Re: ACTION-408 - security & fraud proposed text - Section 6.2. from Dan Auerbach on 2013-06-12 (public-tracking@w3.org from June 2013)

From: Dan Auerbach <dan@eff.org>
Date: Wed, 12 Jun 2013 12:33:25 -0700
To: Chris Mejia <chris.mejia@iab.net>
CC: W3C DNT Working Group Mailing List <public-tracking@w3.org>, David Wainberg - AppNexus <david@appnexus.com>, Mike Zaneis <mike@iab.net>, Marc Groman - NAI <mgroman@networkadvertising.org>, Lou Mastria - DAA <lou@aboutads.info>, "Nicholas \"Nick\" Doty - W3C" <npdoty@w3.org>, Peter Swire - W3C TPWG Co-Chair <peter@peterswire.net>
Message-ID: <51B8CD05.1070305@eff.org>

We largely agree but Chris's text was not agreed to be the version we
sent out. But here's my version, which I think is more precise,
appropriately tailored, and less verbose:

/6.2.2.6 Detection and Prevention //of Malicious or Invalid Activity//
//
//Information may be collected, retained and used to the extent
reasonably necessary for detecting and preventing //malicious or invalid
//activity. Information related to malicious or invalid activity may
furthermore be retained if necessary for particular civil actions being
pursued, or for particular criminal investigations that are in process.
///This// information may be used to alter the user's experience in
order to reasonably keep a service secure //or prevent//malicious or
invalid activity./

The term "malicious or invalid activity"//means:
    (a) //invalid Web traffic (for instance bot activity generating
impressions or clicks),
    (b) bogus, malicious or automated sign ups or form submissions,
    (c) attacks intended to disrupt the availability of a service,
    (d) malicious intrusions into corporate networks,
    (e) fraud prevention, ///or
    (f) abuse of a service in a way that harms the integrity or security
of a service or the security of the users of a service.//

On 06/12/2013 09:17 AM, Chris Mejia wrote:
> David Wainberg, Dan Auerbach and I worked on this draft text.  I'm
> submitting it now for consideration by the wider group, as there were
> only small gaps between Dan and our text proposals.
> */
> /*
> */--/*
> */
> /*
> */
>
> 6.2.2.6 Detection, Prevention or Prosecution of
> Malicious, Nefarious or Invalid Activity
>
>  
>
> Data may be collected, retained and used to the extent reasonably
> necessary for detecting and/or
> preventing malicious, nefarious or disingenuous activity. Additionally, data related
> to malicious, nefarious or disingenuous activity may be
> retained when reasonably necessary to support civil or criminal
> prosecution of parties that conduct, support or perpetuate
> malicious, nefarious or disingenuous activity. This data may also be
> used to alter the user's experience in order to preserve or bolster
> the security of a site/service/user(s), or to prevent malicious,
> nefarious or disingenuous activity. 
>
>  
>
> The term "malicious, nefarious or disingenuous activity" means: 
>
>     (a) disingenuous Web traffic/server
> requests (for example: non-human activity generating bogus server
> requests, ad-impressions or clicks);
>
>     (b) bogus, malicious, automated or non-human Web-form submissions;
>
>     (c) attacks intended to disrupt a site, service or user experience;
>
>     (d) malicious or nefarious intrusions, or attempts to
> intrude into private or corporate networks;
>
>     (e) fraudulent activity, including any activity that's purpose is
> to defraud a site, service or users of a site or service;
>
>     (f) any activity that's reasonably determined to abuse, or
> attempts to abuse a site/service/user in any way.
>
>
>
> /*

Received on Wednesday, 12 June 2013 19:34:00 UTC