- From: Roy T. Fielding <fielding@gbiv.com>
- Date: Wed, 17 Jul 2013 00:37:43 -0700
- To: John Simpson <john@consumerwatchdog.org>
- Cc: "public-tracking@w3.org (public-tracking@w3.org)" <public-tracking@w3.org>
On Jul 16, 2013, at 11:22 PM, John Simpson wrote:

> On Jul 16, 2013, at 11:14 PM, "Roy T. Fielding" <fielding@gbiv.com> wrote:
>
>> Initial data collection for security occurs because we don't know
>> if there are "reasonable grounds to believe ...". The main point
>> of performing the data collection is to determine if those grounds
>> exist for this particular client request (or sequence of requests).
>> After the grounds are obtained, then a graduated response can begin
>> (i.e., more data collection, or retention for a longer period).
>> This kind of data collection has nothing to do with OBA or building
>> user profiles -- it is attack profiling and short-term retention
>> of request traces.
>
> How long is "short-term?"

There is no easy answer for that because it depends on what data is being collected, why it is collected, and what is being protected.

My suggested text limits it "to the extent reasonably necessary to detect security incidents, protect the service against malicious, deceptive, fraudulent, or illegal activity, and prosecute those responsible for such activity".

Limits on what is necessary would have to come from specific experience, or imposed via regulatory guidelines, for each kind of service. We simply cannot create such limits out of thin air because the Web contains so many different types of services. Consider, for example, the very different types of security that are needed for third-party checks on my blog (via Akismet), versus the fairly complex example of Ticketmaster trying to detect other ticket brokers, or the more extensive threat detection needed by banks and multi-tenant hosting sites.

I think a better question is whether any service would agree to implement DNT if it prevents them from detecting security incidents, or from protecting the service against malicious, deceptive, fraudulent, or illegal activity, or from prosecuting those responsible for such activity?

....Roy
Received on Wednesday, 17 July 2013 07:37:57 UTC