- From: John Simpson <john@consumerwatchdog.org>
- Date: Tue, 24 Sep 2013 15:04:50 -0700
- To: Nicholas Doty <npdoty@w3.org>
- Cc: David Singer <singer@apple.com>, Shane M Wiley <wileys@yahoo-inc.com>, "public-tracking@w3.org List" <public-tracking@w3.org>
Colleagues,

Alas, I think this chain demonstrates the futility of ever reaching consensus…

Regards,
John

On Sep 24, 2013, at 2:58 PM, Nicholas Doty <npdoty@w3.org> wrote:

> On September 23, 2013, at 7:00 PM, David Singer <singer@apple.com> wrote:
>> On Sep 23, 2013, at 18:39 , Shane M Wiley <wileys@yahoo-inc.com> wrote:
>>
>>> I object to this being added. New Issue?
>>>
>>> 'Graduated Response' is not a viable approach to Security. While I appreciate how this approach sounds perfectly acceptable from a logical perspective, in practice this doesn't work. This was highlighted during the Sunnyvale face-to-face where the "security expert" agreed that attempting to collect more data from a user over time would likely tip off the suspected bad actor that they were being tracked in a differentiated manner - something you would not want to as they would quickly change tactics - creating another security risk/channel.
>>>
>>> I've attempted to convey our security experts' views in this area and thought the Sunnyvale session clearly demonstrated there is little value to this approach and creates a false expectation by placing this in the Compliance and Scope document. More than happy to continue documenting though and have true security experts provide this feedback to the group.
>>
>> We probably need to debate this more (sadly) but the "when feasible" introduction does seem to allow your experts some…latitude.
>
> I don't see the need for additional debate on the presence of non-normative text -- I was sending it around just so that the editors could update the text with the group decision -- but it's true that this is written (by Ian Fette, then revised by Roy Fielding and also proposed by John Simpson) specifically to allow latitude for use cases where a graduated response wouldn't make sense: both "when feasible" and "is preferred" are to that point. I believe the group supported it in part because as non-normative text it didn't add any requirements that might conflict with Shane's use case. While some preferred having a normative requirement and some preferred no mention at all, everyone on the call (2013-07-17 [0]) could live with the non-normative description.
>
> There is an open issue and set of change proposals on security, focused on the normative text:
> http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Security
> http://www.w3.org/2011/tracking-protection/track/issues/24
>
> Thanks,
> Nick
>
> [0] http://www.w3.org/2013/07/17-dnt-minutes#item01

Received on Tuesday, 24 September 2013 22:05:19 UTC