Re: Change proposal -- Permitted Use Security and Fraud -- Issue-24 from Nicholas Doty on 2013-06-22 (public-tracking@w3.org from June 2013)

From: Nicholas Doty <npdoty@w3.org>
Date: Fri, 21 Jun 2013 17:01:53 -0700
To: John Simpson <john@consumerwatchdog.org>
Cc: "public-tracking@w3.org List" <public-tracking@w3.org>, "Roy T. Fielding" <fielding@gbiv.com>, Chris Mejia <chris.mejia@iab.net>
Message-Id: <8BA486E4-C723-4811-A77B-415996BB9F30@w3.org>

I've added this change proposal to the wiki:
http://www.w3.org/wiki/Privacy/TPWG/Change_Proposal_Security#WD-style_text_.2B_Graduated_Response

The group can review this text next to the change proposal from Chris Mejia.

Thanks,
Nick

On Jun 21, 2013, at 6:44 AM, John Simpson <john@consumerwatchdog.org> wrote:

> Colleagues,
> 
> I wanted to ensure that the security permitted use language first proposed by Roy Fielding and incorporating essential non-normative text suggest by Ian Fette be considered.  It would substitute for the security language in the June draft and adds the essential concept of graduated response and, importantly, explains the concept.
> 
> Regardless of the tracking preference expressed, data may be
>    collected, retained, and used to the extent reasonably necessary
>    to detect security incidents, protect the service against malicious,
>    deceptive, fraudulent, or illegal activity, and prosecute those
>    responsible for such activity, provided that such data is not
>    used for operational behavior (profiling or personalization)
>    beyond what is reasonably necessary to protect the service or
>    institute a graduated response.
> 
>    When feasible, a graduated response to a detected security incident
>    is preferred over widespread data collection (see <defn>).
>    An example would be recording all use from a given IP address range,
>    regardless of DNT signal, if the party believes it is seeing a
>    coordinated attack on its service (such as click fraud) from that
>    IP address range. Similarly, if an attack shared some other
>    identifiable fingerprint, such as a combination of User Agent and
>    other protocol information, the party could retain logs on all
>    transactions matching that fingerprint until it can be determined
>    that they are not associated with such an attack or such retention
>    is no longer necessary to support prosecution.
> Regards,
> John
> 
> ---------
> John M. Simpson
> Privacy Project Director
> Consumer Watchdog
> 2701 Ocean Park Blvd., Suite 112
> Santa Monica, CA, 90405
> Tel: 310-392-7041
> Cell: 310-292-1902
> www.ConsumerWatchdog.org
> john@consumerwatchdog.org

Received on Saturday, 22 June 2013 00:02:06 UTC