- From: David Singer <singer@apple.com>
- Date: Wed, 13 Aug 2014 16:58:44 -0700
- To: Justin Brookman <jbrookman@cdt.org>
- Cc: "<public-tracking@w3.org>" <public-tracking@w3.org>, Mike O'Neill <michael.oneill@baycloud.com>
On Aug 8, 2014, at 6:54 , Mike O'Neill <michael.oneill@baycloud.com> wrote: > I also read it as (A && (B || C)) but the last phrase (“or the data is not subsequently reidentified.”) is unclear. Is it a command not to reidentify or an eternal statement of fact. Better to say that the data has been made impossible to re-identify (like taking out the keys or deleting it). > > Also a “reasonable level of” could be construed by some as too low a bar, and adds nothing to help implementers. > > How about: > > A data set is considered deidentified when (1) there exists justified confidence that none of the data within it can be linked to a particular user, user agent, or device and (2) either any transfer of the data is accompanied by a restriction on recipients from trying to reidentify the data, or the data has been made incapable of being subsequently reidentified. I also am going to try this again; Mike is right, there was a bracketing error. Trying another way of phrasing it: Data is permanently de-identified (and hence out of the scope of this specification) when a sufficient combination of technical measures and restrictions ensures that the data does not, and cannot and will not be used to, identify a particular user, user-agent, or device. Note: Usage and/or distribution restrictions are strongly recommended for any dataset that has records that relate to a single user or a small number of users; experience has shown that such records can, in fact, sometimes be used to identify the user(s) despite the technical measures that were taken to prevent that happening. David Singer Manager, Software Standards, Apple Inc.
Received on Wednesday, 13 August 2014 23:59:19 UTC