Re: [ISSUE-31] Minimization -- to what extent will minimization be required for use of a particular exemption?

I've had the opportunity to discuss minimization with a number of stakeholders since Cambridge.  The view I (and quite a few others) have been converging on is that minimization will be an exception-by-exception issue.  In some cases (e.g. frequency capping) we might allow only specific privacy-preserving approaches; in others (e.g. financial fraud detection) we might offer latitude.

Jonathan

On Dec 12, 2011, at 2:50 PM, Shane Wiley wrote:

> What Nick said… :)
>  
> This was in the context of 3rd party data protection where they were looking for 1st party data use rights (3rd party as a 1st party).  The concepts of minimization and technical protections crossed in this conversation and the open question emerged:  does minimization allow for a particular exemption?  One example was data aggregation (time frame between raw and aggregated was debated).  Does aggregation provide an exemption to the DNT signal (for example, for a ComScore or Nielsen to provide web-wide aggregate reporting to the world)?
>  
> - Shane
>  
> From: Nicholas Doty [mailto:npdoty@w3.org] 
> Sent: Monday, December 12, 2011 3:43 PM
> To: Kevin Smith
> Cc: public-tracking@w3.org; Shane Wiley
> Subject: Re: [ISSUE-31] Minimization -- to what extent will minimization be required for use of a particular exemption?
>  
> On Dec 12, 2011, at 2:09 PM, Kevin Smith wrote:
> Apparently Shane said: “do you get exemptions by using particular technical implementations?”
> Which Nick interpreted and created the issue: “Minimization – to what extent will minimization be required for use of a particular exemption? (conditional exemptions)”
> 
> Shane, Nick, or anyone else?  Do you remember this conversation?  Can you tell me what the underlying issue or question was?  Nick, what do you mean by minimization?  Collecting as little data as possible??
>  
> I think "data minimization" is generally considered to be the technique of collecting little data (or less specific data) or retaining less data (or less specific data, or for less time) in order to decrease privacy risks. In location privacy, we often give the example of storing only the zip code rather than precise latitude/longitude as a data minimization technique.
>  
> The relevant text from the minutes (http://www.w3.org/2011/09/21-dnt-minutes.html) seems to be this:
> Jonathan: Minimization... in some cases privacy concern might be minimal, but in many cases lots of tech approaches
> ... to what extent so we want to recommend tech / nice tech? 
> ... broad exceptions yet some tech might be better for implementing them? 
> ... frequency capping eg, we are NOT going to allow it in .... but may be allow it in this other case, where minimization makes a difference
> Peter: The technical conditional nature of exemption
> Aleecia: Is it reasonable for us to only have exemption only based on the tech they use?
>  
> I think the general idea being, are there exemptions to a Do Not Track preference when a particular technique is being used for minimizing data? What kind of recommendations should the specification make on minimization techniques and what effect will the particular technique have on the requirements put on a tracking server?
>  
> Hope this helps,
> Nick

Received on Monday, 12 December 2011 23:15:19 UTC