
Re: ISSUE-235 (Auditability requirement for security)

From: Justin Brookman <jbrookman@cdt.org>
Date: Wed, 15 Oct 2014 13:03:35 -0400
Cc: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-Id: <70EDDE56-16E3-4134-A794-C3724D0BA1AE@cdt.org>
To: Shane M Wiley <wileys@yahoo-inc.com>

Thanks Shane for the quick response. Does anyone want to argue in favor of maintaining the auditability requirement, or revise it to address the vagueness concerns that Shane has raised?

Here is the reasonable security section as it stands today (proposal is to remove the last sentence):

3.3.1.4 Reasonable Security

A party that collects data for a permitted use MUST use reasonable technical and organizational safeguards to prevent further processing of data retained for permitted uses. While physical separation of data maintained for permitted uses is not required, best practices SHOULD be in place to ensure technical controls ensure access limitations and information security. That party SHOULD ensure that the access and use of data retained for permitted uses is auditable.


On Oct 15, 2014, at 11:49 AM, Shane M Wiley <wileys@yahoo-inc.com> wrote:

> Justin,
> 
> I support its removal. As we've discussed in the past, a SHOULD is very close to a MUST and only for very specific technical arguments does one escape the necessity that term creates. In this case, adding a blanket "all permitted use structures MUST be auditable" is VERY open-ended and therefore should be removed. To what level is something considered "auditable"? Do we have security standards in place today that lay out in a very objective manner what is and is not considered to be "auditable" (specific hooks? Reporting?)? If we agree that anything that exists technically is therefore "auditable" to some degree, then what is the value of this clause anyway?
> 
> I'd be more comfortable with moving it to a MAY, but it still lacks any objective substance, so I'm still confused as to how I would say something is or is not auditable. If we're suggesting "externally auditable" here, then I'll double down on my support for its removal, as that particular issue is much more difficult to solve for in our current timeframe.
> 
> - Shane
> 
> -----Original Message-----
> From: Justin Brookman [mailto:jbrookman@cdt.org] 
> Sent: Wednesday, October 15, 2014 7:55 AM
> To: public-tracking@w3.org (public-tracking@w3.org)
> Subject: ISSUE-235 (Auditability requirement for security)
> 
> Before leaving NAI and the Working Group, Jack Hobaugh had proposed to delete from the general security requirement for data held for permitted uses the line:
> 
> Third parties SHOULD ensure that the access and use of data retained for permitted uses is auditable.
> 
> If anyone still supports this proposal and wants to discuss it, please advocate for it on the mailing list (or on the working group call today).
> 
> 
Received on Wednesday, 15 October 2014 17:04:10 UTC
