W3C home > Mailing lists > Public > public-tracking@w3.org > October 2014

Re: ISSUE-235 (Auditability requirement for security)

From: David (Standards) Singer <singer@apple.com>
Date: Wed, 15 Oct 2014 14:31:10 -0700
Cc: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-Id: <165DDAF9-3B23-499A-B88B-F66495655B6D@apple.com>
To: Justin Brookman <jbrookman@cdt.org>
I understand the good intentions behind this sentence, and applaud them, but

a) itís not specific:
  i) who by? a court? a SWAT team crashing down your door? the CDT asking nicely? an independent researcher sending email?
  ii) of what? the actual data, and the data flows, or the processes and controls that are in place?
b) itís not testable.

Weíve said some things must be publicly documented (e.g. in the privacy policy), and thatís both testable and clear what is stated (it can only be the process). This is trying to be half-way, sort-of vaguely discoverable under undefined quasi-formal (Ďaudití) conditions.  

(I think I am going to go get a half-way vaguely discoverable coffee now and drink it in undefined quasi-formal conditions).

On Oct 15, 2014, at 7:54 , Justin Brookman <jbrookman@cdt.org> wrote:

> Before leaving NAI and the Working Group, Jack Hobaugh had proposed to delete from the general security requirement for data held for permitted uses the line:
> 
> Third parties SHOULD ensure that the access and use of data retained for permitted uses is auditable.
> 
> If anyone still supports this proposal and wants to discuss it, please advocate for it on the mailing list (or on the working group call today).
> 

David Singer
Manager, Software Standards, Apple Inc.
Received on Wednesday, 15 October 2014 21:31:41 UTC

This archive was generated by hypermail 2.3.1 : Friday, 3 November 2017 21:45:24 UTC