RE: New Research on Protocol Information (ISSUE-16, ISSUE-19) from Shane Wiley on 2012-02-08 (public-tracking@w3.org from February 2012)

From: Shane Wiley <wileys@yahoo-inc.com>
Date: Wed, 8 Feb 2012 06:52:52 -0800
To: Rigo Wenning <rigo@w3.org>, "public-tracking@w3.org" <public-tracking@w3.org>
CC: Jonathan Mayer <jmayer@stanford.edu>
Message-ID: <63294A1959410048A33AEE161379C8023D0C8AC9EA@SP2-EX07VS02.ds.corp.yahoo.com>

Rigo,

I appreciate the desire for the working group to solve all privacy issues in a single pass but would suggest an attempt to solve the age old debate of "when is 'anonymous' anonymous enough?" is outside of the scope of this working group.  Many local laws already take positions on this topic and I suggest we allow this discussion to evolve separate to the efforts of this working group.

- Shane

-----Original Message-----
From: Rigo Wenning [mailto:rigo@w3.org] 
Sent: Wednesday, February 08, 2012 1:37 AM
To: public-tracking@w3.org
Cc: Jonathan Mayer
Subject: Re: New Research on Protocol Information (ISSUE-16, ISSUE-19)

On Tuesday 07 February 2012 16:30:32 Jonathan Mayer wrote:
> The paper also finds that scrubbing the last octet from an IP address may do
> little to mitigate tracking.

>From a scientific point of view, this was already acquired as a fact in our 
discussions around P3P in 2001. I'm pretty sure that Matthias can find some 
paper from long time ago that already addresses this issue.

This raises the question of how anonymous is anonymization. While being 
interesting from a scientific point of view, this may be dangerous for our 
considerations here as it will push us into the anonymity arms race. As this 
is a moving target, it is hard to lay down something in the specification. 

My suggestion would be that the group:

1/ Recognizes that just removing the last octet of an IP-address is NOT 
sufficient for anonymization or even pseudonymization.

2/ Discuss what is "good enough" for the risk we are trying to tackle, risk 
being one of the following: consumer protection and dangers for democracy 
(have to be made more concrete in the discussion)

I don't think a burdensome re-identification of a single person like in a law 
enforcement scenario is our attacking scenario, but rather mass information 
processing to find opinions and predict and influence people in an undue and 
dangerous way or amass sufficient information that others could abuse the 
amassed information for undue and dangerous purposes.

Best, 

Rigo

Received on Wednesday, 8 February 2012 14:56:28 UTC