Re: ISSUE-235 (Auditability requirement for security) from Justin Brookman on 2014-10-21 (public-tracking@w3.org from October 2014)

From: Justin Brookman <jbrookman@cdt.org>
Date: Tue, 21 Oct 2014 17:22:38 -0400
To: "Amy Colando (LCA)" <acolando@microsoft.com>
Cc: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
Message-Id: <83D83493-7D62-4BED-88D5-4F73562D3CE6@cdt.org>

No one spoke up for maintaining this language either on the list or on last week’s call; if anyone wants to make a pitch for maintaining this or other auditability language, please do so; otherwise, we’ll adopt Jack’s proposal to remove the sentence.

On Oct 15, 2014, at 5:37 PM, Amy Colando (LCA) <acolando@microsoft.com> wrote:

> +1
> 
> 
> -----Original Message-----
> From: David (Standards) Singer [mailto:singer@apple.com] 
> Sent: Wednesday, October 15, 2014 2:31 PM
> To: Justin Brookman
> Cc: public-tracking@w3.org (public-tracking@w3.org)
> Subject: Re: ISSUE-235 (Auditability requirement for security)
> 
> I understand the good intentions behind this sentence, and applaud them, but
> 
> a) it's not specific:
>  i) who by? a court? a SWAT team crashing down your door? the CDT asking nicely? an independent researcher sending email?
>  ii) of what? the actual data, and the data flows, or the processes and controls that are in place?
> b) it's not testable.
> 
> We've said some things must be publicly documented (e.g. in the privacy policy), and that's both testable and clear what is stated (it can only be the process). This is trying to be half-way, sort-of vaguely discoverable under undefined quasi-formal ('audit') conditions.  
> 
> (I think I am going to go get a half-way vaguely discoverable coffee now and drink it in undefined quasi-formal conditions).
> 
> On Oct 15, 2014, at 7:54 , Justin Brookman <jbrookman@cdt.org> wrote:
> 
>> Before leaving NAI and the Working Group, Jack Hobaugh had proposed to delete from the general security requirement for data held for permitted uses the line:
>> 
>> Third parties SHOULD ensure that the access and use of data retained for permitted uses is auditable.
>> 
>> If anyone still supports this proposal and wants to discuss it, please advocate for it on the mailing list (or on the working group call today).
>> 
> 
> David Singer
> Manager, Software Standards, Apple Inc.
> 
>

Received on Tuesday, 21 October 2014 21:23:22 UTC