
Re: ISSUE-235 (Auditability requirement for security)

From: Justin Brookman <jbrookman@cdt.org>
Date: Wed, 29 Oct 2014 15:01:19 -0400
Cc: Tracking Protection Working Group <public-tracking@w3.org>
Message-Id: <F6D7653B-AFB6-4800-BC18-72A21B3EFBC8@cdt.org>
To: Walter van Holst <walter.van.holst@xs4all.nl>
For those who don't feel like visiting the wiki, Walter has proposed to retain the auditability requirement, and to clarify with the following language:

In this context auditable is typically understood that there are sufficient records available of access and use of data retained that a third-party auditor would have a reasonable level of confidence that the data retained is exclusively used for the permitted uses or that breaches of this can be detected ex-post. A good yardstick of the level of confidence would be a similar level of confidence required for the organisation's financial records.


I don't have any great insight into the manner in which companies typically document their access and use of tracking databases, but I'd welcome opinions on whether this would represent a marginal burden to companies.

On Oct 29, 2014, at 7:59 AM, Walter van Holst <walter.van.holst@xs4all.nl> wrote:

> On 2014-10-22 17:40, Justin Brookman wrote:
>> I do not have a general notion of what an auditor would consider to be
>> auditable, so why don't you propose specific text (doesn't have to be
>> in the next 20 minutes!) for the group to consider.
> I have put a proposal underneath Vincent's in the wiki:
> https://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Remove_auditable_security_requirement
> Sadly, I'm very unlikely to be able to attend today's call. Feedback by mail, either on- or off-list would be much appreciated.
> Regards,
> Walter
Received on Wednesday, 29 October 2014 19:01:46 UTC
