Re: Deidentification (ISSUE-188)

On Jul 23, 2014, at 9:19, Roy T. Fielding <fielding@gbiv.com> wrote:

> On Jul 23, 2014, at 6:24 AM, Justin Brookman wrote:
> 
>> Different questions to Roy and David about their proposals:
>> 
>> Roy, on the call last week, you said that if data can be tied to a user agent or device, then it wasn’t deidentified.  Nick proposed adding “, user agent, or device” to the end of your definition to make that clear.  So it would read: 
>> 
>> A data set is considered de-identified when there exists a reasonable level of justified confidence that the data within it cannot be used to infer information about, or otherwise be linked to, a particular user, user agent, or device. 
>> 
>> However, from the minutes, at some point you rejected some amendment — not sure if it’s this one or not.
> 
> Yes, the problem is the other text around it.  I don't want
> 
>  "data within it cannot be used to infer information about ...
>   a user agent, or device."
> 
> One of the main reasons for collecting data is to ensure that the
> site/system works for a given UA/device.  That's data we need to keep, at least
> for any UA which does not identify a user (i.e., is in use by enough distinct
> users that we can retain that data without identifying them).  That's
> why I did not include UA and device in the proposal.
> 
> Alternatively, I would be happy with:
> 
>  A data set is considered de-identified when there exists a reasonable
>  level of justified confidence that none of the data within it can be
>  linked to a particular user, user agent, or device.

And to capture the thought in process, what I was floating on the call just now was to add:

A data set is considered de-identified when:
a) there exists a reasonable level of justified confidence that none of the data within it can be linked to a particular user, user agent, or device;
b) and the creator of the data set commits not to re-identify any user, user agent, or device that contributed to the data;
c) and the creator either restricts recipients from any such re-identification or accepts responsibility for any such re-identification.



David Singer
Manager, Software Standards, Apple Inc.

Received on Wednesday, 23 July 2014 16:33:14 UTC