TPWG F2F Breakout Group C

12 Feb 2013

See also: IRC log


Jonathan_Mayer, +1.646.654.aaaa, +1.617.253.aabb


board: the questions from http://www.w3.org/wiki/Privacy/DNT-Breakouts

plus the FTC definition: data is not “reasonably linkable” to the extent that a company: (1) takes reasonable measures to ensure that the data is de-identified;

(2) publicly commits not to try to reidentify the data; and

(3) contractually prohibits downstream recipients from trying to re-identify the data.

speaking about 3) - contractually prohibits…

ed: a concern may be under 3) that if you make the data public you may not be in a position where you can have a contract

the case: a company is OK privacy-wise, but someone says - aha, you don't have a contract with the public under point 3)

ed: you can put it in terms of use

focusing on 1)

regarding examples - question 3

finding examples of OK and not OK

Lou: some of the stuff Thomas Schauf was presenting would provide some examples of OK

looking at t. schauf's slides to better understand pseudonymous data

jmayer: "short term browsing history is no privacy concern" is probably undermined by research at this point

ed: browser history linked to a cookie id is not unlinkable data

ionel: not sure why as using a random id then a "transformed" id linked to the same data is basically the same thing

lou: what is the problem we're trying to solve?


what is the privacy harm after we take the PII out?

ed: remaining info can potentially be linked back to the user
... question is the level to go to to actually be unidentifiable

each harm will have different risk mitigation techniques

we're in a scenario where we're trying to override a choice by being sure that the user's data is not going to be compromised

jmayer: focus is on understanding cases where privacy risks are not there

we can avoid the harm discussion for the purposes of deidentification

lou: are we defining "not tracking"?

ed: no

we're trying to say confidently that whatever the user was trying to do when activating DNT is not affected

chris: browsing history can include sensitive info

on the board: not compliant - still have PII

jmayer: do we have consensus that if any of the urls happen to have usernames, names, etc, then this info is not unidentifiable?

lou: yes

jmayer: if we have a reasonable risk that pii is included, can you count that info as not unidentifiable or not?

example: you collect a bunch of stuff and you know that this may include usernames or email addresses

lou: don't know

ed: is there a justifiable level of justified confidence that the URL does not include info that could lead back to the user?

chris: I've heard some consumer groups saying that a URL history by itself may pose threats even without PII

lou: in the sensitive stuff we take the PII out

ed: for people compliant with DAA

Lou: we look at the whole market

so it would apply to the market

ed: the URLs may have all kind of info packed into them

one easy example is to connect this data to a cookie id that is still alive

lou: how easy is it to infer info from the URLs?

jmayer: the point of the category is to set aside business concerns, legal concerns

lou: I agree - once we get to the definition and get the PII out we get to the clear road of "this is what we're looking for"

Chris: I can understand the argument that sometimes it can contain PII, although in practice it may be difficult

ed: hard in practice to identify what's sensitive in the URL history

jmayer: removing PII would probably not be enough either

lou: we also need to look at the contractual obligations - we don't want to go into the same trap as with P3P

the definition on board speaks to that: for a good actor this is something they live on, and for a bad actor FTC takes care of it

ed: but even in the room we haven't agreed on some of the meanings in some cases

board: url history alone, unless there's a reasonable level of justified confidence that history does not contain any identifier

means non-compliance

question 4: should the discussion mention pseudonymous data, or should we just talk about the definition, or do we define pseudonymous data as such?

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.137 (CVS log)
$Date: 2013-02-12 19:27:16 $
