RE: TAG on privacy by design for web applications

Hi Thomas,

I know (and knew) the draft minutes are public, and are posted to a public list.  I was having trouble reasoning about "privacy" as an abstract, and thought it would be useful to discuss a situation where I cared about the result.

You suggest as a design principle:
- if T prefers that people don't refer to M, that T should not post M publicly, but rather post M in a context with more restricted access.

There are a couple of difficulties with this rule:
* I was trying to distinguish between "publishing" and "linking". You didn't link to the draft minutes, you copied them. In the process, you left out some of the metadata such as the schedule for revision and approval.
* Choosing the right link:
  Between the links:
    -- to a persistent copy of the raw unreviewed minutes:
          http://lists.w3.org/Archives/Public/www-tag/2012Apr/0127.html
    -- to a location which currently contains the unreviewed minutes but will be updated:
          http://www.w3.org/2001/tag/2012/04/02-minutes#item06
  I would prefer a link to the latter. It's a distinction between the assertion "Larry said" and "The scribe at the time thought Larry said"; I'm willing to accept that people often misquote me (I speak fast and mumble).
* The mitigation you suggest (not posting publicly but to a more restricted list) sounds reasonable, but not always effective. In my experience, there is no visible consequence to those with access to a more restricted context divulging the content, and a large number of individuals with such access (thousands).

The mitigation I suggested was that the minutes carry a more explicit status and redistribution policy notice (I gave "DRAFT, UNREVIEWED, DO NOT FORWARD OR CITE header or other disclaimer"). Not every publication to the public www-tag mailing list carries that disclaimer, of course. This leaves open the possibility that someone would ignore the policy header anyway.

* There was also a secret suggestion  
     ((WARNING PRIVATE MEMBER-ONLY LINK https://lists.w3.org/Archives/Member/tag/2012Apr/0029.html ))
   to do something else but related, but of course I can't divulge what whoever-said-it says.

Which is the right design principle for this privacy use case? Does it generalize?

A group has a private meeting which they want to record publicly. The group has a mailing list whose archives are public. Someone posts a photo of the group to a popular social networking or photo sharing site and tags group members, sends out a link. Members who are tagged incorrectly can correct the tagging, but if someone copies the photo and its tags and sends it to another public venue, corrections won't apply to the reposting. 

Is that the same case? 

Larry
--
http://larry.masinter.net

-----Original Message-----
From: Thomas Roessler [mailto:tlr@w3.org] 
Sent: Sunday, April 29, 2012 9:16 AM
To: Larry Masinter
Cc: Thomas Roessler; www-tag@w3.org; public-privacy@w3.org
Subject: Re: TAG on privacy by design for web applications

Larry,

I'll point out that these draft minutes were public, and were posted to a public list.

While I'll happily respect the TAG's wishes to not point other parties at its minutes, I'd suggest that, if you indeed prefer that people don't refer to your draft minutes, you post them in a member-confidential context.

Regards,
--
Thomas Roessler, W3C  <tlr@w3.org>  (@roessler)







On 2012-04-29, at 17:47 +0200, Larry Masinter wrote:

> Thomas:
> 
> The TAG does post plain text versions of its minutes before review and approval, but I wish you wouldn't repost unapproved minutes, as you did:
> http://lists.w3.org/Archives/Public/public-privacy/2012AprJun/0056.html
> 
> The original email containing unapproved minutes http://lists.w3.org/Archives/Public/www-tag/2012Apr/0127.html at least contains a pointer to the location to be updated: http://www.w3.org/2001/tag/2012/04/02-agenda, with a great URL for the (updated, formatted) minutes on the topic you quoted:
>                       http://www.w3.org/2001/tag/2012/04/02-minutes#item06
> 
> TAG:
> 
> In future, I suggest when sending out Draft minutes in email to www-tag@w3.org that we explicitly add a "DRAFT, UNREVIEWED, DO NOT FORWARD OR CITE" header or other disclaimer.
> 
> Given that the TAG occasionally discusses issues that are contentious and of a highly political nature, I'd like to more strongly discourage this practice.
> 
> 
> Public-Privacy discussion & TAG:
> 
> I think this is a "privacy" use case: 
> I have an expectation of audience and distribution. I know the meeting isn't recorded, and that while minutes are taken, I expect to have an opportunity to review the minutes after a draft is published and before they are approved. My expectation wasn't met. 
> 
> My fault?  I should have known that if I am concerned about being misquoted I have to watch the irc log in real time and correct errors BEFORE the draft minutes get published, and trust that the person cleaning up the notes doesn't inadvertently change the meaning of what I said.
> Thomas' fault? The TAG's fault for posting draft minutes publicly?
> 
> If there were APIs for any of this information flow -- if we somehow automated the processes by which minutes are taken, edited, drafts published, reviewed, approved -- would "API minimization" help? How?
> 
> Larry
> --
> http://larry.masinter.net
> 
> 

Received on Sunday, 29 April 2012 23:18:38 UTC