
RE: updating Compliance doc with graduated response

From: Shane M Wiley <wileys@yahoo-inc.com>
Date: Tue, 24 Sep 2013 01:39:27 +0000
To: Nicholas Doty <npdoty@w3.org>, "public-tracking@w3.org List" <public-tracking@w3.org>
Message-ID: <DCCF036E573F0142BD90964789F720E31418DBE4@GQ1-MB01-02.y.corp.yahoo.com>

I object to this being added. New Issue?

'Graduated Response' is not a viable approach to Security. While I appreciate how this approach sounds perfectly acceptable from a logical perspective, in practice this doesn't work. This was highlighted during the Sunnyvale face-to-face where the "security expert" agreed that attempting to collect more data from a user over time would likely tip off the suspected bad actor that they were being tracked in a differentiated manner - something you would not want to do, as they would quickly change tactics - creating another security risk/channel.

I've attempted to convey our security experts' views in this area and thought the Sunnyvale session clearly demonstrated that there is little value to this approach and that placing this in the Compliance and Scope document creates a false expectation. More than happy to continue documenting though and have true security experts provide this feedback to the group.

- Shane

-----Original Message-----
From: Nicholas Doty [mailto:npdoty@w3.org] 
Sent: Friday, September 20, 2013 9:59 PM
To: public-tracking@w3.org List
Subject: updating Compliance doc with graduated response

Attached is a diff proposed to add a definition of graduated response and then a non-normative section in the security permitted use. I believe this implements the group's decision on a call in July. (Text included below if you want to read the changes.)


> 			<section id="graduated-response">
> 				<h3>Graduated Response</h3>
> 				<p>
> 					A <dfn>graduated response</dfn> is a methodology where the action taken is proportional to the size of the problem or risk that is trying to be mitigated. In the context of this document, the term is used to describe an increase in the collection of data about a user or transaction in response to a specific problem that a party has become aware of, such as an increase in fraudulent activity originating from a particular network or IP address range resulting in increased logging of data relating to transactions from that specific range of IP addresses as opposed to increased logging for all users in general.
> 				</p>
> 			</section>
>   			<section id="security-graduated" class="informative">
>   				<h4>Graduated Responses for Security</h4>
>   				When feasible, a <a>graduated response</a> to a detected security incident is preferred over widespread data collection. An example would be recording all use from a given IP address range, regardless of DNT signal, if the party believes it is seeing a coordinated attack on its service (such as click fraud) from that IP address range. Similarly, if an attack shared some other identifiable fingerprint, such as a combination of user agent string and other protocol information, the party could retain logs on all transactions matching that fingerprint until it can be determined that they are not associated with such an attack or such retention is no longer necessary to support prosecution.
>   			</section>
Received on Tuesday, 24 September 2013 01:41:06 UTC
