Re: ISSUE-235 (Auditability requirement for security) from Walter van Holst on 2014-10-22 (public-tracking@w3.org from October 2014)

From: Walter van Holst <walter.van.holst@xs4all.nl>
Date: Wed, 22 Oct 2014 17:34:34 +0200
To: Justin Brookman <jbrookman@cdt.org>
Cc: Amy Colando <acolando@microsoft.com>, public-tracking@w3.org
Message-ID: <6690bd67f3aa46062054b10fa1cabaf8@xs4all.nl>

On 2014-10-22 17:15, Justin Brookman wrote:
> Walter, I don’t think anyone objects to the idea of auditability in
> theory, but I think there are questions about what that means in the
> specification.  If a DPA has the legal authority to require certain
> evidence or documentation from a data controller, then it does so —
> this standard cannot grant or deprive any consumer protection
> authority of those rights.

You are quite right that this standard cannot deprive any regulator of 
such rights (mind you, I object to framing all these issues as mere 
consumer protection issues). However, you are very wrong about the 
ability of this standard of granting any regulator rights. Whether by 
virtue of design or circumstance, the net result of this attempt at 
self-regulation is that it may grant the FTC an authority it never was 
granted through the legislative process in the USA and may give European 
regulators an unambiguous standard to establish consent for tracking 
(DNT:0).

>  What do you want this standard to require
> — that companies prepare some sort of documentation in advance of a
> request?  That they architect their systems in ways that can be
> comprehended by a regulator?  I think there was agreement that a
> general requirement of “auditability” was confusing and certainly not
> testable, but if you have a more concrete suggestion in mind, I think
> people would be open-minded.

I still object to applying the same testability criteria to the 
compliance spec as we do to the technical spec. They are worlds apart 
and it is inherent to any compliance spec that it will contain elements 
that are ultimately only testable in court. It is more of a contract 
than of a technical specification. When I draft a contract with audit 
clauses, I typically rely on what an EDP auditor would consider 
"auditable". That field has a long history to ascertain the extent to 
which an organisation has taken plausible safeguards against 
unauthorised access to and manipulation of transaction data. May I 
suggest the inclusion of similar, but non-normative, language to clarify 
that notion of "auditability"?

Regards,

  Walter

Received on Wednesday, 22 October 2014 15:35:25 UTC