
Re: ISSUE-235 (Auditability requirement for security)

From: Walter van Holst <walter.van.holst@xs4all.nl>
Date: Wed, 19 Nov 2014 16:06:20 +0100
To: public-tracking@w3.org
Message-ID: <80e27925547675daa90ac17ea211f0de@xs4all.nl>
On 2014-11-19 01:57, Nicholas Doty wrote:
> Separate as to whether this auditing requirement is a good idea for
> the recommendation, I'd propose a couple small, friendly amendments to
> the language, as per below.
>> For the purposes of this recommendation, auditable is understood as 
>> having sufficient records of access and use of data retained such that 
>> an independent auditor would have a reasonable level of confidence 
>> that the data retained is exclusively used for the permitted uses or 
>> that breaches of this can be detected ex-post. For example, an auditor 
>> might use a similar level of confidence to that required for the 
>> organization's financial records.
> (Use independent instead of third-party, as the document has a
> separate definition for third-party. Use "recommendation". "Example"
> rather than "yardstick".)

I'm reasonably comfortable with this amendment.

For the purpose of the conversation on the necessity of all this, I'd 
like to point at this document: 

For audience measurement purposes industry groups are perfectly happy 
with process audit requirements (see paragraph 4, sub 2) for ad 
measurement, which reads as:

4. Auditing Guidelines
Third-party independent auditing is encouraged for all ad-serving applications used in the buying and selling process. This auditing is recommended to include both counting methods and processing/controls as
1. Counting Methods: Independent verification of activity for a defined period. Counting method procedures generally include a basic process review and risk analysis to understand the measurement methods, analytical review, transaction authentication, validation of filtration procedures and measurement recalculations. Activity audits can be executed at the campaign level, verifying the activity associated with a specific ad creative being delivered for performance measurement purposes.
2. Processes/Controls: Examination of the internal controls surrounding the ad delivery, recording and measurement process. Process auditing includes examination of the adequacy of site or ad-server applied filtration techniques.

Strangely enough, in this group all of a sudden none appears to 
understand the meaning of auditable in the context of DNT:1 data 
retained for purposes exempted under this standard? What I am asking for 
is not substantially different and definitely not more burdensome than 
what IAB suggests for ad measurement. We're simply talking about an 
analog to the process/controls audits mentioned above.


Received on Wednesday, 19 November 2014 15:06:53 UTC