RE: ISSUE-24 (fraud detection and defense)


I'd rather we drop the 2nd paragraph.  I've spoken to many security experts - including the security expert "live" at the October Sunnyvale F2F - and everyone agrees that the most effective security approach is to start with a larger net and then minimize from there as you're able to determine traffic is not suspicious.  Attempting to go the reverse direction is not effective and would allow many "bad guys" through.  As companies are all alone in this fight, we need every tool in our arsenal for this very specific permitted use.  Companies instead should look to data minimization and data segregation principles to ensure the proportional use of this information.

- Shane

From: Justin Brookman []
Sent: Thursday, October 09, 2014 1:19 PM
To: (
Subject: ISSUE-24 (fraud detection and defense)

Hello all, last October we came very close to final agreement on language on the fraud/security permitted use:

Regardless of the tracking preference expressed, data MAY be collected, retained, and used to the extent reasonably necessary to detect security incidents, protect the service against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for such activity, provided that such data is not used for operational behavior (profiling or personalization) beyond what is reasonably necessary to protect the service or institute a graduated response.
When feasible, a graduated response to a detected security incident is preferred over widespread data collection. An example would be recording all use from a given IP address range, regardless of DNT signal, if the party believes it is seeing a coordinated attack on its service (such as click fraud) from that IP address range. Similarly, if an attack shared some other identifiable fingerprint, such as a combination of User Agent and other protocol information, the party could retain logs on all transactions matching that fingerprint until it can be determined that they are not associated with such an attack or such retention is no longer necessary to support prosecution.

However, Shane strongly objected to the language and the issue has remain unresolved.  So I am inclined to go for a Call for Objections on the issue.  Shane, would your proposal just end in the first paragraph after "to protect the service"?  Or do you wish to propose something different?

Justin Brookman
Director, Consumer Privacy
Center for Democracy & Technology

Received on Thursday, 9 October 2014 20:43:05 UTC