) abuse of a service in a way that harms the integrity or 
>>> security of a service or the security of the users of a service.//
>>>
>>> On 06/12/2013 09:17 AM, Chris Mejia wrote:
>>>> David Wainberg, Dan Auerbach and I worked on this draft text.  I'm 
>>>> submitting it now for consideration by the wider group, as there 
>>>> were only small gaps between Dan and our text proposals.
>>>> */
>>>> /*
>>>> */--/*
>>>> */
>>>> /*
>>>> */
>>>>
>>>> 6.2.2.6 Detection, Prevention or Prosecution of 
>>>> Malicious, Nefarious or Invalid Activity
>>>>
>>>> Data may be collected, retained and used to the extent reasonably 
>>>> necessary for detecting and/or 
>>>> preventing malicious, nefarious or disingenuous activity. Additionally, 
>>>> data related to malicious, nefarious or disingenuous activity may 
>>>> be retained when reasonably necessary to support civil or criminal 
>>>> prosecution of parties that conduct, support or perpetuate 
>>>> malicious, nefarious or disingenuous activity. This data may also be used 
>>>> to alter the user's experience in order to preserve or bolster the 
>>>> security of a site/service/user(s), or to prevent malicious, 
>>>> nefarious or disingenuous activity.
>>>>
>>>> The term "malicious, nefarious or disingenuous activity" means:
>>>>
>>>>     (a) disingenuous Web traffic/server 
>>>> requests (for example: non-human activity generating bogus server 
>>>> requests, ad-impressions or clicks);
>>>>
>>>>     (b) bogus, malicious, automated or non-human Web-form submissions;
>>>>
>>>>     (c) attacks intended to disrupt a site, service or user experience;
>>>>
>>>>     (d) malicious or nefarious intrusions, or attempts to 
>>>> intrude into private or corporate networks;
>>>>
>>>> (e) fraudulent activity, including any activity that's purpose is 
>>>> to defraud a site, service or users of a site or service;
>>>>
>>>>     (f) any activity that's reasonably determined to abuse, or 
>>>> attempts to abuse a site/service/user in any way.
>>>>
>>>>
>>>>
>>>> /*
>>>
>
Received on Wednesday, 12 June 2013 22:44:33 UTC