Re: New Research on Protocol Information (ISSUE-16, ISSUE-19) from John Simpson on 2012-02-08 (public-tracking@w3.org from February 2012)

From: John Simpson <john@consumerwatchdog.org>
Date: Wed, 8 Feb 2012 12:00:24 -0800
To: Matthias Schunter <mts@zurich.ibm.com>
Cc: public-tracking@w3.org
Message-Id: <3AEF22AD-D542-489E-BD60-3ABD25B94C0A@consumerwatchdog.org>
Matthias,

Thank you for a very thoughtful analysis. This is an excellent statement of the WG's goals.

Best,
John


On Feb 8, 2012, at 8:48 AM, Matthias Schunter wrote:

> Hi Jonathan,
> 
> 
> some of my (more academic) thoughts on privacy-enhancing technologies...
> 
> If viewed from a academic privacy angle (the trust model underlying
> Chaums original privacy work), user should never be required to trust
> anyone else to achieve/protect their privacy.
> 
> While this model is useful and appropriate in many cases and is OK to
> pursue as the ideal goal, I believe it is not what we want to achieve
> using DNT:
> 
> If protocols satisfy this trust model (i.e., users can self-protect),
> then no DNT would be needed anymore: Why send signals to untrusted
> parties that will not honor it in any case?
> 
> Overall, DNT aims at finding the right mix between privacy
> improvement, efficient implementability by sites, and ideally also
> some verifiability by end users (i.e., at least regulators may detect
> misbehavior).
> 
>> From my perspective, our goals are to
> - substantially improve privacy for the end-user sending   DNT;1
> - provide a standard that is implementable by all web-sites at low cost
> - not breaking essential functionalities
>   (Note: do not reply to this goal : Exception discussion is
> elsewhere ;-)
> - satisfying key regulatory requirements
> 
> I am confident that this will lead to
> - Wide adoption/support by industry and end users
> - Incentives (not requirement) for additional novel privacy enhancing
> technologies
> 
> Note that I do not believe that a solution that aims at completely
> preventing tracking by malicious sites (under DNT;1) will achieve
> these objectives.
> 
> Some itneresting questions I see are:
> - What are the right exeptions (discussed elsewhere)
> - Example implementation guidance for exeptions that illustrate
>  how they can easily be addressed using today's technology
>  (e.g., statements like "if you do not store anything, then you're
> fine").
> - How to ensure enforcement by regulators, i.e.,
>  how can one determine whether a site follows the required practices?
> - How can one encourage privacy-enhancing technologies without
> requiring them?
> 
> 
> Regards,
> 
> 
> 
> 
> 
> 
> 
> 
> 
> On 2/8/2012 3:52 PM, Shane Wiley wrote:
>> Rigo,
>> 
>> I appreciate the desire for the working group to solve all privacy issues in a single pass but would suggest an attempt to solve the age old debate of "when is 'anonymous' anonymous enough?" is outside of the scope of this working group.  Many local laws already take positions on this topic and I suggest we allow this discussion to evolve separate to the efforts of this working group.
>> 
>> - Shane
>> 
>> -----Original Message-----
>> From: Rigo Wenning [mailto:rigo@w3.org] 
>> Sent: Wednesday, February 08, 2012 1:37 AM
>> To: public-tracking@w3.org
>> Cc: Jonathan Mayer
>> Subject: Re: New Research on Protocol Information (ISSUE-16, ISSUE-19)
>> 
>> On Tuesday 07 February 2012 16:30:32 Jonathan Mayer wrote:
>>> The paper also finds that scrubbing the last octet from an IP address may do
>>> little to mitigate tracking.
>> 
>>> From a scientific point of view, this was already acquired as a fact in our 
>> discussions around P3P in 2001. I'm pretty sure that Matthias can find some 
>> paper from long time ago that already addresses this issue.
>> 
>> This raises the question of how anonymous is anonymization. While being 
>> interesting from a scientific point of view, this may be dangerous for our 
>> considerations here as it will push us into the anonymity arms race. As this 
>> is a moving target, it is hard to lay down something in the specification. 
>> 
>> My suggestion would be that the group:
>> 
>> 1/ Recognizes that just removing the last octet of an IP-address is NOT 
>> sufficient for anonymization or even pseudonymization.
>> 
>> 2/ Discuss what is "good enough" for the risk we are trying to tackle, risk 
>> being one of the following: consumer protection and dangers for democracy 
>> (have to be made more concrete in the discussion)
>> 
>> I don't think a burdensome re-identification of a single person like in a law 
>> enforcement scenario is our attacking scenario, but rather mass information 
>> processing to find opinions and predict and influence people in an undue and 
>> dangerous way or amass sufficient information that others could abuse the 
>> amassed information for undue and dangerous purposes.
>> 
>> Best, 
>> 
>> Rigo
>> 
>> 
>> 
>> 
>> 
> 

----------
John M. Simpson
Consumer Advocate
Consumer Watchdog
1750 Ocean Park Blvd. ,Suite 200
Santa Monica, CA,90405
Tel: 310-392-7041
Cell: 310-292-1902
www.ConsumerWatchdog.org
john@consumerwatchdog.org
Received on Wednesday, 8 February 2012 20:01:00 UTC