- From: Lorrie Cranor <lorrie@research.att.com>
- Date: Tue, 16 Oct 2001 09:59:06 -0400
- To: "Giles Hogben" <giles.hogben@jrc.it>, "p3pdev" <www-p3p-dev@w3.org>
- Cc: "Tom Jackson" <tom.jackson@jrc.it>, "Bob Thibadeau" <rht@cs.cmu.edu>
Yes, we talked about including security information in the P3P vocabulary. However, we decided that it would be very difficult for web sites to provide meaningful security information. The fact that they use particular security software is not really all that meaningful. A company may use great security software but not apply it to one of their systems, and that's where they have the breach. And the best practices with respect to security are changing constantly.

I served on the FTC advisory committee on online access and security and we had a similar discussion. In general this group of experts felt that while web sites should have security policies, describing their security procedures and software in a consumer-oriented privacy policy was not particularly useful.

Lorrie

----- Original Message -----
From: "Giles Hogben" <giles.hogben@jrc.it>
To: "p3pdev" <www-p3p-dev@w3.org>
Cc: "Tom Jackson" <tom.jackson@jrc.it>; "Bob Thibadeau" <rht@cs.cmu.edu>
Sent: Tuesday, October 16, 2001 3:12 AM
Subject: Re: Collection of user information by forms

> I have a question for the group.
> I know it's too late for the existing spec, but has the working group
> thought about including tags which make statements about the measures the
> company takes to secure the data once it is on their servers:
> For example
> <DATASECURITY><portscanlogs/><penetrationtesting tool="iss"
> interval="yearly" description="We use iss vulnerability scanner to test for
> vulnerabilities"/></DATASECURITY>
>
> I have just been on a course in penetration testing (for strictly
> professional purposes!) and this made me realise that this is quite a big
> issue in the data collection cycle, not only in real terms but also in terms
> of consumer perception.
>
> Giles Hogben
Received on Tuesday, 16 October 2001 10:01:34 UTC
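The DATASECURITY element proposed in the quoted message was never part of P3P, but P3P does already provide a way to carry vocabulary it does not define: the `EXTENSION` element, whose `optional` attribute (default `yes`) tells a user agent whether it may ignore content it does not understand. The following added example (not code from the mailing list or from the P3P working group) shows how such a block would be embedded and read by a P3P-aware tool. The P3P namespace and `EXTENSION` element are real; the `urn:example:datasecurity` namespace, the policy text and the two helper functions are constructed for this illustration. As the reply above notes, nothing here lets a user agent verify the claim; the code only shows the mechanics of carrying and extracting it, and of flagging the element when it is placed outside an `EXTENSION`, which P3P requires for non-P3P elements.

```python
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"   # P3P 1.0 policy namespace (real)
DATASEC_NS = "urn:example:datasecurity"      # hypothetical namespace for the proposed element

# Constructed sample policy: the proposed DATASECURITY block sits inside
# P3P's EXTENSION element so agents that do not know it can skip it.
SAMPLE_POLICY = f"""<POLICY xmlns="{P3P_NS}" discuri="http://example.com/privacy.html">
  <ENTITY><DATA-GROUP><DATA ref="#business.name">Example Corp</DATA></DATA-GROUP></ENTITY>
  <ACCESS><none/></ACCESS>
  <STATEMENT>
    <PURPOSE><current/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><no-retention/></RETENTION>
    <DATA-GROUP><DATA ref="#dynamic.miscdata"/></DATA-GROUP>
  </STATEMENT>
  <EXTENSION optional="yes">
    <ds:DATASECURITY xmlns:ds="{DATASEC_NS}">
      <ds:portscanlogs/>
      <ds:penetrationtesting tool="iss" interval="yearly"
          description="We use iss vulnerability scanner to test for vulnerabilities"/>
    </ds:DATASECURITY>
  </EXTENSION>
</POLICY>"""

# Constructed malformed sample: same element placed directly under POLICY,
# which P3P does not allow for elements outside its own vocabulary.
MISPLACED_POLICY = f"""<POLICY xmlns="{P3P_NS}" discuri="http://example.com/privacy.html">
  <ds:DATASECURITY xmlns:ds="{DATASEC_NS}"><ds:portscanlogs/></ds:DATASECURITY>
</POLICY>"""


def extract_security_claims(policy_xml):
    """Return one record per DATASECURITY block found inside a P3P EXTENSION.

    Each record carries whether the extension is optional and a list of the
    measures claimed, with their attributes copied verbatim. The values are
    the site's own assertions; nothing in the policy substantiates them.
    """
    root = ET.fromstring(policy_xml)
    results = []
    for ext in root.iter(f"{{{P3P_NS}}}EXTENSION"):
        optional = ext.get("optional", "yes")  # P3P default is "yes"
        for block in ext.findall(f"{{{DATASEC_NS}}}DATASECURITY"):
            claims = []
            for child in block:
                measure = child.tag.split("}", 1)[1]  # strip the namespace
                claims.append({"measure": measure, **child.attrib})
            results.append({"optional": optional == "yes", "claims": claims})
    return results


def misplaced_security_elements(policy_xml):
    """List DATASECURITY elements whose parent is not a P3P EXTENSION.

    A conforming P3P processor should treat such a policy as invalid rather
    than silently accept the foreign element.
    """
    root = ET.fromstring(policy_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    target = f"{{{DATASEC_NS}}}DATASECURITY"
    extension = f"{{{P3P_NS}}}EXTENSION"
    misplaced = []
    for el in root.iter(target):
        parent = parent_of.get(el)
        if parent is None or parent.tag != extension:
            misplaced.append("DATASECURITY")
    return misplaced


if __name__ == "__main__":
    for record in extract_security_claims(SAMPLE_POLICY):
        print("optional:", record["optional"])
        for claim in record["claims"]:
            print("  claimed measure:", claim)
    print("misplaced in MISPLACED_POLICY:", misplaced_security_elements(MISPLACED_POLICY))
```

Because the block is wrapped in `EXTENSION optional="yes"`, a P3P user agent that has never heard of DATASECURITY still evaluates the rest of the policy normally; only a tool written specifically for the extension would surface the claims, and it would be surfacing them as unverified statements from the site.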