Re: June Change Proposal: security and fraud exemption (Issue-24)

Hi Lee,

I've updated this wiki page to include your proposal next to Chris's, John's and the editors' draft text: 
http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Security

If it's possible to consolidate your text with either of the other proposals, please let us know. Also, is it possible to consolidate the two separate sections by saying, for example, "for the purposes of preventing fraud and ensuring its security, provided that...."?

Thanks,
Nick

On Jun 25, 2013, at 7:04 PM, Lee Tien <tien@eff.org> wrote:

> The EFF/Mozilla/Stanford proposal originally proposed:
> 
> "A third party may collect and use protocol information for the detection and prevention of security breaches and fraudulent activity, subject to a six-month retention period. A third party may collect, retain, and use data about a particular user or user agent for the purpose of preventing fraud, provided that there are reasonable grounds to believe the user or user agent was attempting to commit fraud at the time the data was received. A third party may collect, retain, and use data about a particular user or user agent for the purpose of ensuring its security, provided that there are reasonable grounds to believe the user or user agent was attempting to breach the party's security at the time the data was received."  
> 
> I assume that language is still on the table?
> 
> Regardless, I now propose the following, which omits specific retention periods in favor of "only retains so long as necessary" tied to parties' transparency obligations on retention periods (as generally set forth in the June Draft on minimization and transparency).  
> 
> "I. Fraud Prevention
> 
> A. Operative Text
> 
> A third party may collect, retain, and use data about a particular user or user agent for the sole purpose of preventing fraud, provided that there are reasonable grounds to believe the user or user agent is presently attempting to commit fraud.  Data may only be retained as long as necessary to mitigate the present threat.
> 
> B. Non-Normative Discussion
> 
> When a user meaningfully interacts with third-party content (e.g. clicking an ad), the third party can collect, retain, and use information for fraud prevention.  Third parties can also use protocol logs for fraud prevention.  This exception provides an additional capability to, in certain circumstances, track impressions for fraud prevention.
> 
> II. Security
> 
> A. Operative Text
> 
> A third party may collect, retain, and use data about a particular user or user agent for the sole purpose of ensuring its security, provided that there are reasonable grounds to believe the user or user agent is presently attempting to breach the party's security.  Data may only be retained as long as necessary to mitigate the present threat.
> 
> B. Non-Normative Discussion
> 
> This exception grants third parties (e.g. advertising networks) some latitude to mitigate security risks. Websites that users store sensitive personal information on (e.g. financial services and webmail) are all first-party; they are able to collect, retain, and use information about all users for security purposes."  
> 
> 
> -- 
> Lee Tien
> Senior Staff Attorney
> Electronic Frontier Foundation
> 815 Eddy Street
> San Francisco, CA 94109
> (415) 436-9333 x 102 (tel)
> (415) 436-9993 (fax)
> tien@eff.org

Received on Wednesday, 26 June 2013 07:16:02 UTC